PaulDotCom mailing list archives
Re: [Security Weekly] Audit a WAF
From: David Maynor <dmaynor () gmail com>
Date: Tue, 8 Apr 2014 00:38:44 -0400
Auditing a WAF isn't hard; it just requires knowing the content the WAF is protecting and the different ways it can be encoded/obfuscated. Most web auditing tools like Burp Suite, w3af, nikto, or skipfish can be configured to audit WAFs. Most vulnerabilities you find will come from a gap between what the content can do and what the WAF developer has chosen to cover. The most basic example is encoding a char like ' that can be used in SQL Injection attacks in a different charset that the web app behind the WAF supports but the WAF itself might not support or be configured to recognize. This example should be caught by most WAFs, but you never know.

The second most likely reason for flaws in WAF products is performance. The WAF has to protect a web app while it is still available to customers. A lot of WAF tools err on the side of caution and will let an attack through if it is taking too long rather than risk introducing downtime into a customer environment.

One of the most useful things you can do while auditing a WAF is keep a sniffer running on your host. You can review your logs to look at the actual responses and piece together whether you are making headway or not. Signs you are making headway include error messages, timeouts, unexplained request rewriting, and dropped traffic. You can use tcpdump/Wireshark to log traffic locally, or something with some protocol analysis built in like Tenable PVS.

WAF auditing is mostly trial and error; there isn't a magic bullet. The best tool for auditing them, IMHO, is scapy and a good test environment.

On Mon, Apr 7, 2014 at 2:27 PM, RAMELLA Sébastien <sebastien.ramella () white-hats fr> wrote:
Hello, I read several articles about WAFs, mainly bypass methods. Several papers retained my attention; they referred to a fuzzer-like tool called "Waffun". I would like to assess the WAF through a company internal project. Can anyone share this tool, or just inform me of tips, similar tools, or best practices for evaluating a WAF? Thanks in advance.

RAMELLA Sébastien
Systems and network integrator / IS security consultant
Microsoft Certified System Administrator

_______________________________________________
securityweekly mailing list
securityweekly () mail securityweekly com
http://mail.securityweekly.com/cgi-bin/mailman/listinfo/securityweekly
Main Web Site: http://pauldotcom.com
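A small illustration of the two failure modes David describes, added here and not part of the thread: a rule applied to the raw request misses the quote character once it sits inside an encoding layer the backend strips (URL and HTML-entity encoding stand in for the charset mismatch he mentions), and a time-budgeted inspector that fails open lets a flagged request through. All function names and sample values are constructed for this example.

```python
import html
import re
import time
from urllib.parse import unquote

# Constructed sample query strings: the same quote character wrapped in
# encoding layers a backend may strip before the value reaches the database.
SAMPLES = {
    "plain": "id=1'",
    "url_once": "id=1%27",
    "url_twice": "id=1%2527",
    "html_entity": "id=1&#x27;",
    "benign": "id=42",
}

QUOTE = re.compile(r"'")  # the rule under test: a single quote anywhere

def naive_inspect(raw: str) -> bool:
    """Apply the rule to the request exactly as received, with no decoding."""
    return bool(QUOTE.search(raw))

def canonicalize(raw: str, max_rounds: int = 3) -> str:
    """Undo URL and HTML-entity encoding until the value stops changing.
    Rounds are bounded so inspection cost stays predictable on any input."""
    s = raw
    for _ in range(max_rounds):
        nxt = html.unescape(unquote(s))
        if nxt == s:
            break
        s = nxt
    return s

def normalizing_inspect(raw: str) -> bool:
    """Apply the same rule after canonicalizing, i.e. as the backend sees it."""
    return bool(QUOTE.search(canonicalize(raw)))

def decide(raw: str, inspector, budget_s: float, fail_open: bool) -> str:
    """Run an inspector under a time budget and return 'block' or 'allow'.
    Over budget, fail_open=True lets the request through (the behaviour the
    thread describes); fail_open=False blocks it instead."""
    start = time.perf_counter()
    flagged = inspector(raw)
    if time.perf_counter() - start > budget_s:
        return "allow" if fail_open else "block"
    return "block" if flagged else "allow"

def coverage(inspector) -> dict:
    """Map each constructed sample to whether the given inspector flags it."""
    return {name: inspector(value) for name, value in SAMPLES.items()}
```

Running `coverage(naive_inspect)` against `coverage(normalizing_inspect)` shows the gap: only the plain sample is caught without canonicalization, while every encoded variant is caught after it.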
Current thread:
- [Security Weekly] Audit a WAF RAMELLA Sébastien (Apr 07)
- Re: [Security Weekly] Audit a WAF David Maynor (Apr 08)
- Re: [Security Weekly] Audit a WAF TAS (Apr 08)
- Re: [Security Weekly] Audit a WAF Chris Campbell (Apr 08)
- Re: [Security Weekly] Audit a WAF RAMELLA Sébastien (Apr 08)