PaulDotCom mailing list archives

Re: [Security Weekly] Audit a WAF


From: David Maynor <dmaynor () gmail com>
Date: Tue, 8 Apr 2014 00:38:44 -0400

Auditing a WAF isn't hard; it just requires knowing the content the WAF is
protecting and the different ways it can be encoded/obfuscated. Most web
auditing tools like Burp Suite, w3af, nikto, or skipfish can be configured to
audit WAFs. Most vulnerabilities you find will come from a gap between what the
content can do and what the WAF developer has chosen to cover. The most
basic example is encoding a char like ' that can be used in SQL Injection
attacks in a different charset that the web app behind the WAF supports but
the WAF itself might not support or be configured to recognize. This
example should be caught by most WAFs, but you never know.

The second most likely reason for flaws in WAF products is performance. The
WAF has to protect a web app while it is still available to customers. A
lot of WAF tools err on the side of caution and will let an attack through
if it is taking too long rather than risk introducing downtime into a
customer environment.

One of the most useful things you can do while auditing a WAF is keep a
sniffer running on your host. You can review your logs to look at the
actual responses and piece together whether you are making headway or not.
Signs you are making headway include error messages, timeouts, unexplained
request rewriting, and dropped traffic. You can use tcpdump/wireshark to log
traffic locally, or something with some protocol analysis built in like
Tenable PVS.

WAF auditing is mostly trial and error; there isn't a magic bullet. The
best tool for auditing them, IMHO, is scapy and a good test environment.


On Mon, Apr 7, 2014 at 2:27 PM, RAMELLA Sébastien <
sebastien.ramella () white-hats fr> wrote:

Hello,
I have read several articles about WAFs, mainly about bypass methods.
Several papers caught my attention; they referred to a fuzzer-like
tool called "Waffun".

I would like to assess the WAF through a company internal project.

Can anyone share this tool, or just point me to tips, similar tools, or
best practices for evaluating a WAF?
Thanks in advance.

RAMELLA Sébastien
Systems and network integrator / IS security consultant
Microsoft Certified System Administrator
__________________________________________



_______________________________________________
securityweekly mailing list
securityweekly () mail securityweekly com
http://mail.securityweekly.com/cgi-bin/mailman/listinfo/securityweekly
Main Web Site: http://pauldotcom.com

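The "gap between what the content can do and what the WAF covers" that David describes above, as an added example that is not part of his post or of any real WAF product. It generates alternate encodings of one SQL injection payload, runs them through a constructed naive filter (one round of percent-decoding, strict UTF-8, a single regex, and a fail-open on decode errors, which is this example's stand-in for the "let it through rather than risk downtime" behaviour) and through a constructed lenient backend decode path (double percent-decode, overlong UTF-8 folding, HTML entity decoding, NFKC normalization). The bypasses are the variants the filter passes while the backend still ends up with the original quote character. The filter, the backend pipeline and the payload are all assumptions for illustration.

```python
import html
import re
import unicodedata
import urllib.parse

# Constructed test payload; the backend must receive exactly this for a
# variant to count as a working bypass.
PAYLOAD = "' OR '1'='1"

# Constructed WAF signature: literal quote, optional space, OR/AND, quote.
SQLI_SIG = re.compile(r"'\s*(?:or|and)\s*'", re.I)


def overlong_2byte(ch: str) -> str:
    """Percent-encoded 2-byte overlong UTF-8 form of an ASCII char (invalid UTF-8,
    but some forgiving decoders still accept it). For "'" this is %C0%A7."""
    o = ord(ch)
    return "%%%02X%%%02X" % (0xC0 | (o >> 6), 0x80 | (o & 0x3F))


def encode_variants(payload: str) -> dict:
    """Different encodings of the same payload an auditor would try."""
    q = lambda s: urllib.parse.quote(s, safe="")
    return {
        "plain": payload,
        "url": q(payload),
        "double_url": q(q(payload)),
        "html_entity": payload.replace("'", "&#39;"),
        "overlong_utf8": "".join(overlong_2byte(c) if c == "'" else q(c)
                                 for c in payload),
        # U+FF07 FULLWIDTH APOSTROPHE, sent as its UTF-8 percent-encoding.
        "unicode_fullwidth": q(payload.replace("'", "\uff07")),
    }


def naive_waf_blocks(raw: str) -> bool:
    """Constructed WAF: one percent-decode with strict UTF-8, then the regex.
    A decode error is treated as 'not our problem' and the request is passed
    (fail open), the availability-over-security trade-off described above."""
    try:
        decoded = urllib.parse.unquote(raw, errors="strict")
    except UnicodeDecodeError:
        return False
    return bool(SQLI_SIG.search(decoded))


def lenient_utf8(data: bytes) -> str:
    """Constructed forgiving decoder: folds 2-byte overlong sequences (lead
    byte C0/C1) back to the ASCII byte they encode, then decodes as UTF-8."""
    fixed = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and (data[i + 1] & 0xC0) == 0x80:
            fixed.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            fixed.append(b)
            i += 1
    return fixed.decode("utf-8", errors="replace")


def backend_sees(raw: str) -> str:
    """Constructed backend decode path: percent-decode twice (an app quirk that
    makes double encoding work), HTML-unescape, then NFKC-normalize."""
    text = lenient_utf8(urllib.parse.unquote_to_bytes(raw))
    text = lenient_utf8(urllib.parse.unquote_to_bytes(text))
    text = html.unescape(text)
    return unicodedata.normalize("NFKC", text)


def audit(payload: str = PAYLOAD) -> dict:
    """Per variant: did the WAF block it, what did the backend get, is it a bypass."""
    results = {}
    for name, raw in encode_variants(payload).items():
        blocked = naive_waf_blocks(raw)
        seen = backend_sees(raw)
        results[name] = {
            "raw": raw,
            "blocked": blocked,
            "backend": seen,
            "bypass": (not blocked) and seen == payload,
        }
    return results


def bypasses(payload: str = PAYLOAD) -> list:
    """Names of the variants that reach the backend intact without being blocked."""
    return sorted(n for n, r in audit(payload).items() if r["bypass"])


if __name__ == "__main__":
    for name, r in audit().items():
        flag = "BYPASS" if r["bypass"] else ("blocked" if r["blocked"] else "passed, mangled")
        print(f"{name:18} {flag:16} backend={r['backend']!r}")
```

Of the six encodings, the plain and single-URL-encoded forms are caught; the double-encoded, entity-encoded, overlong and fullwidth forms all pass the filter and still arrive at the backend as the original quote. Swapping in a different filter or backend decode order changes which variants survive, which is exactly why the post calls this trial and error against the real target rather than a fixed checklist.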
