Penetration Testing mailing list archives
Re: WAF Testing..suggestions??
From: bin4ry <bin4ry () theknetgroup org>
Date: Wed, 01 Sep 2010 10:58:44 +0200
Hey False, one thing you should keep in mind: while I was pentesting mod_security and a bunch of commercial WAFs, I recognized that most of the products work pretty well with popular assessment tools (w3af, etc.). They detected most of the attacks.

Afterwards I set up a vulnerable website and tried to manually attack it. There was a huge difference: a lot of manual attacks were not recognized. I guess this is because most of those WAF vendors try to show how good their product is by running automated pentests with such tools. Therefore their products seem to be optimized for such scenarios. So to really get a picture of a WAF's performance, handcrafted attacks are a must!

Cheers

On 27.08.2010 21:59, Dotzero wrote:
> Try waffit - http://code.google.com/p/waffit/source/checkout
>
> On Mon, Aug 23, 2010 at 11:16 AM, false <jctx09 () yahoo com> wrote:
>
> > I need to test my WAF. I want to set up a simple network in the lab like this:
> >
> > XP or Linux client <--> WAF <--> Honeypot/test webserver
> >
> > 1) Does anyone have any suggestions on what I can use to simulate/generate attacks/suspicious traffic towards the webserver from my client?
> >
> > 2) Is there a honeypot image out there that I can download that would be good for the role of my test webserver?
> >
> > Any suggestions or ideas are very much appreciated.

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------