WAF test suite

Need to develop a test suite, as part of current functional tests, to emulate WAF bypassing requests and Web attacks.

Depends on the WAF implementation https://github.com/tempesta-tech/tempesta/issues/2458 : there is no sense to run the scanners if we know that there is no implemented protections, like CSRF or CSP.

### Analyzer + backend

One of the way, probably the simplest and featureful is to use ready vulnerability scanner/analyzer with vulnerable backend. Following analyzers, working as a malicious clients could be emplyed:

- [WAFNinja](https://github.com/khalilbijjou/WAFNinja)
-  [lightbulb-framework](https://github.com/lightbulb-framework/lightbulb-framework)
- [wafw00f](https://github.com/EnableSecurity/wafw00f)
- [w3af](https://github.com/andresriancho/w3af)
- [nmap http-waf-detect.nse script](https://nmap.org/nsedoc/scripts/http-waf-detect.html)
- [Commix](https://github.com/commixproject/commix)
- [Go Test WAF](https://github.com/wallarm/gotestwaf)
- [wfuzz](https://github.com/xmendez/wfuzz)
- [zaproxy](https://www.zaproxy.org/)
 - [nuclei](https://github.com/projectdiscovery/nuclei)
 - [sqlmap](https://github.com/sqlmapproject/sqlmap)

Also consider the [WAF bypass collection](https://waf-bypass.com/)

Backends:
- [Google Gruyere](https://google-gruyere.appspot.com/)
- [DVWA](http://www.dvwa.co.uk/)


### Homebred tests

If the above don't test some of the security issues, then appropriate functional tests, complementing the ready analyzer/backend setup, shall be implemented.

- [ ] HTTP Response Splitting
- [ ] HTTP Request Smuggling (#900, tempesta-tech/tempesta#1296 and cases from https://github.com/tempesta-tech/tempesta/wiki/Web-security#http-request-smuggling)
- [ ] HTTP Parameter pollution
- [ ] Invalid POST arguments boundary (#902)
- [ ] requests with `Content-Type: invalid` (Imperva's vulnerability) and empty `Content-Type` must be blocked.
- [ ] SQL ijections
- [ ] RCE, including in HTTP headers, like [`User-Agent`](https://www.dropbox.com/s/om4yttb6nfix2hk/BSidesAth16_Perform_Effective_Command_Injection_Attacks_Like_Mr.Robot_Final.pdf)
- [ ] filtering passive XSS attacks like `http://www.site.com/page.php?var=<script>alert('xss');</script>`
- [ ] test URI and POST attacks using decodings (see tempesta-tech/enterprise#2)
- [ ] Check that `Host` header injections are blocked in default configuration: `Host: mysite:”><xss>`, `Host: mysite “><xss>`
- [ ] [Exploiting URL for SSRF](https://www.youtube.com/watch?v=2MslLrPinm0)
```
        http://1.1.1.1 &@2.2.2.2# @3.3.3.3/
        http://127.0.0.1:11211:80/
        http://google.com#@evil.com/
        ... and others
```
- [ ] HTTP filtering proxy evasions (evade [HTTP adjustment code](https://github.com/tempesta-tech/tempesta/wiki/Modify-HTTP-Messages) by mangling HTTP headers in assumption that a prixy and target HTTP server process them in different way), such as insertion of extra spaces, tabs, 0x00–0x20, and so on, e.g. `GET / HTTP/1.1\r\n\sHost\x4:\tfoo  \r\n`. The main point is if we do not block some of such manglings (i.e. it's allowed by RFC), then we must correctly perform [HTTP message modifications](https://github.com/tempesta-tech/tempesta/wiki/Modify-HTTP-Messages) for such headers. 

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

WAF test suite #834

Analyzer + backend

Homebred tests

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

WAF test suite #834

Description

Analyzer + backend

Homebred tests

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions