2025-03-29 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
This article explains how to use Gotestwaf to test the detection ability of your WAF. The material is short and easy to follow; work through it step by step with the editor.
About Gotestwaf
Gotestwaf (full name: Go Test WAF) uses a range of attack techniques and bypass techniques to test the detection capabilities of your web application firewall. It is an open-source project written in Go that implements a three-step request generation process: every payload is multiplied by every encoder and every placeholder. Suppose you define 2 payloads, 3 encoders (Base64, JSON and URL-encode) and 1 placeholder (an HTTP GET variable). In that case Gotestwaf will send 2 x 3 x 1 = 6 requests for the test case.
Payload
A payload is the attack string that is sent, for example alert or something more complex. The current version of Gotestwaf does not support features such as macros; support will be added later. Because a payload is a YAML string, you can also use binary encoding; see https://yaml.org/type/binary.html for details.
Encoder
An encoder transforms the payload into the form in which it is sent, for example Base64 or JSON Unicode escaping (\u0027 instead of ').
Placeholder
A placeholder is the location in the HTTP request that carries the encoded payload: for example a URL parameter, the URI path, a POST form parameter or a JSON POST body.
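The payload x encoder x placeholder multiplication described above, as an added example written for this page (it is not Gotestwaf's own code and the encoder and placeholder names, the parameter name "param", the sample payloads and the target URL are assumptions). The program builds the full request matrix without contacting any WAF, and with 2 payloads, 3 encoders and 1 placeholder produces the 6 requests mentioned in the text.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Encoder turns a raw payload into the form that travels on the wire.
type Encoder struct {
	Name string
	Fn   func(string) string
}

// Placeholder chooses where in the HTTP request the encoded payload sits.
type Placeholder struct {
	Name string
	Fn   func(target, encoded string) (*http.Request, error)
}

// Case is one generated request: payload x encoder x placeholder.
type Case struct {
	Payload, Encoder, Placeholder string
	Req                           *http.Request
}

// jsonUnicode escapes every non-alphanumeric rune as \uXXXX, so that
// ' becomes \u0027, the JSON Unicode encoding mentioned in the text.
func jsonUnicode(s string) string {
	var b strings.Builder
	for _, r := range s {
		switch {
		case r >= '0' && r <= '9', r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z':
			b.WriteRune(r)
		default:
			fmt.Fprintf(&b, `\u%04x`, r)
		}
	}
	return b.String()
}

var encoders = []Encoder{
	{"Base64", func(s string) string { return base64.StdEncoding.EncodeToString([]byte(s)) }},
	{"JSONUnicode", jsonUnicode},
	{"URL", url.QueryEscape},
}

// Placeholders splice the encoded text in verbatim, so the encoder's output
// (not a second layer of escaping) is what the WAF has to inspect.
var placeholders = []Placeholder{
	{"URLParam", func(target, enc string) (*http.Request, error) {
		u, err := url.Parse(target)
		if err != nil {
			return nil, err
		}
		u.RawQuery = "param=" + enc // assumed parameter name
		return http.NewRequest(http.MethodGet, u.String(), nil)
	}},
	{"FormParam", func(target, enc string) (*http.Request, error) {
		req, err := http.NewRequest(http.MethodPost, target, strings.NewReader("param="+enc))
		if err != nil {
			return nil, err
		}
		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
		return req, nil
	}},
	{"JSONBody", func(target, enc string) (*http.Request, error) {
		req, err := http.NewRequest(http.MethodPost, target, strings.NewReader(`{"param":"`+enc+`"}`))
		if err != nil {
			return nil, err
		}
		req.Header.Set("Content-Type", "application/json")
		return req, nil
	}},
}

// Generate performs the three-step multiplication: for every payload,
// for every encoder, for every placeholder, build one request.
func Generate(target string, payloads []string, encs []Encoder, phs []Placeholder) ([]Case, error) {
	var cases []Case
	for _, p := range payloads {
		for _, e := range encs {
			enc := e.Fn(p)
			for _, ph := range phs {
				req, err := ph.Fn(target, enc)
				if err != nil {
					return nil, fmt.Errorf("%s/%s: %w", e.Name, ph.Name, err)
				}
				cases = append(cases, Case{Payload: p, Encoder: e.Name, Placeholder: ph.Name, Req: req})
			}
		}
	}
	return cases, nil
}

func main() {
	// Constructed sample payloads; nothing is sent anywhere.
	payloads := []string{"' OR 1=1--", "<script>alert(1)</script>"}
	// 2 payloads x 3 encoders x 1 placeholder = 6 requests, as in the text.
	cases, err := Generate("http://127.0.0.1:8080/", payloads, encoders, placeholders[:1])
	if err != nil {
		panic(err)
	}
	for _, c := range cases {
		fmt.Printf("%-12s %-9s %s %s\n", c.Encoder, c.Placeholder, c.Req.Method, c.Req.URL)
	}
	fmt.Println("requests:", len(cases))
}
```

Passing all three placeholders instead of placeholders[:1] turns the same two payloads into 18 requests; a tool that fires the whole matrix is what lets a single report row say how many encodings of one payload the WAF missed.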
Tool installation
DockerHub
The latest version of Gotestwaf is available directly from the DockerHub library: https://hub.docker.com/r/wallarm/gotestwaf.
Pull the image locally with:

docker pull wallarm/gotestwaf

Or build the image from a local checkout and run it:

docker build . --force-rm -t gotestwaf
docker run -v ${PWD}/reports:/go/src/gotestwaf/reports gotestwaf --url=https://the-waf-you-wanna-test/

When the run finishes, the waf-test-report-.pdf report file appears in the reports folder, which is the host directory mapped to /go/src/gotestwaf/reports inside the container.
Code construction
Gotestwaf runs on the common operating systems: Linux, Windows and macOS. On a system with a Go toolchain installed, build it from source with:

go build -mod vendor

Tool configuration options

Usage of /go/src/gotestwaf/gotestwaf:
  --blockRegex string       Regex to detect a blocking page with the same HTTP response status code as a not blocked request
  --blockStatusCode int     HTTP status code that WAF uses while blocking requests (default 403)
  --configPath string       Path to the config file (default "config.yaml")
  --followCookies           If true, use cookies sent by the server. May work only with --maxIdleConns=1
  --idleConnTimeout int     The maximum amount of time a keep-alive connection will live (default 2)
  --maxIdleConns int        The maximum number of keep-alive connections (default 2)
  --maxRedirects int        The maximum number of handling redirects (default 50)
  --nonBlockedAsPassed      If true, count requests that weren't blocked as passed. If false, requests that don't satisfy PassStatusCode/PassRegExp are counted as blocked
  --passRegex string        Regex to detect a normal (not blocked) web page with the same HTTP status code as a blocked request
  --passStatusCode int      HTTP response status code that WAF uses while passing requests (default)
  --proxy string            Proxy URL to use
  --randomDelay int         Random delay in ms in addition to the delay between requests (default 400)
  --reportPath string       A directory to store reports (default "reports")
  --sendDelay int           Delay in ms between requests (default 400)
  --testCase string         If set then only this test case will be run
  --testCasesPath string    Path to a folder with test cases (default "testcases")
  --testSet string          If set then only this test set's cases will be run
  --tlsVerify               If true, the received TLS certificate will be verified
  --url string              URL to check (default "http://localhost/")
  --verbose                 If true, enable verbose logging (default true)
  --wafName string          Name of the WAF product (default "generic")
  --workers int             The number of workers to scan (default 200)
  --wsURL string            WebSocket URL to check
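How --blockStatusCode, --blockRegex, --passStatusCode, --passRegex and --nonBlockedAsPassed turn one HTTP response into a BLOCKED, BYPASSED or UNRESOLVED verdict, and how those verdicts become the PERCENTAGE % column of the report, as an added example written for this page. It is not Gotestwaf's own code: the rule ordering (block status or block regex first, then pass status plus optional pass regex, everything else unresolved unless --nonBlockedAsPassed is set), the pass status code 200 and the sample responses are assumptions chosen to match the flag help text and the report columns.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
)

// Verdict is the outcome recorded for one request.
type Verdict int

const (
	Blocked    Verdict = iota // the WAF stopped the request
	Bypassed                  // the payload reached the application
	Unresolved                // response matched neither the block nor the pass rule
)

func (v Verdict) String() string {
	return [...]string{"BLOCKED", "BYPASSED", "UNRESOLVED"}[v]
}

// Config mirrors the command-line flags that drive classification.
type Config struct {
	BlockStatusCode    int            // --blockStatusCode (tool default 403)
	PassStatusCode     int            // --passStatusCode (200 assumed here)
	BlockRegex         *regexp.Regexp // --blockRegex, nil when unset
	PassRegex          *regexp.Regexp // --passRegex, nil when unset
	NonBlockedAsPassed bool           // --nonBlockedAsPassed
}

// Classify decides what one HTTP response means for the test.
// Assumption: this ordering models the flag help text; the tool's own
// implementation may differ in details.
func Classify(status int, body string, cfg Config) Verdict {
	// A response carrying the block status code is a block.
	if status == cfg.BlockStatusCode {
		return Blocked
	}
	// --blockRegex exists for WAFs that serve their block page with the same
	// status code as a normal page, so a body match is also a block.
	if cfg.BlockRegex != nil && cfg.BlockRegex.MatchString(body) {
		return Blocked
	}
	// Pass status (plus the optional --passRegex) means the payload got through.
	if status == cfg.PassStatusCode && (cfg.PassRegex == nil || cfg.PassRegex.MatchString(body)) {
		return Bypassed
	}
	// Redirects, 5xx and unexpected pages are ambiguous unless
	// --nonBlockedAsPassed says every non-block counts as a bypass.
	if cfg.NonBlockedAsPassed {
		return Bypassed
	}
	return Unresolved
}

// Summary is one row of the report table.
type Summary struct {
	Blocked, Bypassed, Unresolved int
	Percentage                    float64 // blocked share of resolved requests
	UnresolvedPct                 float64 // unresolved share of all requests
}

func round2(x float64) float64 { return math.Round(x*100) / 100 }

// Tally aggregates verdicts the way the PERCENTAGE % column does:
// unresolved requests are left out of the denominator.
func Tally(vs []Verdict) Summary {
	var s Summary
	for _, v := range vs {
		switch v {
		case Blocked:
			s.Blocked++
		case Bypassed:
			s.Bypassed++
		default:
			s.Unresolved++
		}
	}
	if resolved := s.Blocked + s.Bypassed; resolved > 0 {
		s.Percentage = round2(100 * float64(s.Blocked) / float64(resolved))
	}
	if total := len(vs); total > 0 {
		s.UnresolvedPct = round2(100 * float64(s.Unresolved) / float64(total))
	}
	return s
}

// response is a constructed sample; no WAF was contacted to produce it.
type response struct {
	status int
	body   string
}

func main() {
	cfg := Config{BlockStatusCode: 403, PassStatusCode: 200}
	// Constructed responses for a hypothetical "lfi" test case.
	samples := []response{
		{403, "<h1>403 Forbidden</h1>"}, {403, "<h1>403 Forbidden</h1>"},
		{403, "<h1>403 Forbidden</h1>"}, {403, "<h1>403 Forbidden</h1>"},
		{200, "root:x:0:0:root:/root:/bin/bash"}, {200, "ok"},
		{302, ""}, // redirect: neither the block nor the pass rule fires
	}
	var vs []Verdict
	for _, r := range samples {
		vs = append(vs, Classify(r.status, r.body, cfg))
	}
	s := Tally(vs)
	fmt.Printf("| lfi | %6.2f | %d | %d | %d | unresolved %.2f%% |\n",
		s.Percentage, s.Blocked, s.Bypassed, s.Unresolved, s.UnresolvedPct)
}
```

Before reading a score, check the UNRESOLVED column: a WAF that answers probes with redirects or 5xx pages inflates that column and shrinks the denominator, so a high PERCENTAGE % built on few resolved requests says little until --blockRegex/--passRegex (or --nonBlockedAsPassed) are tuned for that product.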
Testing the OWASP ModSecurity Core Rule Set (CRS)
First we need to build and run the ModSecurity CRS Docker image. The following command pulls, builds and runs it automatically:

make modsec
Alternatively, you can configure the parameters manually and test them:
docker pull owasp/modsecurity-crs
docker run -p 8080:80 -d -e PARANOIA=1 --rm owasp/modsecurity-crs
You can also raise the PARANOIA level to make the rule set stricter for the test. See https://coreruleset.org/faq/ for details.
Next, run Gotestwaf against the ModSecurity CRS container with one of the following:

make scan_local               (to run natively)
make scan_local_from_docker   (to run from Docker)
Alternatively, execute manually in Docker:
docker run -v ${PWD}/reports:/go/src/gotestwaf/reports --network="host" gotestwaf --url=http://127.0.0.1:8080/ --verbose
Alternatively, run the test manually (locally) using the following command:
go run ./cmd --url=http://127.0.0.1:8080/ --verbose
A WebSocket endpoint can be checked in the same run by adding the --wsURL parameter; --verbose prints the details of each step against the target:

docker run -v ${PWD}/reports:/go/src/gotestwaf/reports gotestwaf --url=http://172.17.0.1:8080/ --wsURL=ws://172.17.0.1:8080/api/ws --verbose
The output of the test result of Gotestwaf is as follows:
GOTESTWAF: 2021-03-03 15:15:48.072331 main.go:61: Test cases loading started
GOTESTWAF: 2021-03-03 15:15:48.077093 main.go:68: Test cases loading finished
GOTESTWAF: 2021-03-03 15:15:48.077123 main.go:74: Scanned URL: http://127.0.0.1:8080/
GOTESTWAF: 2021-03-03 15:15:48.083134 main.go:85: WAF pre-check: OK. Blocking status code: 403
GOTESTWAF: 2021-03-03 15:15:48.083179 main.go:97: WebSocket pre-check. URL to check: ws://127.0.0.1:8080/
GOTESTWAF: 2021-03-03 15:15:48.251824 main.go:101: WebSocket pre-check: connection is not available. Reason: websocket: bad handshake
GOTESTWAF: 2021-03-03 15:15:48.252047 main.go:129: Scanning http://127.0.0.1:8080/
GOTESTWAF: 2021-03-03 15:15:48.252076 scanner.go:124: Scanning started
GOTESTWAF: 2021-03-03 15:15:51.210216 scanner.go:129: Scanning Time: 2.958076338s
GOTESTWAF: 2021-03-03 15:15:51.210235 scanner.go:160: Scanning finished

Negative Tests:
| TEST SET  | TEST CASE       | PERCENTAGE % | BLOCKED | BYPASSED | UNRESOLVED |
| community | community-lfi   |        66.67 |       4 |        2 |          0 |
| community | community-rce   |        14.29 |       6 |       36 |          0 |
| community | community-sqli  |        70.83 |      34 |       14 |          0 |
| community | community-xss   |        91.78 |     279 |       25 |          0 |
| community | community-xxe   |       100.00 |       4 |        0 |          0 |
| owasp     | ldap-injection  |         0.00 |       0 |        8 |          0 |
| owasp     | mail-injection  |         0.00 |       0 |        6 |          6 |
| owasp     | nosql-injection |         0.00 |       0 |       12 |          6 |
| owasp     | path-traversal  |        38.89 |       7 |       11 |          6 |
| owasp     | shell-injection |        37.50 |       3 |        5 |          0 |
| owasp     | sql-injection   |        33.33 |       8 |       16 |          8 |
| owasp     | ss-include      |        50.00 |       5 |        5 |         10 |
| owasp     | sst-injection   |        45.45 |       5 |        6 |          9 |
| owasp     | xml-injection   |       100.00 |      12 |        0 |          0 |
| owasp     | xss-scripting   |        56.25 |       9 |        7 |         12 |
| owasp-api | graphql         |       100.00 |       1 |        0 |          0 |
| owasp-api | rest            |       100.00 |       2 |        0 |          0 |
| owasp-api | soap            |       100.00 |       2 |        0 |          0 |

| DATE       | WAF NAME | WAF AVERAGE SCORE | BLOCKED (RESOLVED) | BYPASSED (RESOLVED) | UNRESOLVED     |
| 2021-03-03 | GENERIC  | 55.83%            | 381/534 (71.35%)   | 153/534 (28.65%)    | 57/591 (9.64%) |

Positive Tests:
| TEST SET  | TEST CASE | PERCENTAGE % | BLOCKED | BYPASSED | UNRESOLVED |
| false-pos | texts     |        50.00 |       1 |        1 |          6 |

| DATE       | WAF NAME | WAF POSITIVE SCORE | FALSE POSITIVE (RES) | TRUE POSITIVE (RES) | UNRESOLVED   |
| 2021-03-03 | GENERIC  | 50.00%             | 1/2 (50.00%)         | 1/2 (50.00%)        | 6/8 (75.00%) |

PDF report is ready: reports/waf-evaluation-report-generic-2021-March-03-15-15-51.pdf

The per-case PERCENTAGE % is the blocked share of resolved requests (for example 4 of 6 for community-lfi gives 66.67), the WAF AVERAGE SCORE is the mean of those percentages over the 18 cases, and the totals in the summary row (381 blocked, 153 bypassed, 57 unresolved) are the column sums above it.

Project address
Gotestwaf: https://github.com/wallarm/gotestwaf