
List:       pauldotcom
Subject:    Re: [Security Weekly] Audit a WAF
From:       RAMELLA Sébastien <sebastien.ramella () white-hats ! fr>
Date:       2014-04-08 20:16:50
Message-ID: 92FEE8533CB2574C87C09E91A530DFF40107684A () ex1u ! white-hats ! ads

Thanks all,

In my case the WAF is a black box, so before starting I try to evaluate the possibilities... My customer has a web application protected by a WAF and I need to audit the website.

My first approach was to evaluate the WAF in order to have a starting line.
I started with a frame analyzer and good old basic concepts, and finally I scripted to obtain a basic whitelist.

I am now seeking a way to operate with what I found, but it is really limited.

RAMELLA Sébastien 
Systems and network integrator / IS security consultant
Microsoft Certified System Administrator

-----Original Message-----
From: securityweekly-bounces@mail.securityweekly.com [mailto:securityweekly-bounces@mail.securityweekly.com] On Behalf Of Chris Campbell
Sent: Tuesday 8 April 2014 18:56
To: Security Weekly Mailing List
Subject: Re: [Security Weekly] Audit a WAF

Are you auditing the WAF and all the associated issues (logging, alerting, signature updates, policy updates etc.) or are you auditing the WAF policy and the application coverage that it provides?

If it's the latter, and the WAF policy is black box, then I like to see a vuln. assessment done with and without WAF coverage to see what the difference is. If the policy is available to you then you should be looking for whitelist/blacklist holes; examples are where wildcards are used, or where there is no input validation or the wrong type/length checks in the case of a whitelist, or where signature sets aren't enabled in the case of a blacklist.

If it's the former then standard IPS-like procedures should be in place for updates, logging etc., so I would focus on areas where the operational teams may not have skills or defined procedures.

Chris.  

> On 7 Apr 2014, at 19:27, RAMELLA Sébastien <sebastien.ramella@white-hats.fr> wrote:
> Hello,
> I read several articles about WAFs, mainly methods of bypass.
> Several papers retained my attention; one referred to a fuzzer-like tool called "Waffun".
> I would like to assess the WAF through a company internal project.
> 
> Can anyone share this tool, or just inform me of tips, similar tools ... or best practice for evaluating a WAF? Thanks in advance.
> 
> RAMELLA Sébastien
> Systems and network integrator / IS security consultant
> Microsoft Certified System Administrator
> __________________________________________
> 
> 
> _______________________________________________
> securityweekly mailing list
> securityweekly@mail.securityweekly.com
> http://mail.securityweekly.com/cgi-bin/mailman/listinfo/securityweekly
> Main Web Site: http://pauldotcom.com
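As an added illustration of the policy-review checks Chris lists (wildcard entries, missing input validation, missing or oversized length limits, disabled signature sets), here is a small policy linter. It is example code written for this note, not a tool from the thread, and the JSON policy layout it reads is a constructed, hypothetical one rather than any vendor's real export format.

```python
import json

# Constructed, hypothetical WAF policy export (not any vendor's real format):
# a positive-security (whitelist) section with per-parameter rules and a
# negative-security (blacklist) section listing signature sets.
SAMPLE_POLICY = json.dumps({
    "whitelist": {
        "/login": {
            "user": {"type": "alpha", "max_len": 64},
            "pass": {"type": "any"},             # no real content validation, no length limit
            "remember": {"type": "bool"},        # typed, but no length check
        },
        "/api/*": {                              # wildcard path: everything under /api is covered by one rule
            "q": {"type": "alnum", "max_len": 4096},  # length limit far above what the app needs
        },
    },
    "blacklist": {
        "signature_sets": {"sqli": True, "xss": False, "lfi": False},
    },
})

LOOSE_TYPES = {"any", "string"}   # types that do not constrain input content
MAX_SANE_LEN = 1024               # assumed threshold; tune per application

def lint_policy(policy_json):
    """Return a list of (severity, location, message) findings for a policy export."""
    policy = json.loads(policy_json)
    findings = []
    for path, params in policy.get("whitelist", {}).items():
        if "*" in path:
            findings.append(("high", path, "wildcard path in whitelist"))
        for name, rule in params.items():
            loc = f"{path}?{name}"
            if rule.get("type", "any") in LOOSE_TYPES:
                findings.append(("high", loc, "no content validation (type is loose)"))
            if "max_len" not in rule:
                findings.append(("medium", loc, "no length check"))
            elif rule["max_len"] > MAX_SANE_LEN:
                findings.append(("medium", loc, f"max_len {rule['max_len']} exceeds {MAX_SANE_LEN}"))
    sets = policy.get("blacklist", {}).get("signature_sets", {})
    for name, enabled in sets.items():
        if not enabled:
            findings.append(("medium", f"signature_set:{name}", "signature set disabled"))
    return findings

if __name__ == "__main__":
    for severity, location, message in lint_policy(SAMPLE_POLICY):
        print(f"[{severity}] {location}: {message}")
```

The findings are what a reviewer would cross-check against the with/without-WAF assessment results: each loose or missing rule is a place where the two scans are likely to differ least.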

