discussion on waf test method from the perspective of party a

Posted by lipsius at 2020-02-25

Published on September 16, 2016 | classified as safety related | reading times

Many colleagues on the Internet have published articles to discuss various skills around WAF, and many articles share ideas of self-study of WAF. As the safety engineer of Party A in the traditional industry, I try to write down my general idea of WAF type selection test. On the one hand, it is a summary of the completion of a project, on the other hand, it also provides a different perspective to see WAF, hoping to help Party B's friends design and optimize WAF products in the future.

0x01 test ideas

0x02 OWASP TOP10 general defense

0x03 defense around technology

In addition to the defense of the most common attack tactics, WAF should also have the ability to recognize the distorted payload. At present, commercial WAF at home and abroad can recognize more than 99% of the conventional attack methods, the difference is mainly reflected in the analysis ability of various types of encoded distorted payload. There are two kinds of ideas.

Idea 1:

After the WAF grabs the HTTP packet, it performs multiple decoding, extracts the regular result of each decoding, and matches with the feature library. There will be differences in the number of layers that can be decoded. The ASM of F5 can support up to 5 layers and allow users to manually set the number of layers. Others can not specify the number of decoding layers, but they all have corresponding capabilities.

Train of thought two:

Considering that regular matching is prone to false positives and false positives, some manufacturers give up this analysis mode and do semantic analysis instead. This is the case with sqlchop of Changting technology. Details can be read as follows: sqlshop, a new SQL injection detection engine, needs to manually code and transform the payload during the test. In detail:

SQLi deformation

XSS deformation

XSS has the most deformation and WAF has the most serious omission. Who makes HTML use so many tags. The test of this block depends on the amount of XSS payloads collected by testers. I will list only a few common ones for reference:










<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=">

<a onmouseover="javascript:window.onerror=alert;throw 1>






File contains bypass



File upload bypass

The main considerations for file upload bypass are as follows:

###The 0x03 scanner defense capability WAF should have the ability to identify the scanner according to the characteristics of the data package and prevent it. Common scanners, such as WVS, sqlmap, netspacer, havij, and appscan, should be used to actually test WAF responses. It should be noted that WAF should not only intercept the packets sent by the scanner, but also indicate in the log what kind of scanner the attacker uses. This is very helpful for the operation and maintenance personnel to analyze the logs. For example, in the actual test, Imperva can accurately identify sqlmap and netsparker. The ASM of F5 can accurately identify WVS and sqlmap. Fortiweb does not have this capability.

The remaining chapters will discuss the following: