
Web Application Firewall (WAF) testing Framework



Dear Information Security Heroes, I plan to share some tools that really help you while implementing a WAF.

Sometimes, after the installation is complete, the customer will ask: "I did not see any attacks, is your WAF working fine?"

To answer this kind of question, use the tools below to evaluate the security efficacy of your web application security solution. Unlike application scanners, which only check for vulnerabilities, a WAF testing framework generates both legitimate traffic and attack traffic to determine whether your security solution stops attacks without blocking valid requests.


Only the top tools are covered here.

LightBulb Framework





The framework consists of two main algorithms:

GOFA: An active learning algorithm that infers symbolic representations of automata in the standard membership/equivalence query model. Active learning algorithms permit the analysis of filter and sanitizer programs remotely, i.e. given only the ability to query the targeted program and observe the output.

SFADiff: A black-box differential testing algorithm based on Symbolic Finite Automata (SFA) learning. Finding differences between programs with similar functionality is an important security problem, as such differences can be used for fingerprinting or creating evasion attacks against security software like Web Application Firewalls (WAFs), which are designed to detect malicious inputs to web applications.




Imperva's WAF Testing Framework

This one comes from a reputed OEM, the leader in Gartner's WAF report.

The WAF Testing Framework is licensed under the terms of the Affero General Public License version 3.

Link: https://www.imperva.com/lg/lgw_trial.asp?pid=483


Microsoft's WAF Bench (WB) Tool Suite



The WAF (Web Application Firewall) Bench tool suite is designed to verify the correctness and measure the performance of a WAF.

Automatic WAF correctness testing relieves developers of heavy and tedious verification work. Two things are needed to conduct WAF correctness testing: the testing framework and the test cases.

It is a heavier tool and needs more dependencies than the tools mentioned above.
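Added example (my own, not code from any of the tools above): a minimal harness in Python showing the efficacy check the introduction and the WAF Bench section describe, replaying a labelled corpus of legitimate and attack requests and tallying blocked attacks against falsely blocked valid requests. The corpus, the ATTACK_MARKER placeholders and `stub_waf` are constructed; `http_sender` is a hypothetical helper for pointing the same harness at a live target.

```python
"""Minimal WAF efficacy harness (added example, constructed): replays labelled legitimate
and attack requests and reports detection rate vs. false positives on valid traffic."""
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Constructed corpus of (request path, is_attack). The attack markers are placeholders
# standing in for whatever payload set the tester's own suite supplies.
CORPUS: List[Tuple[str, bool]] = [
    ("/", False),
    ("/search?q=firewall+testing", False),
    ("/search?q=o'reilly", False),            # legitimate but quote-bearing
    ("/search?q=ATTACK_MARKER_A", True),
    ("/login?user=ATTACK_MARKER_B", True),
]

BLOCK_STATUSES = (403, 406)  # what this WAF answers for a blocked request; adjust per product

def evaluate(corpus: List[Tuple[str, bool]], send: Callable[[str], int]) -> Dict[str, int]:
    """Replay each case through `send` (returns an HTTP status) and bucket it:
    tp = attack blocked, fn = attack passed, fp = legitimate blocked, tn = legitimate passed."""
    counts = {"tp": 0, "fn": 0, "fp": 0, "tn": 0}
    for path, is_attack in corpus:
        blocked = send(path) in BLOCK_STATUSES
        key = ("tp" if blocked else "fn") if is_attack else ("fp" if blocked else "tn")
        counts[key] += 1
    return counts

def efficacy(counts: Dict[str, int]) -> Dict[str, float]:
    """Detection rate over attack cases and false-positive rate over legitimate cases."""
    attacks, legit = counts["tp"] + counts["fn"], counts["fp"] + counts["tn"]
    return {"detection_rate": counts["tp"] / attacks if attacks else 0.0,
            "false_positive_rate": counts["fp"] / legit if legit else 0.0}

def http_sender(base_url: str, timeout: float = 5.0) -> Callable[[str], int]:
    """Hypothetical sender for a live target: GET base_url + path, returning 4xx block codes too."""
    def send(path: str) -> int:
        try:
            with urllib.request.urlopen(base_url + path, timeout=timeout) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code
    return send

def stub_waf(path: str) -> int:
    """Offline stand-in for a WAF (constructed): blocks on the placeholder marker or any
    bare quote, so the apostrophe search above shows up as a false positive."""
    return 403 if "ATTACK_MARKER" in path or "'" in path else 200
```

Running `efficacy(evaluate(CORPUS, stub_waf))` reports a 100% detection rate but a one-in-three false-positive rate, which is exactly the collateral blocking the customer also needs to hear about.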



