Search...

Gotestwaf - Go Test WAF Is A Tool To Test Your WAF Detection Capabilities Against Different Types Of Attacks And By-Pass Techniques

2021-04-10T21:30:00

ID KITPLOIT:1954276161188912563
Type kitploit
Reporter KitPloit
Modified 2021-04-10T21:30:00

Description

An open-source Go project to test different web application firewalls (WAF) for detection logic and bypasses.

How it works

It is a 3-steps requests generation process that multiply amount of payloads to encoders and placeholders. Let's say you defined 2 payloads, 3 encoders (Base64, JSON, and URLencode) and 1 placeholder (HTTP GET variable). In this case, the tool will send 2x3x1 = 6 requests in a testcase.

Payload

The payload string you wanna send. Like <script>alert(111)</script> or something more sophisticated. There is no macroses like so far, but it's in our TODO list. Since it's a YAML string, use binary encoding if you wanna to https://yaml.org/type/binary.html

Encoder

Data encoder the tool should apply to the payload. Base64, JSON unicode (\u0027 instead of '), etc.

Placeholder

A place inside HTTP request where encoded payload should be. Like URL parameter, URI, POST form parameter, or JSON POST body.

Quick start

Dockerhub

The latest gotestwaf always available via the dockerhub repository: https://hub.docker.com/r/wallarm/gotestwaf
It can be easily pulled via the following command:

docker pull wallarm/gotestwaf

Local Docker build

docker build . --force-rm -t gotestwaf  
docker run -v ${PWD}/reports:/go/src/gotestwaf/reports gotestwaf --url=https://the-waf-you-wanna-test/

Find the report file waf-test-report-<date>.pdf in the reports folder that you mapped to /go/src/gotestwaf/reports inside the container.

Build

Gotestwaf supports all the popular platforms (Linux, Windows, macOS), and can be built natively if Go is installed in the system.

go build -mod vendor

Examples

Testing on OWASP ModSecurity Core Rule Set

Build & run ModSecurity CRS docker image

You can pull, build and run ModSecurity CRS docker image automatically:

make modsec

Or manually with your configuration flags to test:

docker pull owasp/modsecurity-crs  
docker run -p 8080:80 -d -e PARANOIA=1 --rm owasp/modsecurity-crs

You may choose the PARANOIA level to increase the level of security.
Learn more https://coreruleset.org/faq/

Run gotestwaf

If you want to test the functionality on the running ModSecurity CRS docker container, you can use the following commands:

make scan_local               (to run natively)  
make scan_local_from_docker   (to run from docker)

Or manually from docker:

docker run -v ${PWD}/reports:/go/src/gotestwaf/reports --network="host" gotestwaf --url=http://127.0.0.1:8080/ --verbose

And manually with go run (natively):

go run ./cmd --url=http://127.0.0.1:8080/ --verbose

Run gotestwaf with WebSocket check

You can additionally set the WebSocket URL to check via the wsURL flag and verbose flag to include more information about the checking process:

docker run -v ${PWD}/reports:/go/src/gotestwaf/reports gotestwaf --url=http://172.17.0.1:8080/ --wsURL=ws://172.17.0.1:8080/api/ws --verbose

Check results

GOTESTWAF : 2021/03/03 15:15:48.072331 main.go:61: Test cases loading started  
GOTESTWAF : 2021/03/03 15:15:48.077093 main.go:68: Test cases loading finished  
GOTESTWAF : 2021/03/03 15:15:48.077123 main.go:74: Scanned URL: http://127.0.0.1:8080/  
GOTESTWAF : 2021/03/03 15:15:48.083134 main.go:85: WAF pre-check: OK. Blocking status code: 403  
GOTESTWAF : 2021/03/03 15:15:48.083179 main.go:97: WebSocket pre-check. URL to check: ws://127.0.0.1:8080/  
GOTESTWAF : 2021/03/03 15:15:48.251824 main.go:101: WebSocket pre-check: connection is not available, reason: websocket: bad handshake  
GOTESTWAF : 2021/03/03 15:15:48.252047 main.go:129: Scanning http://127.0.0.1:8080/  
GOTESTWAF : 2021/03/03 15:15:48.252076 scanner.go:124: Scanning started  
GOTESTWAF : 2021/03/03 15:15:51.210216 scanner.go:129: Scanning Time:  2.958076338s  
GOTESTWAF : 2021/03/03 15:15:51.210235 scanner.go:160: Scanning finished

Negative Tests:  
+-----------------------+--   ---------------------+-----------------------+-----------------------+-----------------------+-----------------------+  
|       TEST SET        |       TEST CASE       |     PERCENTAGE, %     |        BLOCKED        |       BYPASSED        |      UNRESOLVED       |  
+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+  
| community             | community-lfi         |                 66.67 |                     4 |                     2 |                     0 |  
| community             | community-rce         |                 14.29 |                     6 |                    36 |                     0 |  
| community             | community-sqli        |                 70.83 |                    34 |                    14 |                     0 |  
| community             | community-xss         |                 91.78 |                   279 |                    25 |                        0 |  
| community             | community-xxe         |                100.00 |                     4 |                     0 |                     0 |  
| owasp                 | ldap-injection        |                  0.00 |                     0 |                     8 |                     0 |  
| owasp                 | mail-injection        |                  0.00 |                     0 |                     6 |                     6 |  
| owasp                 | nosql-injection       |                  0.00 |                     0 |                    12 |                     6 |  
| owasp                 | path-traversal        |                 38.89 |                     7 |                    11 |                     6 |  
| owasp                 | shell-injection       |                 37.50 |                     3 |                     5 |                     0 |  
| owasp                 | sql-injection         |                 33.33    |                     8 |                    16 |                     8 |  
| owasp                 | ss-include            |                 50.00 |                     5 |                     5 |                    10 |  
| owasp                 | sst-injection         |                 45.45 |                     5 |                     6 |                     9 |  
| owasp                 | xml-injection         |                100.00 |                    12 |                     0 |                     0 |  
| owasp                 | xss-scripting         |                 56.25 |                     9 |                     7 |                    12 |  
| owasp-api             | graphql               |                100.00 |                     1 |                     0 |                     0 |  
| owasp-api             | rest                  |                100.00 |                     2 |                     0 |                     0 |  
| owasp-api                | soap                  |                100.00 |                     2 |                     0 |                     0 |  
+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+  
|         DATE:         |       WAF NAME:       |  WAF AVERAGE SCORE:   |  BLOCKED (RESOLVED):  | BYPASSED (RESOLVED):  |      UNRESOLVED:      |  
|      2021-03-03       |        GENERIC        |        55.83%         |   381/534 (71.35%)    |   153/534 (28.65%)    |    57/591 (9.64%)     |  
+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+

Positive Tests:  
+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+  
|       TEST SET        |       TEST CASE       |     PERCENTAGE, %     |        BLOCKED           |       BYPASSED        |      UNRESOLVED       |  
+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+  
| false-pos             | texts                 |                 50.00 |                     1 |                     1 |                     6 |  
+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+  
|         DATE:         |       WAF NAME:       |  WAF POSITIVE SCORE:  | FALSE POSITIVE (RES): | TRUE POSITIVE (RES):  |      UNRESOLVED:      |  
|      2021-03-03       |        GENERIC        |        50.00%         |     1/2 (50.00%)      |     1/2 (50.00%)      |     6/8 (75.00%)      |  
+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+

PDF report is ready: reports/waf   -evaluation-report-generic-2021-March-03-15-15-51.pdf

Configuration options

Usage of /go/src/gotestwaf/gotestwaf:  
      --blockRegex string      Regex to detect a blocking page with the same HTTP response status code as a not blocked request  
      --blockStatusCode int    HTTP status code that WAF uses while blocking requests (default 403)  
      --configPath string      Path to the config file (default "config.yaml")  
      --followCookies          If true, use cookies sent by the server. May work only with --maxIdleConns=1  
      --idleConnTimeout int    The maximum amount of time a keep-alive connection will live (default 2)  
      --maxIdleConns int       The maximum number of keep-alive connections (default 2)  
      --maxRedirects int       The maximum number of handling redirects (default 50)  
      --nonBlockedAsPassed     If true, count requests that weren't blocked as passed. If false, requests that don't satisfy to PassStatuscode/PassRegExp as blocked  
      --passRegex string       Regex to a detect normal    (not blocked) web page with the same HTTP status code as a blocked request  
      --passStatusCode int     HTTP response status code that WAF uses while passing requests (default 200)  
      --proxy string           Proxy URL to use  
      --randomDelay int        Random delay in ms in addition to the delay between requests (default 400)  
      --reportPath string      A directory to store reports (default "reports")  
      --sendDelay int          Delay in ms between requests (default 400)  
      --testCase string        If set then only this test case will be run  
      --testCasesPath string   Path to a folder with test cases (default "testcases")  
      --testSet string         If set then only this test set's cases will be run  
      --tlsVerify              If true, the received TLS certificate will be verified  
      --url string             URL to check (default "http://localhost/")  
      --verbose                If true, enable verbose logg   ing (default true)  
      --wafName string         Name of the WAF product (default "generic")  
      --workers int            The number of workers to scan (default 200)  
      --wsURL string           WebSocket URL to check

Download Gotestwaf

JSON Vulners Source

Initial Source

{"id": "KITPLOIT:1954276161188912563", "bulletinFamily": "tools", "title": "Gotestwaf - Go Test WAF Is A Tool To Test Your WAF Detection Capabilities Against Different Types Of Attacks And By-Pass Techniques", "description": "[ ![](https://1.bp.blogspot.com/-IS-KjsU9_Dw/YGvfwt_E4HI/AAAAAAAAV0g/8KZMklbQUTgVwTfCA8-Fzr5SdVl6gmlpgCNcBGAsYHQ/w640-h344/waf.png) ](<https://1.bp.blogspot.com/-IS-KjsU9_Dw/YGvfwt_E4HI/AAAAAAAAV0g/8KZMklbQUTgVwTfCA8-Fzr5SdVl6gmlpgCNcBGAsYHQ/s734/waf.png>)\n\n \n\n\nAn open-source Go project to test different web application [ firewalls ](<https://www.kitploit.com/search/label/Firewalls> \"firewalls\" ) (WAF) for detection logic and bypasses. \n\n \n\n\n** How it works ** \n\n\nIt is a 3-steps requests generation process that multiply amount of payloads to encoders and placeholders. Let's say you defined 2 payloads, 3 encoders (Base64, JSON, and URLencode) and 1 placeholder (HTTP GET variable). In this case, the tool will send 2x3x1 = 6 requests in a testcase. \n\n \n** Payload ** \n\n\nThe payload string you wanna send. Like ` <script>alert(111)</script> ` or something more sophisticated. There is no macroses like so far, but it's in our TODO list. Since it's a YAML string, use binary encoding if you wanna to [ https://yaml.org/type/binary.html ](<https://yaml.org/type/binary.html> \"https://yaml.org/type/binary.html\" )\n\n \n** Encoder ** \n\n\nData encoder the tool should apply to the payload. Base64, JSON unicode (\\u0027 instead of '), etc. \n\n \n** Placeholder ** \n\n\nA place inside HTTP request where encoded payload should be. Like URL parameter, URI, POST form parameter, or JSON POST body. \n\n \n** Quick start ** \n \n** Dockerhub ** \n\n\nThe latest gotestwaf always available via the [ dockerhub ](<https://www.kitploit.com/search/label/Dockerhub> \"dockerhub\" ) repository: [ https://hub.docker.com/r/wallarm/gotestwaf ](<https://hub.docker.com/r/wallarm/gotestwaf> \"https://hub.docker.com/r/wallarm/gotestwaf\" ) \nIt can be easily pulled via the following command: \n \n \n docker pull wallarm/gotestwaf \n \n\n \n** Local Docker build ** \n\n \n \n docker build . --force-rm -t gotestwaf \n docker run -v ${PWD}/reports:/go/src/gotestwaf/reports gotestwaf --url=https://the-waf-you-wanna-test/ \n \n\nFind the report file ` waf-test-report-<date>.pdf ` in the ` reports ` folder that you mapped to ` /go/src/gotestwaf/reports ` inside the container. \n\n \n** Build ** \n\n\nGotestwaf supports all the popular platforms (Linux, Windows, macOS), and can be built natively if Go is installed in the system. \n \n \n go build -mod vendor \n \n\n \n** Examples ** \n \n** Testing on [ OWASP ModSecurity ](<https://www.kitploit.com/search/label/OWASP%20ModSecurity> \"OWASP ModSecurity\" ) Core Rule Set ** \n \n** Build & run [ ModSecurity ](<https://www.kitploit.com/search/label/ModSecurity> \"ModSecurity\" ) CRS docker image ** \n\n\nYou can pull, build and run ModSecurity CRS docker image automatically: \n \n \n make modsec \n \n\nOr manually with your configuration flags to test: \n \n \n docker pull owasp/modsecurity-crs \n docker run -p 8080:80 -d -e PARANOIA=1 --rm owasp/modsecurity-crs \n \n\nYou may choose the PARANOIA level to increase the level of security. \nLearn more [ https://coreruleset.org/faq/ ](<https://coreruleset.org/faq/> \"https://coreruleset.org/faq/\" )\n\n \n** Run gotestwaf ** \n\n\nIf you want to test the functionality on the running ModSecurity CRS docker container, you can use the following commands: \n \n \n make scan_local (to run natively) \n make scan_local_from_docker (to run from docker) \n \n\nOr manually from docker: \n \n \n docker run -v ${PWD}/reports:/go/src/gotestwaf/reports --network=\"host\" gotestwaf --url=http://127.0.0.1:8080/ --verbose \n \n\nAnd manually with ` go run ` (natively): \n \n \n go run ./cmd --url=http://127.0.0.1:8080/ --verbose \n \n\n \n** Run gotestwaf with [ WebSocket ](<https://www.kitploit.com/search/label/WebSocket> \"WebSocket\" ) check ** \n\n\nYou can additionally set the WebSocket URL to check via the ` wsURL ` flag and ` verbose ` flag to include more information about the checking process: \n \n \n docker run -v ${PWD}/reports:/go/src/gotestwaf/reports gotestwaf --url=http://172.17.0.1:8080/ --wsURL=ws://172.17.0.1:8080/api/ws --verbose \n \n\n \n** Check results ** \n\n \n \n GOTESTWAF : 2021/03/03 15:15:48.072331 main.go:61: Test cases loading started \n GOTESTWAF : 2021/03/03 15:15:48.077093 main.go:68: Test cases loading finished \n GOTESTWAF : 2021/03/03 15:15:48.077123 main.go:74: Scanned URL: http://127.0.0.1:8080/ \n GOTESTWAF : 2021/03/03 15:15:48.083134 main.go:85: WAF pre-check: OK. Blocking status code: 403 \n GOTESTWAF : 2021/03/03 15:15:48.083179 main.go:97: WebSocket pre-check. URL to check: ws://127.0.0.1:8080/ \n GOTESTWAF : 2021/03/03 15:15:48.251824 main.go:101: WebSocket pre-check: connection is not available, reason: websocket: bad handshake \n GOTESTWAF : 2021/03/03 15:15:48.252047 main.go:129: Scanning http://127.0.0.1:8080/ \n GOTESTWAF : 2021/03/03 15:15:48.252076 scanner.go:124: Scanning started \n GOTESTWAF : 2021/03/03 15:15:51.210216 scanner.go:129: Scanning Time: 2.958076338s \n GOTESTWAF : 2021/03/03 15:15:51.210235 scanner.go:160: Scanning finished \n \n Negative Tests: \n +-----------------------+-- ---------------------+-----------------------+-----------------------+-----------------------+-----------------------+ \n | TEST SET | TEST CASE | PERCENTAGE, % | BLOCKED | BYPASSED | UNRESOLVED | \n +-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+ \n | community | community-lfi | 66.67 | 4 | 2 | 0 | \n | community | community-rce | 14.29 | 6 | 36 | 0 | \n | community | community-sqli | 70.83 | 34 | 14 | 0 | \n | community | community-xss | 91.78 | 279 | 25 | 0 | \n | community | community-xxe | 100.00 | 4 | 0 | 0 | \n | owasp | ldap-injection | 0.00 | 0 | 8 | 0 | \n | owasp | mail-injection | 0.00 | 0 | 6 | 6 | \n | owasp | nosql-injection | 0.00 | 0 | 12 | 6 | \n | owasp | path-traversal | 38.89 | 7 | 11 | 6 | \n | owasp | shell-injection | 37.50 | 3 | 5 | 0 | \n | owasp | sql-injection | 33.33 | 8 | 16 | 8 | \n | owasp | ss-include | 50.00 | 5 | 5 | 10 | \n | owasp | sst-injection | 45.45 | 5 | 6 | 9 | \n | owasp | xml-injection | 100.00 | 12 | 0 | 0 | \n | owasp | xss-scripting | 56.25 | 9 | 7 | 12 | \n | owasp-api | graphql | 100.00 | 1 | 0 | 0 | \n | owasp-api | rest | 100.00 | 2 | 0 | 0 | \n | owasp-api | soap | 100.00 | 2 | 0 | 0 | \n +-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+ \n | DATE: | WAF NAME: | WAF AVERAGE SCORE: | BLOCKED (RESOLVED): | BYPASSED (RESOLVED): | UNRESOLVED: | \n | 2021-03-03 | GENERIC | 55.83% | 381/534 (71.35%) | 153/534 (28.65%) | 57/591 (9.64%) | \n +-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+ \n \n Positive Tests: \n +-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+ \n | TEST SET | TEST CASE | PERCENTAGE, % | BLOCKED | BYPASSED | UNRESOLVED | \n +-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+ \n | false-pos | texts | 50.00 | 1 | 1 | 6 | \n +-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+ \n | DATE: | WAF NAME: | WAF POSITIVE SCORE: | FALSE POSITIVE (RES): | TRUE POSITIVE (RES): | UNRESOLVED: | \n | 2021-03-03 | GENERIC | 50.00% | 1/2 (50.00%) | 1/2 (50.00%) | 6/8 (75.00%) | \n +-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+ \n \n PDF report is ready: reports/waf -evaluation-report-generic-2021-March-03-15-15-51.pdf \n \n\n* * *\n\n \n** Configuration options ** \n\n \n \n Usage of /go/src/gotestwaf/gotestwaf: \n --blockRegex string Regex to detect a blocking page with the same HTTP response status code as a not blocked request \n --blockStatusCode int HTTP status code that WAF uses while blocking requests (default 403) \n --configPath string Path to the config file (default \"config.yaml\") \n --followCookies If true, use cookies sent by the server. May work only with --maxIdleConns=1 \n --idleConnTimeout int The maximum amount of time a keep-alive connection will live (default 2) \n --maxIdleConns int The maximum number of keep-alive connections (default 2) \n --maxRedirects int The maximum number of handling redirects (default 50) \n --nonBlockedAsPassed If true, count requests that weren't blocked as passed. If false, requests that don't satisfy to PassStatuscode/PassRegExp as blocked \n --passRegex string Regex to a detect normal (not blocked) web page with the same HTTP status code as a blocked request \n --passStatusCode int HTTP response status code that WAF uses while passing requests (default 200) \n --proxy string Proxy URL to use \n --randomDelay int Random delay in ms in addition to the delay between requests (default 400) \n --reportPath string A directory to store reports (default \"reports\") \n --sendDelay int Delay in ms between requests (default 400) \n --testCase string If set then only this test case will be run \n --testCasesPath string Path to a folder with test cases (default \"testcases\") \n --testSet string If set then only this test set's cases will be run \n --tlsVerify If true, the received TLS certificate will be verified \n --url string URL to check (default \"http://localhost/\") \n --verbose If true, enable verbose logg ing (default true) \n --wafName string Name of the WAF product (default \"generic\") \n --workers int The number of workers to scan (default 200) \n --wsURL string WebSocket URL to check \n \n\n \n \n\n\n** [ Download Gotestwaf ](<https://github.com/wallarm/gotestwaf> \"Download Gotestwaf\" ) **\n", "published": "2021-04-10T21:30:00", "modified": "2021-04-10T21:30:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "http://www.kitploit.com/2021/04/gotestwaf-go-test-waf-is-tool-to-test.html", "reporter": "KitPloit", "references": ["https://github.com/wallarm/gotestwaf"], "cvelist": [], "immutableFields": [], "type": "kitploit", "lastseen": "2021-04-10T23:13:24", "edition": 1, "viewCount": 224, "enchantments": {"dependencies": {"references": [], "modified": "2021-04-10T23:13:24", "rev": 2}, "score": {"value": 0.2, "vector": "NONE", "modified": "2021-04-10T23:13:24", "rev": 2}, "vulnersScore": 0.2}, "toolHref": "https://github.com/wallarm/gotestwaf"}