怎么用Gotestwaf測試你的WAF檢測能力
發(fā)布時(shí)間:2021-09-14 11:25
來(lái)源:億速云
閱讀:0
作者:chen
欄目: 網(wǎng)絡(luò )安全
這篇文章主要講解了“怎么用Gotestwaf測試你的WAF檢測能力”�,文中的講解內容簡(jiǎn)單清晰���,易于學(xué)習與理解�,下面請大家跟著(zhù)小編的思路慢慢深入��,一起來(lái)研究和學(xué)習“怎么用Gotestwaf測試你的WAF檢測能力”吧�!
關(guān)于Gotestwaf
Gotestwaf����,全稱(chēng)為Go Test WAF����,該工具可以使用不同類(lèi)型的攻擊技術(shù)和繞過(guò)技術(shù)來(lái)測試你Web應用程序防火墻的檢測能力����。Gotestwaf是一個(gè)基于Go開(kāi)發(fā)的開(kāi)源項目����,它實(shí)現了一種三步請求生成過(guò)程��,可以對編碼器和占位符的Payload進(jìn)行相乘操作�。假設你定義了2個(gè)Payload�����、3個(gè)編碼器(Base64�����、JSON和URLencode)和1個(gè)占位符(HTTP GET變量)�����。在這種情況下�,Gotestwaf將在測試用例中發(fā)送2*3*1=6個(gè)請求��。
Payload
你可以發(fā)送的Payload字符串�,支持比如說(shuō)<script>alert(111)</script>或其他更復雜的東西��。當前版本的Gotestwaf還不支持類(lèi)似宏這樣的功能����,但我們之后會(huì )添加相關(guān)支持�。由于這是一個(gè)YAML字符串�����,因此你還可以使用二進(jìn)制編碼����,具體請參考https://yaml.org/type/binary.html�����。
編碼器
數據編碼器工具應適用于Payload�,支持Base64和JSON Unicode編碼(\u0027代替’)等���。
占位符
占位符位于HTTP請求中���,用于存放已編碼的Payload���。比如說(shuō)URL參數�、URI���、POST表單參數或JSON POST主體����。
工具安裝
DockerHub
最新版本的Gotestwaf可以通過(guò)DockerHub庫直接獲?���。篽ttps://hub.docker.com/r/wallarm/gotestwaf���。
我們可以直接使用下列命令將項目庫拉取到本地:
docker pull wallarm/gotestwaf
本地Docker構建
docker build . --force-rm -t gotestwaf
docker run -v ${PWD}/reports:/go/src/gotestwaf/reports gotestwaf --url=https://the-waf-you-wanna-test/運行命令之后�����,你將會(huì )在reports文件夾下查看到waf-test-report-<date>.pdf報告文件�����,你也可以將其映射到容器中的/go/src/gotestwaf/reports處����。
代碼構建
Gotestwaf支持在目前常見(jiàn)的操作系統平臺上運行���,包括Linux����、Windows和macOS����,我們可以直接在安裝了Go環(huán)境的系統上進(jìn)行源碼編譯和構建:
go build -mod vendor
工具配置選項
Usage of /go/src/gotestwaf/gotestwaf:
--blockRegex string Regex to detect a blocking page with the same HTTP response status code as a not blocked request
--blockStatusCode int HTTP status code that WAF uses while blocking requests (default 403)
--configPath string Path to the config file (default "config.yaml")
--followCookies If true, use cookies sent by the server. May work only with --maxIdleConns=1
--idleConnTimeout int The maximum amount of time a keep-alive connection will live (default 2)
--maxIdleConns int The maximum number of keep-alive connections (default 2)
--maxRedirects int The maximum number of handling redirects (default 50)
--nonBlockedAsPassed If true, count requests that weren't blocked as passed. If false, requests that don't satisfy to PassStatuscode/PassRegExp as blocked
--passRegex string Regex to a detect normal (not blocked) web page with the same HTTP status code as a blocked request
--passStatusCode int HTTP response status code that WAF uses while passing requests (default 200)
--proxy string Proxy URL to use
--randomDelay int Random delay in ms in addition to the delay between requests (default 400)
--reportPath string A directory to store reports (default "reports")
--sendDelay int Delay in ms between requests (default 400)
--testCase string If set then only this test case will be run
--testCasesPath string Path to a folder with test cases (default "testcases")
--testSet string If set then only this test set's cases will be run
--tlsVerify If true, the received TLS certificate will be verified
--url string URL to check (default "http://localhost/")
--verbose If true, enable verbose logging (default true)
--wafName string Name of the WAF product (default "generic")
--workers int The number of workers to scan (default 200)
--wsURL string WebSocket URL to check
工具使用樣例
測試OWASP ModSecurity核心規則集(CRS)
首先�����,我們需要構建&運行ModSecurity CRS Docker鏡像��。我們可以使用下列命令自動(dòng)拉取����、構建和運行ModSecurity CRS Docker鏡像:
make modsec
或者�����,你也可以手動(dòng)配置參數并進(jìn)行測試:
docker pull owasp/modsecurity-crs
docker run -p 8080:80 -d -e PARANOIA=1 --rm owasp/modsecurity-crs
你還可以選擇PARANOIA等級來(lái)提升測試的安全等級�,具體請參考https://coreruleset.org/faq/�。
接下來(lái)����,我們需要使用下列命令來(lái)對ModSecurity CRS Docker鏡像的安全性進(jìn)行測試:
make scan_local (to run natively)
make scan_local_from_docker (to run from docker)
或者��,在Docker中手動(dòng)執行:
docker run -v ${PWD}/reports:/go/src/gotestwaf/reports --network="host" gotestwaf --url=http://127.0.0.1:8080/ --verbose或者����,使用下列命令手動(dòng)運行測試(本地):
go run ./cmd --url=http://127.0.0.1:8080/ --verbose
我們還可以通過(guò)wsURL和verbose參數來(lái)添加額外的WebSocket URL檢測���,其中會(huì )包含目標進(jìn)程的詳細信息:
docker run -v ${PWD}/reports:/go/src/gotestwaf/reports gotestwaf --url=http://172.17.0.1:8080/ --wsURL=ws://172.17.0.1:8080/api/ws --verboseGotestwaf的檢測結果輸出如下:
GOTESTWAF : 2021/03/03 15:15:48.072331 main.go:61: Test cases loading started
GOTESTWAF : 2021/03/03 15:15:48.077093 main.go:68: Test cases loading finished
GOTESTWAF : 2021/03/03 15:15:48.077123 main.go:74: Scanned URL: http://127.0.0.1:8080/
GOTESTWAF : 2021/03/03 15:15:48.083134 main.go:85: WAF pre-check: OK. Blocking status code: 403
GOTESTWAF : 2021/03/03 15:15:48.083179 main.go:97: WebSocket pre-check. URL to check: ws://127.0.0.1:8080/
GOTESTWAF : 2021/03/03 15:15:48.251824 main.go:101: WebSocket pre-check: connection is not available, reason: websocket: bad handshake
GOTESTWAF : 2021/03/03 15:15:48.252047 main.go:129: Scanning http://127.0.0.1:8080/
GOTESTWAF : 2021/03/03 15:15:48.252076 scanner.go:124: Scanning started
GOTESTWAF : 2021/03/03 15:15:51.210216 scanner.go:129: Scanning Time: 2.958076338s
GOTESTWAF : 2021/03/03 15:15:51.210235 scanner.go:160: Scanning finished
Negative Tests:
+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+
| TEST SET | TEST CASE | PERCENTAGE, % | BLOCKED | BYPASSED | UNRESOLVED |
+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+
| community | community-lfi | 66.67 | 4 | 2 | 0 |
| community | community-rce | 14.29 | 6 | 36 | 0 |
| community | community-sqli | 70.83 | 34 | 14 | 0 |
| community | community-xss | 91.78 | 279 | 25 | 0 |
| community | community-xxe | 100.00 | 4 | 0 | 0 |
| owasp | ldap-injection | 0.00 | 0 | 8 | 0 |
| owasp | mail-injection | 0.00 | 0 | 6 | 6 |
| owasp | -injection | 0.00 | 0 | 12 | 6 |
| owasp | path-traversal | 38.89 | 7 | 11 | 6 |
| owasp | shell-injection | 37.50 | 3 | 5 | 0 |
| owasp | sql-injection | 33.33 | 8 | 16 | 8 |
| owasp | ss-include | 50.00 | 5 | 5 | 10 |
| owasp | sst-injection | 45.45 | 5 | 6 | 9 |
| owasp | xml-injection | 100.00 | 12 | 0 | 0 |
| owasp | xss-scripting | 56.25 | 9 | 7 | 12 |
| owasp-api | graphql | 100.00 | 1 | 0 | 0 |
| owasp-api | rest | 100.00 | 2 | 0 | 0 |
| owasp-api | soap | 100.00 | 2 | 0 | 0 |
+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+
| DATE: | WAF NAME: | WAF AVERAGE SCORE: | BLOCKED (RESOLVED): | BYPASSED (RESOLVED): | UNRESOLVED: |
| 2021-03-03 | GENERIC | 55.83% | 381/534 (71.35%) | 153/534 (28.65%) | 57/591 (9.64%) |
+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+
Positive Tests:
+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+
| TEST SET | TEST CASE | PERCENTAGE, % | BLOCKED | BYPASSED | UNRESOLVED |
+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+
| false-pos | texts | 50.00 | 1 | 1 | 6 |
+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+
| DATE: | WAF NAME: | WAF POSITIVE SCORE: | FALSE POSITIVE (RES): | TRUE POSITIVE (RES): | UNRESOLVED: |
| 2021-03-03 | GENERIC | 50.00% | 1/2 (50.00%) | 1/2 (50.00%) | 6/8 (75.00%) |
+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+
PDF report is ready: reports/waf-evaluation-report-generic-2021-March-03-15-15-51.pdf
項目地址
Gotestwaf:https://github.com/wallarm/gotestwaf
