WAF test suite #843

Open
12 tasks
krizhanovsky opened this issue Sep 17, 2017 · 1 comment

Comments

krizhanovsky (Contributor) commented Sep 17, 2017

Need to develop a test suite, as part of the current functional tests, to emulate WAF-bypassing requests and web attacks.

Analyzer + backend

One of the ways, probably the simplest and most featureful, is to use a ready vulnerability scanner/analyzer with a vulnerable backend. The following analyzers, working as malicious clients, could be employed:

Also consider the WAF bypass collection

Backends:

Homebred tests

If the above doesn't test some of the security issues, then appropriate functional tests, complementing the ready analyzer/backend setup, shall be implemented.

        http://1.1.1.1 &@2.2.2.2# @3.3.3.3/
        http://127.0.0.1:11211:80/
        http://google.com#@evil.com/
        ... and others
  • HTTP filtering proxy evasions (evade HTTP adjustment code by mangling HTTP headers on the assumption that a proxy and the target HTTP server process them in different ways), such as insertion of extra spaces, tabs, 0x00–0x20, and so on, e.g. GET / HTTP/1.1\r\n\sHost\x4:\tfoo \r\n. The main point is that if we do not block some of such manglings (i.e. they are allowed by the RFC), then we must correctly perform HTTP message modifications for such headers.
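An added example, not code from the issue or from the Tempesta test suite, of how a functional test for the header-mangling case could classify raw header lines per RFC 7230: reject what the RFC forbids (control bytes, whitespace inside a field name, obs-fold), and for what it allows, produce the canonical form the proxy must use when it rewrites the header. The function names and the sample requests are constructed; the issue's `Host\x4` is taken as the single byte 0x04.

```python
import re

# Constructed example, not the Tempesta test suite's code.
# RFC 7230 token chars for a field name: space, tab and any 0x00-0x20 byte are
# not tchar, so names such as b'Host\x04' or b'Host ' must not be accepted.
TCHAR = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# field-value: VCHAR, obs-text, SP and HTAB only; other control bytes are forbidden.
FIELD_VALUE = re.compile(rb"^[\t\x20-\x7e\x80-\xff]*$")


def check_header_line(line: bytes):
    """Classify one raw header line (CRLF already stripped).

    Returns ("reject", reason) when the proxy must refuse the message, or
    ("ok", (name, value)) with the canonical form the proxy must use when it
    rewrites or re-serialises the header (lower-cased name, OWS stripped).
    """
    if line[:1] in (b" ", b"\t"):
        # obs-fold: RFC 7230 3.2.4 lets a proxy reject or unfold it; we reject.
        return ("reject", "obs-fold / leading whitespace")
    name, sep, value = line.partition(b":")
    if not sep:
        return ("reject", "no colon")
    if not TCHAR.match(name):
        return ("reject", "non-token field name")
    if not FIELD_VALUE.match(value):
        return ("reject", "control byte in field value")
    # OWS around the value is legal and must be stripped before forwarding,
    # otherwise proxy and backend may see different values.
    return ("ok", (name.lower(), value.strip(b" \t")))


def check_headers(raw: bytes):
    """Run every header line of a raw request (after the request line)
    through check_header_line and return the list of verdicts."""
    lines = raw.split(b"\r\n")[1:]  # drop the request line
    return [check_header_line(ln) for ln in lines if ln]


# Constructed mangled requests; the first one is the example from the issue.
SAMPLES = {
    "folded_ctl_name": b"GET / HTTP/1.1\r\n Host\x04:\tfoo \r\n",
    "ows_value":       b"GET / HTTP/1.1\r\nHost:\tfoo \r\n",
    "space_in_name":   b"GET / HTTP/1.1\r\nHost :foo\r\n",
    "nul_in_value":    b"GET / HTTP/1.1\r\nHost: f\x00oo\r\n",
    "inner_tab":       b"GET / HTTP/1.1\r\nX-Tag: a\tb\r\n",
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(label, check_headers(req))
```

A test in this style sends each sample through the proxy and asserts that rejected ones get an error response while accepted ones reach the backend with exactly the canonical name/value.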
@krizhanovsky krizhanovsky added this to the 1.0 WebOS milestone Sep 17, 2017
@krizhanovsky krizhanovsky modified the milestones: backlog, 1.0 Web Operating System Jan 15, 2018
@krizhanovsky krizhanovsky modified the milestones: 0.5 alpha, 1.0 Tempesta OS Feb 5, 2018
@krizhanovsky krizhanovsky modified the milestones: 1.6 muti-pattern strings search, 1.1 QUIC Aug 8, 2018
@krizhanovsky krizhanovsky modified the milestones: 1.1 QUIC, 1.0 Beta Feb 2, 2019
@krizhanovsky krizhanovsky modified the milestones: 1.0 Beta, 1.1 Network performance & scalability, 1.1 TBD (Network performance & scalability), 1.1 TDB (ML, QUIC, DoH etc.) Feb 11, 2019
@krizhanovsky krizhanovsky modified the milestones: 0.9 - TDB, 1.2 TBD Jan 3, 2022
@krizhanovsky krizhanovsky modified the milestones: 1.1: TBD, 1.2 - TBD Jun 23, 2024
krizhanovsky (Contributor, Author) commented:

Depends on the WAF implementation https://github.com/tempesta-tech/enterprise/issues/26: there is no sense in running the scanners if we know that there are no implemented protections, like CSRF or CSP.
