您好,登錄后才能下訂單哦!
這篇文章主要講解了“怎么用Gotestwaf測(cè)試你的WAF檢測(cè)能力”,文中的講解內(nèi)容簡(jiǎn)單清晰,易于學(xué)習(xí)與理解,下面請(qǐng)大家跟著小編的思路慢慢深入,一起來(lái)研究和學(xué)習(xí)“怎么用Gotestwaf測(cè)試你的WAF檢測(cè)能力”吧!
Gotestwaf,全稱為Go Test WAF,該工具可以使用不同類型的攻擊技術(shù)和繞過(guò)技術(shù)來(lái)測(cè)試你Web應(yīng)用程序防火墻的檢測(cè)能力。Gotestwaf是一個(gè)基于Go開發(fā)的開源項(xiàng)目,它實(shí)現(xiàn)了一種三步請(qǐng)求生成過(guò)程,可以對(duì)編碼器和占位符的Payload進(jìn)行相乘操作。假設(shè)你定義了2個(gè)Payload、3個(gè)編碼器(Base64、JSON和URLencode)和1個(gè)占位符(HTTP GET變量)。在這種情況下,Gotestwaf將在測(cè)試用例中發(fā)送2*3*1=6個(gè)請(qǐng)求。
你可以發(fā)送的Payload字符串,支持比如說(shuō)<script>alert(111)</script>或其他更復(fù)雜的東西。當(dāng)前版本的Gotestwaf還不支持類似宏這樣的功能,但我們之后會(huì)添加相關(guān)支持。由于這是一個(gè)YAML字符串,因此你還可以使用二進(jìn)制編碼,具體請(qǐng)參考https://yaml.org/type/binary.html。
數(shù)據(jù)編碼器工具應(yīng)適用于Payload,支持Base64和JSON Unicode編碼(\u0027代替’)等。
占位符位于HTTP請(qǐng)求中,用于存放已編碼的Payload。比如說(shuō)URL參數(shù)、URI、POST表單參數(shù)或JSON POST主體。
最新版本的Gotestwaf可以通過(guò)DockerHub庫(kù)直接獲?。篽ttps://hub.docker.com/r/wallarm/gotestwaf。
我們可以直接使用下列命令將項(xiàng)目庫(kù)拉取到本地:
docker pull wallarm/gotestwaf
docker build . --force-rm -t gotestwaf docker run -v ${PWD}/reports:/go/src/gotestwaf/reports gotestwaf --url=https://the-waf-you-wanna-test/
運(yùn)行命令之后,你將會(huì)在reports文件夾下查看到waf-test-report-<date>.pdf報(bào)告文件,你也可以將其映射到容器中的/go/src/gotestwaf/reports處。
Gotestwaf支持在目前常見(jiàn)的操作系統(tǒng)平臺(tái)上運(yùn)行,包括Linux、Windows和macOS,我們可以直接在安裝了Go環(huán)境的系統(tǒng)上進(jìn)行源碼編譯和構(gòu)建:
go build -mod vendor
Usage of /go/src/gotestwaf/gotestwaf: --blockRegex string Regex to detect a blocking page with the same HTTP response status code as a not blocked request --blockStatusCode int HTTP status code that WAF uses while blocking requests (default 403) --configPath string Path to the config file (default "config.yaml") --followCookies If true, use cookies sent by the server. May work only with --maxIdleConns=1 --idleConnTimeout int The maximum amount of time a keep-alive connection will live (default 2) --maxIdleConns int The maximum number of keep-alive connections (default 2) --maxRedirects int The maximum number of handling redirects (default 50) --nonBlockedAsPassed If true, count requests that weren't blocked as passed. If false, requests that don't satisfy to PassStatuscode/PassRegExp as blocked --passRegex string Regex to a detect normal (not blocked) web page with the same HTTP status code as a blocked request --passStatusCode int HTTP response status code that WAF uses while passing requests (default 200) --proxy string Proxy URL to use --randomDelay int Random delay in ms in addition to the delay between requests (default 400) --reportPath string A directory to store reports (default "reports") --sendDelay int Delay in ms between requests (default 400) --testCase string If set then only this test case will be run --testCasesPath string Path to a folder with test cases (default "testcases") --testSet string If set then only this test set's cases will be run --tlsVerify If true, the received TLS certificate will be verified --url string URL to check (default "http://localhost/") --verbose If true, enable verbose logging (default true) --wafName string Name of the WAF product (default "generic") --workers int The number of workers to scan (default 200) --wsURL string WebSocket URL to check
首先,我們需要構(gòu)建&運(yùn)行ModSecurity CRS Docker鏡像。我們可以使用下列命令自動(dòng)拉取、構(gòu)建和運(yùn)行ModSecurity CRS Docker鏡像:
make modsec
或者,你也可以手動(dòng)配置參數(shù)并進(jìn)行測(cè)試:
docker pull owasp/modsecurity-crs docker run -p 8080:80 -d -e PARANOIA=1 --rm owasp/modsecurity-crs
你還可以選擇PARANOIA等級(jí)來(lái)提升測(cè)試的安全等級(jí),具體請(qǐng)參考https://coreruleset.org/faq/。
接下來(lái),我們需要使用下列命令來(lái)對(duì)ModSecurity CRS Docker鏡像的安全性進(jìn)行測(cè)試:
make scan_local (to run natively) make scan_local_from_docker (to run from docker)
或者,在Docker中手動(dòng)執(zhí)行:
docker run -v ${PWD}/reports:/go/src/gotestwaf/reports --network="host" gotestwaf --url=http://127.0.0.1:8080/ --verbose
或者,使用下列命令手動(dòng)運(yùn)行測(cè)試(本地):
go run ./cmd --url=http://127.0.0.1:8080/ --verbose
我們還可以通過(guò)wsURL和verbose參數(shù)來(lái)添加額外的WebSocket URL檢測(cè),其中會(huì)包含目標(biāo)進(jìn)程的詳細(xì)信息:
docker run -v ${PWD}/reports:/go/src/gotestwaf/reports gotestwaf --url=http://172.17.0.1:8080/ --wsURL=ws://172.17.0.1:8080/api/ws --verbose
Gotestwaf的檢測(cè)結(jié)果輸出如下:
GOTESTWAF : 2021/03/03 15:15:48.072331 main.go:61: Test cases loading started GOTESTWAF : 2021/03/03 15:15:48.077093 main.go:68: Test cases loading finished GOTESTWAF : 2021/03/03 15:15:48.077123 main.go:74: Scanned URL: http://127.0.0.1:8080/ GOTESTWAF : 2021/03/03 15:15:48.083134 main.go:85: WAF pre-check: OK. Blocking status code: 403 GOTESTWAF : 2021/03/03 15:15:48.083179 main.go:97: WebSocket pre-check. URL to check: ws://127.0.0.1:8080/ GOTESTWAF : 2021/03/03 15:15:48.251824 main.go:101: WebSocket pre-check: connection is not available, reason: websocket: bad handshake GOTESTWAF : 2021/03/03 15:15:48.252047 main.go:129: Scanning http://127.0.0.1:8080/ GOTESTWAF : 2021/03/03 15:15:48.252076 scanner.go:124: Scanning started GOTESTWAF : 2021/03/03 15:15:51.210216 scanner.go:129: Scanning Time: 2.958076338s GOTESTWAF : 2021/03/03 15:15:51.210235 scanner.go:160: Scanning finished Negative Tests: +-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+ | TEST SET | TEST CASE | PERCENTAGE, % | BLOCKED | BYPASSED | UNRESOLVED | +-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+ | community | community-lfi | 66.67 | 4 | 2 | 0 | | community | community-rce | 14.29 | 6 | 36 | 0 | | community | community-sqli | 70.83 | 34 | 14 | 0 | | community | community-xss | 91.78 | 279 | 25 | 0 | | community | community-xxe | 100.00 | 4 | 0 | 0 | | owasp | ldap-injection | 0.00 | 0 | 8 | 0 | | owasp | mail-injection | 0.00 | 0 | 6 | 6 | | owasp | nosql-injection | 0.00 | 0 | 12 | 6 | | owasp | path-traversal | 38.89 | 7 | 11 | 6 | | owasp | shell-injection | 37.50 | 3 | 5 | 0 | | owasp | sql-injection | 33.33 | 8 | 16 | 8 | | owasp | ss-include | 50.00 | 5 | 5 | 10 | | owasp | sst-injection | 45.45 | 5 | 6 | 9 | | owasp | xml-injection | 100.00 | 12 | 0 | 0 | | owasp | xss-scripting | 56.25 | 9 | 7 | 12 | | owasp-api | graphql | 100.00 | 1 | 0 | 0 | | owasp-api | rest | 100.00 | 2 | 0 | 0 | | owasp-api | soap | 100.00 | 2 | 0 | 0 | +-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+ | DATE: | WAF NAME: | WAF AVERAGE SCORE: | BLOCKED (RESOLVED): | BYPASSED (RESOLVED): | UNRESOLVED: | | 2021-03-03 | GENERIC | 55.83% | 381/534 (71.35%) | 153/534 (28.65%) | 57/591 (9.64%) | +-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+ Positive Tests: +-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+ | TEST SET | TEST CASE | PERCENTAGE, % | BLOCKED | BYPASSED | UNRESOLVED | +-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+ | false-pos | texts | 50.00 | 1 | 1 | 6 | +-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+ | DATE: | WAF NAME: | WAF POSITIVE SCORE: | FALSE POSITIVE (RES): | TRUE POSITIVE (RES): | UNRESOLVED: | | 2021-03-03 | GENERIC | 50.00% | 1/2 (50.00%) | 1/2 (50.00%) | 6/8 (75.00%) | +-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+ PDF report is ready: reports/waf-evaluation-report-generic-2021-March-03-15-15-51.pdf
Gotestwaf:https://github.com/wallarm/gotestwaf
感謝各位的閱讀,以上就是“怎么用Gotestwaf測(cè)試你的WAF檢測(cè)能力”的內(nèi)容了,經(jīng)過(guò)本文的學(xué)習(xí)后,相信大家對(duì)怎么用Gotestwaf測(cè)試你的WAF檢測(cè)能力這一問(wèn)題有了更深刻的體會(huì),具體使用情況還需要大家實(shí)踐驗(yàn)證。這里是億速云,小編將為大家推送更多相關(guān)知識(shí)點(diǎn)的文章,歡迎關(guān)注!
免責(zé)聲明:本站發(fā)布的內(nèi)容(圖片、視頻和文字)以原創(chuàng)、轉(zhuǎn)載和分享為主,文章觀點(diǎn)不代表本網(wǎng)站立場(chǎng),如果涉及侵權(quán)請(qǐng)聯(lián)系站長(zhǎng)郵箱:is@yisu.com進(jìn)行舉報(bào),并提供相關(guān)證據(jù),一經(jīng)查實(shí),將立刻刪除涉嫌侵權(quán)內(nèi)容。