FTW - Framework for Testing WAFs


This project was created by researchers from ModSecurity and Fastly to help provide rigorous tests for WAF rules. It uses the OWASP Core Rule Set v3 as a baseline to test rules on a WAF. Each rule from the ruleset is loaded into a YAML file that issues HTTP requests designed to trigger that rule. Users can verify the execution of the rule after the tests are issued, to make sure the expected response to an attack is received.

Goals / Use cases include:
  • Find regressions in WAF deployments by using continuous integration and issuing repeatable attacks against a WAF
  • Provide a testing framework for new rules submitted to ModSecurity: if a rule is submitted, it MUST have corresponding positive and negative tests
  • Evaluate WAFs against a common, agreed-upon baseline ruleset (OWASP)
  • Test and verify custom rules for WAFs that are not part of the core rule set
For our 1.0 release announcement, check out the OWASP CRS Blog

Installation
  • git clone https://github.com/CRS-support/ftw.git
  • cd ftw
  • virtualenv env && source ./env/bin/activate
  • pip install -r requirements.txt
  • py.test -s -v test/test_default.py --ruledir=test/yaml

Writing your first tests
The heart of FTW is its extensible YAML-based tests. This section lists a few resources on how they are formatted, how to write them and how you can use them.
OWASP CRS wrote a great blog post describing how FTW tests are written and executed.
YAMLFormat.md is the ground truth for all YAML fields that are currently understood by FTW.
After reading these two resources, you should be able to get started writing tests. You will most likely be checking against status code responses, or web request responses using the log_contains directive. For integrating FTW to test regexes within your WAF logs, refer to ExtendingFTW.md
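The following is an added example of such a test file (it is not from the FTW project or the CRS test suite) that gives one hypothetical rule the positive and negative case the goals above call for. The rule id, file name, author, target address and the assumption that the WAF blocks matching requests with a 403 are all placeholders or assumptions; the field names are FTW's own.

```yaml
---
meta:
  author: "example-author"            # constructed metadata, not a CRS file
  enabled: true
  name: "example_xss_rule.yaml"
  description: "Positive and negative test for one hypothetical XSS rule"
tests:
  # Positive test: the request carries a probe the rule is expected to match.
  - test_title: example-xss-1
    desc: "Reflected-XSS probe in a query parameter must be blocked and logged"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"    # assumed: WAF listening locally (e.g. the waf_testbed VM)
            port: 80
            method: "GET"
            uri: "/index.php?q=%3Cscript%3Ealert(1)%3C/script%3E"
            headers:
              Host: "localhost"
              User-Agent: "ftw-example-test"
          output:
            status: 403               # assumed: WAF runs in blocking mode
            log_contains: 'id "RULE_ID_PLACEHOLDER"'   # replace with the rule's real id
  # Negative test: an ordinary request must pass and must not appear in the log.
  - test_title: example-xss-2
    desc: "Ordinary search term must not trigger the rule"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            method: "GET"
            uri: "/index.php?q=hello+world"
            headers:
              Host: "localhost"
              User-Agent: "ftw-example-test"
          output:
            status: 200
            no_log_contains: 'id "RULE_ID_PLACEHOLDER"'
```

Drop the file into a directory and point the installation command's --ruledir at it; the log_contains and no_log_contains checks only work once FTW has been told how to read your WAF's log, as described in ExtendingFTW.md.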

Provisioning Apache+ModSecurity+OWASP CRS
If you need an environment for testing WAF rules, one has been created with Apache, ModSecurity and version 3.0.0 of the OWASP Core Rule Set. It can be deployed by:
  • Checking out the repository: git clone https://github.com/fastly/waf_testbed.git
  • Typing vagrant up