1. About GoTestWAF
GoTestWAF (Go Test WAF) is a tool for API and OWASP attack simulation. It can be used for detection-rate tests (negative tests) and false-positive-rate tests (positive tests), and supports a wide range of API protocols, including REST, GraphQL, gRPC, WebSockets, SOAP, XMLRPC and others.
It is used to evaluate web application security solutions such as API security proxies, web application firewalls, IPS, API gateways and so on.
Project address: https://github.com/wallarm/gotestwaf
2. Configuration files
GoTestWAF generates malicious requests by placing encoded payloads in different parts of the HTTP request: the body, headers, URL parameters and so on. The generated requests are sent to the device under test.
The default configuration files are the YAML files in the testcases folder.

Example YAML file:
payload:
- "<body onload=alert('test1')>"
- "<b onmouseover=alert('Wufff!')>click me!</b>"
encoder:
- Base64Flat
- URL
placeholder:
- URLPath
- URLParam
- HTMLForm
- HTMLMultipartForm
type: "XSS"
...
payload: the malicious samples used for the attack
encoder: how the attack samples are encoded
Supported encoders:
Base64
Base64Flat (Base64 without the "=" padding)
JSUnicode
URL
Plain (keeps the attack sample unchanged)
XML Entity
gRPC
placeholder: the position in the request where the sample is placed
Header
RequestBody
JSONRequest
JSONBody
HTMLForm
HTMLMultipartForm
SOAPBody
XMLBody (only sets Content-Type: text/xml; the request body is not formatted as XML, so the XML attack sample must be defined in payload and the Plain encoder used)
URLParam
URLPath
Request generation is a three-step process: the number of payloads is multiplied by the number of encoders and the number of placeholders. Suppose 2 payloads, 3 encoders (Base64, JSUnicode and URL) and 1 placeholder (URLParameter, an HTTP GET parameter) are defined. In that case GoTestWAF will send 2x3x1 = 6 requests for the test case.
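As an added illustration (not part of the original post and not GoTestWAF's own code), the Python script below expands a test case like the YAML above into the payload x encoder x placeholder request matrix, implementing the Base64, Base64Flat, JSUnicode, URL and Plain encoders and four placeholders; it only builds and prints the requests, which is useful for reviewing what your WAF is expected to block before a run. The base URL, the parameter name "test" and the header name "X-Test" are assumptions.

```python
import base64
import itertools
from urllib.parse import quote

# Constructed test case mirroring the YAML example above (three of its four placeholders).
TEST_CASE = {
    "payload": ["<body onload=alert('test1')>",
                "<b onmouseover=alert('Wufff!')>click me!</b>"],
    "encoder": ["Base64Flat", "URL"],
    "placeholder": ["URLPath", "URLParam", "HTMLForm"],
    "type": "XSS",
}

def encode(name, payload):
    """Apply one encoder; Base64Flat is Base64 without the '=' padding."""
    if name == "Plain":
        return payload
    if name == "Base64":
        return base64.b64encode(payload.encode()).decode()
    if name == "Base64Flat":
        return base64.b64encode(payload.encode()).decode().rstrip("=")
    if name == "JSUnicode":
        return "".join(f"\\u{ord(c):04x}" for c in payload)
    if name == "URL":
        return quote(payload, safe="")
    raise ValueError(f"unsupported encoder: {name}")

def place(name, encoded, base_url="http://waf.example.test/"):
    """Return (method, url, headers, body) with the encoded sample in the chosen position.
    The base URL, parameter name and header name are assumptions of this example."""
    if name == "URLPath":
        return "GET", base_url + encoded, {}, ""
    if name == "URLParam":
        return "GET", base_url + "?test=" + encoded, {}, ""
    if name == "Header":
        return "GET", base_url, {"X-Test": encoded}, ""
    if name == "HTMLForm":
        return ("POST", base_url,
                {"Content-Type": "application/x-www-form-urlencoded"}, "test=" + encoded)
    raise ValueError(f"unsupported placeholder: {name}")

def expand(case):
    """One request per payload x encoder x placeholder, the 2x3x1 = 6 rule described above."""
    return [(p, e, ph, place(ph, encode(e, p)))
            for p, e, ph in itertools.product(case["payload"], case["encoder"], case["placeholder"])]

if __name__ == "__main__":
    for payload, enc, ph, (method, url, headers, body) in expand(TEST_CASE):
        print(f"{enc:>10} in {ph:<9} {method} {url} {headers} {body!r}")
```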
3. Running
System requirements:
GoTestWAF supports all popular operating systems (Linux, Windows, macOS). If Go is installed on the system, local development is possible.
If you run the tool as a Docker container, make sure Docker is installed and configured, and that GoTestWAF and the evaluated application security solution are connected to the same Docker network.
For GoTestWAF to start successfully, make sure the IP address of the machine running GoTestWAF is whitelisted on the machine running the application security solution.
Running via Docker
The project's image can be pulled to the local machine directly with the following command:
docker pull wallarm/gotestwaf
Local Docker build
docker build . --force-rm -t gotestwaf
docker run -v ${PWD}/reports:/app/reports --network="host" gotestwaf --url=<EVALUATED_SECURITY_SOLUTION_URL>
After the command runs, you will find the report file waf-test-report-.pdf in the reports folder. You can replace ${PWD}/reports with the path of another folder in which to store the evaluation report.
Running with a Go environment
Install Go
Download the package for your system from https://golang.google.cn/dl/
Download the gotestwaf project
git clone https://github.com/wallarm/gotestwaf.git
cd gotestwaf
go run ./cmd --url=<EVALUATED_SECURITY_SOLUTION_URL> --verbose
4. Configuration options
--addHeader string  An HTTP header to add to requests
--blockConnReset  If true, connection resets will be considered as block (some protective devices block an attack by resetting the connection; use this option for them)
--blockRegex string  Regex to detect a blocking page with the same HTTP response status code as a not blocked request (decides whether a request was blocked by matching the regex against the returned content)
--blockStatusCode int  HTTP status code that WAF uses while blocking requests (default 403) (decides whether a request was blocked by the returned status code)
--configPath string  Path to the config file (default "config.yaml")
--followCookies  If true, use cookies sent by the server. May work only with --maxIdleConns=1
--idleConnTimeout int  The maximum amount of time a keep-alive connection will live (default 2)
--ignoreUnresolved  If true, unresolved test cases will be considered as bypassed (affects score and results)
--maxIdleConns int  The maximum number of keep-alive connections (default 2)
--maxRedirects int  The maximum number of handling redirects (default 50)
--nonBlockedAsPassed  If true, count requests that weren't blocked as passed. If false, requests that don't satisfy PassStatuscode/PassRegExp are counted as blocked
--passRegex string  Regex to detect a normal (not blocked) web page with the same HTTP status code as a blocked request
--passStatusCode int  HTTP response status code that WAF uses while passing requests (default 200)
--proxy string  Proxy URL to use
--randomDelay int  Random delay in ms in addition to the delay between requests (default 400)
--renderToHTML  Save report as HTML page instead of PDF
--reportPath string  A directory to store reports (default "reports")
--sendDelay int  Delay in ms between requests (default 400)
--skipWAFBlockCheck  If true, WAF detection tests will be skipped
--testCase string  If set then only this test case will be run (run a single test-case YAML file)
--testCasesPath string  Path to a folder with test cases (default "testcases") (folder of test-case YAML files to run)
--testSet string  If set then only this test set's cases will be run
--tlsVerify  If true, the received TLS certificate will be verified
--url string  URL to check
--verbose  If true, enable verbose logging (shows the detailed run; some error messages are only visible with this switch)
--version  Show GoTestWAF version and exit
--wafName string  Name of the WAF product (default "generic")
--workers int  The number of workers to scan (default 5)
--wsURL string  WebSocket URL to check
5. Viewing the report

The report file waf-evaluation-report-.pdf is located in the reports folder under the user's directory.

6. Common problems
1. main error: WAF was not detected. Please use the '--blockStatusCode' or '--blockRegex' flags. Use '--help' for additional info.
Before the test, gotestwaf sends a malicious sample that contains both SQL injection and XSS. If this sample is not blocked, or the returned status code is not the default 403, this error appears. You can define the status code according to the device under test; if the device drops the connection with a reset, add the corresponding flag.
You can also skip this check with --skipWAFBlockCheck.
Please credit the source when reposting. Original link: https://www.uj5u.com/qita/401613.html
