[Owasp_bywaf_project] Questions on ByWaf

Nibbler nib nbblrr at gmail.com
Wed Nov 27 14:56:54 UTC 2013


Hi,

I've heard about ByWaf through the OWASP mailing list and I would have a few
comments/questions.
Basically, I don't see the objective of the tool. All the presentations are
focused on the interface and on the plugins, but that is only secondary for a
security tool; we first need a useful tool with the features needed to
test/bypass a WAF.
To my knowledge, only plugins can be used in ByWaf and, even if it's useful
to implement new functions, it would be really interesting to have
default/basic features for WAF testing.

Among those features, I identify the following:
- launch a web request easily (define the target and options for the
request, modify only the requested URL and launch)
- define when the WAF blocks the request, to reduce the printed request answer
(instead of the content, just BLOCKED / PASSED)
- test for basic WAF rules (SQL keywords) or more advanced ones (see the research
there: https://github.com/ironbee/waf-research )
- include specific scripts for tampering with the request and bypassing the WAF
(similar to sqlmap tamper scripts). Perhaps it can be done through plugins with
specific options
- consider bypassing the WAF for different attacks (XSS, SQLi...) and adapt
the tests depending on this

Have I missed something in my quick test? What do you think?
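As an added example (not ByWaf code and not the poster's own), one way the BLOCKED / PASSED reduction asked for in the second item could be defined: the tester declares block rules over status code, body text and response headers, and every response collapses to a one-word verdict. The sample responses, the block-page text and the "X-Protected-By" header are constructed for the demo; nothing is sent over the network.

```python
import re
from dataclasses import dataclass, field

# Constructed sample responses (no network traffic): what a WAF-protected site
# might return for a probe, as (status, headers, body). Values are made up.
SAMPLE_RESPONSES = {
    "plain request": (200, {"Server": "nginx"}, "<html>Welcome</html>"),
    "sql keyword probe": (403, {"Server": "nginx"}, "<h1>Request blocked by policy</h1>"),
    "xss probe": (200, {"X-Protected-By": "demo-waf"}, "Request ID blocked-9f3c"),
    "rate-limited probe": (429, {}, "slow down"),
}

@dataclass
class BlockRule:
    """One user-defined way to recognise that the WAF rejected the request."""
    name: str
    status_codes: set = field(default_factory=set)  # e.g. {403, 406}
    body_pattern: str = ""                           # regex searched in the body
    header_name: str = ""                            # header whose presence means BLOCKED

    def matches(self, status, headers, body):
        if status in self.status_codes:
            return True
        if self.body_pattern and re.search(self.body_pattern, body, re.I):
            return True
        if self.header_name and self.header_name.lower() in {h.lower() for h in headers}:
            return True
        return False

def classify(status, headers, body, rules):
    """Collapse a full response into BLOCKED or PASSED so the tester reads
    only the verdict, not the page content."""
    for rule in rules:
        if rule.matches(status, headers, body):
            return "BLOCKED"
    return "PASSED"

def run_checks(responses, rules):
    """Return {probe name: verdict} for a batch of captured responses."""
    return {name: classify(*resp, rules) for name, resp in responses.items()}

# Hypothetical default rule set; a real deployment needs its own block-page markers.
DEFAULT_RULES = [
    BlockRule("forbidden status", status_codes={403, 406}),
    BlockRule("block page text", body_pattern=r"blocked by policy"),
    BlockRule("waf header", header_name="X-Protected-By"),
]

if __name__ == "__main__":
    for name, verdict in run_checks(SAMPLE_RESPONSES, DEFAULT_RULES).items():
        print(f"{verdict:8} {name}")
```

Note that the 429 response is reported as PASSED by the default rules: a rate limit is not a WAF block, and conflating the two would make coverage results misleading unless the tester adds an explicit rule for it.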