Goals / Use cases include:
- Find regressions in WAF deployments by using continuous integration and issuing repeatable attacks to a WAF
- Provide a testing framework for new rules in ModSecurity; if a rule is submitted it MUST have corresponding positive & negative tests
- Evaluate WAFs against a common, agreeable baseline ruleset (OWASP)
- Test and verify custom rules for WAFs that aren't part of the core rule set
Installation
git clone https://github.com/CRS-support/ftw.git
cd ftw
virtualenv env && source ./env/bin/activate
pip install -r requirements.txt
py.test -s -v test/test_default.py --ruledir=test/yaml
Writing your first tests
The core of FTW is its extensible YAML-based tests. This section lists a few resources on how they're formatted, how to write them and how you can use them.
OWASP CRS wrote a great blog post describing how FTW tests are written and executed.
YAMLFormat.md is the ground truth for all YAML fields that are currently understood by FTW.
After reading these two resources, you should be able to get started writing tests. You will most likely be checking against status code responses, or web request responses using the log_contains directive. For integrating FTW to test regexes within your WAF logs, refer to ExtendingFTW.md
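As an added example (not a file from the FTW repository or the original page), a minimal FTW YAML test file with the positive and negative test pair the goals above require: one request that must trigger the rule and show its id in the WAF log, and one benign request that must pass. The rule id 999999, the target 127.0.0.1:80 and the assumption that the WAF runs in blocking mode and answers 403 are all constructed for this example.

```yaml
---
meta:
  author: "example"
  enabled: true
  name: "999999.yaml"                 # placeholder rule id, not a real CRS rule
  description: "Positive and negative tests for hypothetical custom rule 999999"
tests:
  # Positive test: a traversal fragment in the query string should trigger the
  # rule, so the audit log must contain its id and the WAF should block.
  - test_title: "999999-1"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"       # assumed WAF address
            port: 80
            method: "GET"
            uri: "/index.php?file=../../etc/passwd"
            headers:
              Host: "localhost"
              User-Agent: "FTW example test"
          output:
            status: [403]                # assumes blocking mode
            log_contains: 'id "999999"'
  # Negative test: a benign request must not trigger the rule, and the
  # origin should answer normally; no_log_contains guards against false positives.
  - test_title: "999999-2"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            method: "GET"
            uri: "/index.php?file=about"
            headers:
              Host: "localhost"
              User-Agent: "FTW example test"
          output:
            status: [200]
            no_log_contains: 'id "999999"'
```

Place the file in a directory and point the py.test command from the Installation section at it with --ruledir; FTW runs every test in that directory and reports each stage's pass or fail.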
Provisioning Apache+Modsecurity+OWASP CRS
If you require an environment for testing WAF rules, there is one created with Apache, ModSecurity and version 3.0.0 of the OWASP core ruleset. This can be deployed by:
- Checking out the repository:
git clone https://github.com/fastly/waf_testbed.git
- Typing
vagrant up