FTW – Framework For Testing WAFs

This project was created by researchers from ModSecurity and Fastly to help provide rigorous tests for WAF rules. It uses the OWASP Core Ruleset V3 as a baseline to test rules on a WAF. Each rule from the ruleset is loaded into a YAML file that issues HTTP requests designed to trigger that rule. After the tests are issued, users can verify the execution of the rule and confirm that the expected response to the attack was received.

Goals / Use cases include:

Installation

  • git clone https://github.com/CRS-support/ftw.git
  • cd ftw
  • virtualenv env && source ./env/bin/activate
  • pip install -r requirements.txt
  • py.test -s -v test/test_default.py --ruledir=test/yaml

Writing your first tests
The core of FTW is its extensible YAML-based tests. This section lists a few resources on how they are formatted, how to write them and how you can use them.
OWASP CRS wrote a great blog post describing how FTW tests are written and executed.
YAMLFormat.md is the ground truth for all YAML fields currently understood by FTW.
After reading these two resources, you should be able to get started writing tests. You will most likely be checking against status code responses, or against web request responses using the log_contains directive. For integrating FTW to check regexes within your WAF logs, refer to ExtendingFTW.md.
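As an added example (not a file from the FTW or CRS repositories), here is a constructed test file in the layout YAMLFormat.md describes: one stage that must be blocked and logged, and one that must pass untouched. The rule id 900001 and the X-Ftw-Trigger header are placeholders for a hypothetical rule under test; the address, port and Host value are assumed.

```yaml
---
# Constructed FTW test file (not part of the project). Field names follow
# YAMLFormat.md; rule id 900001 and the trigger header are placeholders.
meta:
  author: "example"
  enabled: true
  name: "900001.yaml"
  description: "Hypothetical rule 900001 blocks requests carrying X-Ftw-Trigger"
tests:
  - test_title: 900001-1
    desc: "Positive test: the marker header must be blocked and the rule logged"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            method: "GET"
            uri: "/"
            version: "HTTP/1.1"
            headers:
              Host: "localhost"
              User-Agent: "FTW example"
              X-Ftw-Trigger: "block-me"
          output:
            # WAF should deny the request and the audit log should name the rule
            status: [403]
            log_contains: 'id "900001"'
  - test_title: 900001-2
    desc: "Negative test: an ordinary request must pass and not match the rule"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            port: 80
            method: "GET"
            uri: "/"
            version: "HTTP/1.1"
            headers:
              Host: "localhost"
              User-Agent: "FTW example"
          output:
            # a false positive here would show up as a failing test
            status: [200]
            no_log_contains: 'id "900001"'
```

The status checks work against any HTTP endpoint, but log_contains and no_log_contains only pass when FTW can read the WAF's log, which is what ExtendingFTW.md covers.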

Provisioning Apache+ModSecurity+OWASP CRS
If you require an environment for testing WAF rules, one has been created with Apache, ModSecurity and version 3.0.0 of the OWASP core ruleset. It can be deployed by:

  • Checking out the repository: git clone https://github.com/fastly/waf_testbed.git
  • Typing vagrant up
