
WAF Evasion Plugin #44

Closed
msidagni opened this Issue · 17 comments

3 participants

msidagni Tasos Laskos Victor Pereira
msidagni

Create an Arachni WAF evasion plugin now that you already have a WAF fingerprinting plugin. It should focus on the most common WAFs: ModSecurity, F5, Imperva, etc.

Tasos Laskos Zapotek was assigned
Tasos Laskos
Owner

Same thing as for Issue #46, it would be cool but Arachni is a web app scanner not a WAF scanner.

So, I'm leaving this open indefinitely.

msidagni
Tasos Laskos
Owner

I disagree.
Any scan results that have been obtained while the webapp sits behind a WAF will be inaccurate, at best, which conflicts with the aim of the project.

If anyone wants to contribute such a feature-set it will be more than welcomed, in the meantime my focus stays put.

Victor Pereira

maybe we could do some URL obfuscation modules, like double encoding, etc.

Tasos Laskos
Owner

I could add the necessary hooks to the HTTP interface to make it easier for anyone who wants to implement something like that but I'm afraid that I'll have to stand by my last reply.
Obviously, anyone who wants to develop that sort of plug-in will have my full support, but I can't spend time developing it myself.

I'll update this issue when I add the hook and a demo plug-in to show how it could work.

Victor Pereira

I can do it, since I already wrote a URL obfuscation tool in Ruby to help with some WAF evaluation. Should I do a pull request for this new plugin?

Tasos Laskos
Owner

Sure, I'll be pushing the stuff I mentioned in a while to give you an idea of how to intercept framework requests.

Victor Pereira

OK, it is enough to implement some evasive techniques. Maybe we can talk about how to present the configuration options on the web/CLI interface (like which kind of evasive technique the user wants to use), or should it be a boolean and, for every single request when it's enabled, we just try all the evasive options that we implement?

Tasos Laskos
Owner

The Options have been lifted from Metasploit so if you've worked with it they should be familiar.
See for example: https://github.com/Zapotek/arachni/blob/experimental/plugins/vector_feed.rb#L217
These are the available options: https://github.com/Zapotek/arachni/blob/experimental/lib/arachni/component_options.rb

Tasos Laskos
Owner

Also, you can add obf sub-components for your plug-in, i.e. make your plug-in modular.
If that interests you I can write up a demo for that as well, it's really simple.

Victor Pereira

OK. I will first get it done, then we talk about it again.

Tasos Laskos
Owner

I'm guessing that the origin of the HTTP request would also be helpful to you (i.e. which component queued it) so if/when you need it let me know, it shouldn't be hard to implement.

Victor Pereira

Yup. Your demo plugin is enough. I just have to clean up a backlog first (day job).

Victor Pereira

Hi, I did implement three obfuscation methods, two URL encoding and one about the HTTP pipeline. The main question is: what do we want to test? How I do it today: I get a WAF, I configure a rule that I know will be blocked, and then I obfuscate it and try to evade the WAF. The point is, how should we do it here? See if we get different responses for obfuscated GETs and for normal GETs? Any idea?

Tasos Laskos
Owner

Add your spec in:


Add your test server (which I'm guessing would have to emulate the WAF rules you're trying to evade) in:
```spec/servers/arachni/plugins/<name>.rb```

These folders don't exist atm because I haven't yet made it to the plugin specs.
Look around in the specs a bit to see how spec/server relationships work, it should be easy to grasp.

Let me know if you need any help.
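The testing question raised above (do obfuscated and plain GETs get different responses?) and the suggested test server that emulates WAF rules can be answered with a small differential check. The following is an added example, not Arachni code and not anything posted in this thread; it assumes a constructed rule (`WafRule`), a constructed signature pattern and a constructed parameter value, and emulates the server's verdict as a status code so a spec can assert on it. It shows the defensive point behind the double-encoding method mentioned earlier: a rule that matches only the raw value gives inconsistent verdicts across encodings, while a rule that canonicalizes the value before matching does not.

```ruby
require 'cgi'
require 'uri'

# Constructed WAF rule emulation for a spec server; not the project's own code.
# `canonicalize` toggles whether the rule decodes the value before matching.
WafRule = Struct.new(:name, :pattern, :canonicalize)

# Percent-decode repeatedly (bounded) until the value stops changing, so that
# %27 and %2527 both reach the same canonical form before the rule sees them.
# CGI.unescape leaves malformed sequences untouched, so bad input cannot raise here.
def canonicalize(value, max_rounds: 3)
  current = value.to_s
  max_rounds.times do
    decoded = CGI.unescape(current)
    break if decoded == current
    current = decoded
  end
  current
end

# The rule's verdict on one raw parameter value.
def blocked?(rule, raw_value)
  subject = rule.canonicalize ? canonicalize(raw_value) : raw_value
  rule.pattern.match?(subject)
end

# Emulated server behaviour: 403 when the rule fires, 200 otherwise.
def emulated_response(rule, raw_value)
  blocked?(rule, raw_value) ? 403 : 200
end

# The encoded forms of a value that a scanner might send for the same request.
def encoded_variants(value)
  once = URI.encode_www_form_component(value)
  { plain: value, single: once, double: URI.encode_www_form_component(once) }
end

# Names of the variants whose verdict differs from the plain value's verdict.
# An empty array means the rule is consistent across encodings.
def inconsistent_variants(rule, value)
  baseline = emulated_response(rule, value)
  encoded_variants(value).select { |_, v| emulated_response(rule, v) != baseline }.keys
end

if __FILE__ == $PROGRAM_NAME
  # Constructed signature: a quote followed by "or", a classic injection marker.
  signature = /['"]\s*or\s+/i
  naive  = WafRule.new('raw-match', signature, false)
  strict = WafRule.new('canonical-match', signature, true)
  sample = "' or 1=1" # constructed value that the signature is meant to block

  puts "#{naive.name}:  inconsistent for #{inconsistent_variants(naive, sample).inspect}"
  puts "#{strict.name}: inconsistent for #{inconsistent_variants(strict, sample).inspect}"
end
```

In a spec this shape lets the test server be the oracle: the spec sends the plain and encoded forms of one value and asserts that the verdicts agree, which is exactly the property a WAF rule should have and the one the plain/obfuscated comparison proposed above is measuring.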

Victor Pereira

ok

Tasos Laskos
Owner

Since I'm not particularly fond of this feature and no contribution was made by a 3rd party, closing this for good.

Tasos Laskos Zapotek closed this