Create an Arachni WAF evasion plugin now that you already have a WAF fingerprinting plugin. It should focus on the most common WAFs: ModSecurity, F5, Imperva, etc.
Same thing as for Issue #46, it would be cool but Arachni is a web app scanner not a WAF scanner.
So, I'm leaving this open indefinitely.
Any scan results that have been obtained while the webapp sits behind a WAF will be inaccurate, at best, which conflicts with the aim of the project.
If anyone wants to contribute such a feature-set it will be more than welcomed, in the meantime my focus stays put.
Maybe we could do some URL obfuscation modules, like double encoding, etc.
I could add the necessary hooks to the HTTP interface to make it easier for anyone who wants to implement something like that but I'm afraid that I'll have to stand by my last reply.
Obviously, anyone who wants to develop that sort of plug-in will have my full support, but I can't spend time developing it myself.
I'll update this issue when I add the hook and a demo plug-in to show how it could work.
I can do it, since I already wrote a URL obfuscation tool in Ruby to help with some WAF evaluation. Should I do a pull request for this new plugin?
Sure, I'll be pushing the stuff I mentioned in a while to give you an idea of how to intercept framework requests.
demonstrates how to intercept HTTP requests and schedule a plugin to be run before all else [#44]
OK, it is enough to implement some evasive techniques. Maybe we can talk about how to present the configuration options on the web/CLI interface (like which kind of evasive technique the user wants to use), or should it be boolean and, for every single request when it's enabled, we just try all evasive options that we implement?
The options have been lifted from Metasploit, so if you've worked with it they should be familiar.
See for example: https://github.com/Zapotek/arachni/blob/experimental/plugins/vector_feed.rb#L217
These are the available options: https://github.com/Zapotek/arachni/blob/experimental/lib/arachni/component_options.rb
Also, you can add obf sub-components for your plug-in, i.e. make your plug-in modular.
If that interests you I can write up a demo for that as well, it's really simple.
OK. I will first get it done, then we talk about it again.
I'm guessing that the origin of the HTTP request would also be helpful to you (i.e. which component queued it) so if/when you need it let me know, it shouldn't be hard to implement.
Yup. Your demo plugin is enough. I just have to clean up a backlog before (day job).
Hi, I did implement three obfuscation methods, two URL encoding and one about HTTP pipelining. The main question is: what do we want to test? How I do it today: I get a WAF, I configure a rule that I know will be blocked, and then I obfuscate it and try to evade the WAF. The point is, how should we do it here? See if we've got different responses for obfuscated GETs and for normal GETs? Any idea?
Add your spec in:
Add your test server (which I'm guessing would have to emulate the WAF rules you're trying to evade) in:
These folders don't exist atm because I haven't yet made it to the plugin specs.
Look around in the specs a bit to see how spec/server relationships work, it should be easy to grasp.
Let me know if you need any help.
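A sketch of the rule-matching logic such a test server would emulate, added here as an example that is not part of Arachni or of the plugin under discussion. The patterns in `BLOCK_PATTERNS` are a constructed stand-in for a WAF rule; the point it shows is the comparison the thread proposes (plain GET vs obfuscated GET), and that an emulated rule which canonicalises the query before matching does not give a different answer for the two.

```ruby
require 'cgi'

# Constructed stand-in for the WAF rule a spec test server would emulate.
BLOCK_PATTERNS = [/<script/i, /union\s+select/i].freeze

# Naive rule engine: matches the query string exactly as received.
def blocked_raw?(query)
  BLOCK_PATTERNS.any? { |re| query =~ re }
end

# Percent-decode repeatedly (bounded) until the string stops changing,
# so a doubly encoded query is inspected in its decoded form.
def canonicalize(query, max_rounds = 3)
  max_rounds.times do
    decoded = CGI.unescape(query)
    break if decoded == query
    query = decoded
  end
  query
end

# Hardened rule engine: normalise first, then match the same patterns.
def blocked_canonical?(query)
  blocked_raw?(canonicalize(query))
end

# The obfuscation named in the thread: encode, then encode the '%' again.
def double_encode(str)
  CGI.escape(CGI.escape(str))
end

# The check the thread suggests: does the engine answer differently for the
# plain request and its obfuscated form? true means the rule was evaded.
def differing_responses?(payload, engine)
  send(engine, payload) != send(engine, double_encode(payload))
end
```

Run against the naive engine the two requests get different verdicts; against the canonicalising engine they do not, which is the property a test server for this plugin would assert on.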
Since I'm not particularly fond of this feature and no contribution was made by a 3rd party, closing this for good.