This is the simple vulnerable application for testing using sqlmap, XSStrike, testssl.sh for testing the Web server, TLS, WAF rules, protection and etc...
It's use aasaam web-server for edge waf/reverse/proxy/ssl off loader.
git clone --depth 1 https://github.com/aasaam/vulnerable-application
cd vulnerable-application
docker-compose up -d
# wait for all databases to be readyYou can see app run in browser
http://localhost:10800Normal applicationhttp://localhost:10801Behind aasaam web-server WAF activatedhttps://localhost:10802Behind aasaam web-server WAF and SSL/TLS activated
git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git tmp/sqlmap-dev
cd tmp/sqlmap-dev
# remove old tests result
rm ~/.local/share/sqlmap -rf
# no waf
python3 ./sqlmap.py -u 'http://localhost:10800/show.php?id=1&type=bXlzcWw=&title=DevOps+is+important'
rm ~/.local/share/sqlmap -rf
# with waf
python3 ./sqlmap.py -u 'http://localhost:10801/show.php?id=1&type=bXlzcWw=&title=DevOps+is+important'
rm ~/.local/share/sqlmap -rf
git clone --depth 1 https://github.com/s0md3v/XSStrike.git tmp/XSStrike
cd tmp/XSStrike
# no waf
python3 xsstrike.py --fuzzer --blind -u 'http://localhost:10800/show.php?id=1&type=bXlzcWw=&title=DevOps+is+important'
# with waf
python3 xsstrike.py --fuzzer --blind -u 'http://localhost:10801/show.php?id=1&type=bXlzcWw=&title=DevOps+is+important'git clone --depth 1 https://github.com/drwetter/testssl.sh tmp/testssl.sh
cp addon/ssl/ca.pem tmp/testssl.sh/ca.pem
cd tmp/testssl.sh
./testssl.sh --add-ca ca.pem 'https://localhost:10802'mkdir -p tmp/cassowary
cp addon/ssl/ca.pem tmp/cassowary/ca.pem
cd tmp/cassowary
wget -O cassowary.tgz https://github.com/rogerwelin/cassowary/releases/download/v0.11.0/cassowary_0.11.0_Linux_x86_64.tar.gz
tar -xf cassowary.tgz
./cassowary run --ca ca.pem -c 100 -n 10000 -u 'https://localhost:10802/benchmark/upstream'
./cassowary run --ca ca.pem -c 100 -n 10000 -u 'https://localhost:10802/benchmark/webserver'
aasaam software development group