February 21, 2013

Last week I attended an OWASP conference in Israel and participated in a panel about WAFEC. This panel is part of the ongoing effort to produce the second version of the WAF evaluation criteria standard. The panel gave me an opportunity to express my major concern about WAF evaluation today: the lack of measuring tools, and in particular the continuing disregard for measuring false positives.

I've already expressed these concerns at the last OWASP US conference, where I presented a tool that might help the community overcome these issues. The tool, called WAF Testing Framework (WTF), is easily configured with traffic samples that represent attacks (replayed in a stateful manner) and good traffic. It then sends that traffic to a bundled web application, assuming a WAF is deployed in between. The tool measures the WAF's response to each request and displays a chart that reports False Negatives as well as False Positives.
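As an added example (not the WTF tool's own code), here is a miniature version of that measurement loop in Python: a labelled corpus of constructed attack and benign requests is replayed against a stand-in WAF, and the verdicts are tallied as false negatives and false positives. The real tool speaks HTTP to a deployed WAF and its bundled application and replays stateful sequences; here `naive_waf` is a hypothetical pattern-matching stand-in and each sample is a single request.

```python
import re
from dataclasses import dataclass


@dataclass
class Sample:
    """One labelled traffic sample from the (constructed) test corpus."""
    name: str
    path: str
    params: dict
    is_attack: bool  # ground-truth label: should the WAF block this?


# Constructed corpus: two classic attack patterns plus benign requests that
# happen to contain characters a crude rule set tends to over-match.
CORPUS = [
    Sample("sqli-classic", "/login", {"user": "admin' OR '1'='1"}, True),
    Sample("xss-reflected", "/search", {"q": "<script>alert(1)</script>"}, True),
    Sample("benign-login", "/login", {"user": "alice"}, False),
    Sample("benign-quote", "/search", {"q": "O'Reilly's guide to SELECT"}, False),
    Sample("benign-html-doc", "/search", {"q": "how to escape <script> tags"}, False),
]


def naive_waf(sample):
    """Hypothetical stand-in for the WAF under test: True means 'blocked'.
    Deliberately crude so that false positives show up in the tally."""
    for value in sample.params.values():
        if re.search(r"'|<script", value, re.IGNORECASE):
            return True
    return False


def evaluate(corpus, waf):
    """Replay every sample through the WAF and build the confusion counts.
    FN rate = missed attacks / all attacks; FP rate = blocked good / all good."""
    tally = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for sample in corpus:
        blocked = waf(sample)
        if sample.is_attack:
            tally["tp" if blocked else "fn"] += 1
        else:
            tally["fp" if blocked else "tn"] += 1
    attacks = tally["tp"] + tally["fn"]
    good = tally["fp"] + tally["tn"]
    tally["fn_rate"] = tally["fn"] / attacks if attacks else 0.0
    tally["fp_rate"] = tally["fp"] / good if good else 0.0
    return tally


if __name__ == "__main__":
    print(evaluate(CORPUS, naive_waf))
```

On this corpus the stand-in catches both attacks (FN rate 0) but also blocks two of the three benign requests (FP rate 2/3), which is exactly the kind of result a detection-only benchmark would hide.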

We've decided to make this tool available to the community as open source. Initially it is available on our site Here. We will probably host it as an open source project on one of the standard repositories soon.
