ftw v1.3 releases: Framework for Testing WAFs

by do son · Published January 9, 2019 · Updated March 29, 2022

Framework for Testing WAFs (FTW)

Purpose

This project was created by researchers from ModSecurity and Fastly to help provide rigorous tests for WAF rules. It uses the OWASP Core Ruleset V3 as a baseline to test rules on a WAF. Each rule from the ruleset is loaded into a YAML file that issues HTTP requests that will trigger these rules. Users can verify the execution of the rule after the tests are issued to make sure the expected response is received from an attack.

Goals / Use cases include:

Find regressions in WAF deployments by using continuous integration and issuing repeatable attacks to a WAF
Provide a testing framework for new rules into ModSecurity, if a rule is submitted it MUST have corresponding positive & negative tests
Evaluate WAFs against a common, agreeable baseline ruleset (OWASP)
Test and verify custom rules for WAFs that are not part of the core rule set

This project, jointly developed by the OWASP Core Rule Set community along with security researchers from Fastly, was designed to extend far beyond regression testing for OWASP CRS. The following are just some of the design criteria for this project

Support the creation of HTTP requests both compliant with the HTTP specification and non-compliant with it
Be modular enough that any WAF could easily be tested
Be able to pass malicious requests that often violate HTTP spec
Be user-friendly and easy to write test cases
Provide a programmatic interface for more advanced test cases
Use an existing heavily used scripting language
Use existing libraries and code where possible
Serve as a regression testing framework for the OWASP CRS 3.0
Provide the capability to run tests against other WAFs to compare the effectiveness
Provide modular support for logging endpoints
Build a continuous integration platform to insert security and regression testing behind deploying a WAF

Changelog v1.3

This release works fully with Python 3.

Installation

git clone https://github.com/CRS-support/ftw.git

cd ftw

virtualenv env && source ./env/bin/activate

pip install -r requirements.txt

py.test -s -v test/test_default.py --ruledir=test/yaml

Provisioning Apache+Modsecurity+OWASP CRS

If you require an environment for testing WAF rules, there has been one created with Apache, Modsecurity and version 3.0.0 of the OWASP core ruleset. This can be deployed by:

Checking out the repository: git clone https://github.com/fastly/waf_testbed.git
Typing vagrant up