WAF-A-MoLE: guided mutation-based fuzzer for ML-based Web Application Firewalls


WAF-A-MoLE

A guided mutation-based fuzzer for ML-based Web Application Firewalls, inspired by AFL and based on the FuzzingBook by Andreas Zeller et al.

Given an input SQL injection query, it tries to produce a semantically equivalent query that is able to bypass the target WAF. You can use this tool to assess the robustness of your product by letting WAF-A-MoLE explore the solution space and find dangerous “blind spots” left uncovered by the target classifier.

Architecture


WAF-A-MoLE takes an initial payload and inserts it in the payload Pool, which manages a priority queue ordered by the WAF confidence score over each payload.

During each iteration, the head of the payload Pool is passed to the Fuzzer, where it is randomly mutated by applying one of the available mutation operators. The mutated payload is scored by the WAF and inserted back into the Pool, so that the least-confidently classified payloads are explored first.

Mutation operators

Mutation operators are all semantics-preserving: each one changes the textual form of the payload but not the query it expresses, leveraging the high expressive power of the SQL language (in this version, MySQL).

Below are the mutation operators available in the current version of WAF-A-MoLE.

| Mutation | Example |
| --- | --- |
| Case Swapping | `admin' OR 1=1#` ⇒ `admin' oR 1=1#` |
| Whitespace Substitution | `admin' OR 1=1#` ⇒ `admin'\t\rOR\n1=1#` |
| Comment Injection | `admin' OR 1=1#` ⇒ `admin'/**/OR 1=1#` |
| Comment Rewriting | `admin'/**/OR 1=1#` ⇒ `admin'/*xyz*/OR 1=1#abc` |
| Integer Encoding | `admin' OR 1=1#` ⇒ `admin' OR 0x1=(SELECT 1)#` |
| Operator Swapping | `admin' OR 1=1#` ⇒ `admin' OR 1 LIKE 1#` |
| Logical Invariant | `admin' OR 1=1#` ⇒ `admin' OR 1=1 AND 0<1#` |
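The following is an added, self-contained illustration of the architecture and of the first three operators in the table; it is not WAF-A-MoLE's own code. It constructs a toy keyword-matching "WAF" (`naive_score`) that stands in for an ML classifier, runs the priority-queue loop described above against it, and then runs the same loop against a version that canonicalizes the payload before scoring (`normalize` and `hardened_score`, both assumptions about what a defender could do, not part of the project). The point for someone evaluating their own WAF: the case, whitespace and comment operators only change surface form, so a classifier that sees a canonical form is immune to them, while the remaining operators (integer encoding, operator swapping, logical invariants) rewrite the SQL itself and cannot be undone by this simple normalizer.

```python
import heapq
import random
import re

SEED = "admin' OR 1=1#"  # constructed seed payload, taken from the table above


def naive_score(payload: str) -> float:
    """Constructed toy detector: case- and whitespace-sensitive substring matching.
    Returns a confidence in [0, 1] that the payload is an injection."""
    tokens = ("' OR", "OR 1=1", "1=1#")
    return sum(1 for t in tokens if t in payload) / len(tokens)


def normalize(payload: str) -> str:
    """Hypothetical canonicalization step: drop /* ... */ comments, collapse
    runs of whitespace to one space, and lowercase. Undoes case swapping,
    whitespace substitution and comment injection/rewriting."""
    p = re.sub(r"/\*.*?\*/", " ", payload, flags=re.S)
    p = re.sub(r"\s+", " ", p)
    return p.lower()


def hardened_score(payload: str) -> float:
    """Same toy detector, but applied to the canonical form."""
    tokens = ("' or", "or 1=1", "1=1#")
    canon = normalize(payload)
    return sum(1 for t in tokens if t in canon) / len(tokens)


# --- three of the semantics-preserving operators from the table ---------------

def case_swap(p: str, rng: random.Random) -> str:
    return "".join(c.swapcase() if c.isalpha() and rng.random() < 0.5 else c for c in p)


def whitespace_sub(p: str, rng: random.Random) -> str:
    return "".join(rng.choice(" \t\n\r") if c == " " else c for c in p)


def comment_inject(p: str, rng: random.Random) -> str:
    spaces = [i for i, c in enumerate(p) if c == " "]
    if not spaces:
        return p
    i = rng.choice(spaces)
    return p[:i] + "/**/" + p[i + 1:]


MUTATIONS = (case_swap, whitespace_sub, comment_inject)


def fuzz(seed: str, score, rounds: int = 200, threshold: float = 0.5, rng_seed: int = 1):
    """Guided loop in the style of the architecture section: the Pool is a
    min-heap keyed on the WAF confidence, so the head is always the payload the
    WAF is least sure about. Returns (payload, confidence, bypass_found)."""
    rng = random.Random(rng_seed)
    pool = [(score(seed), seed)]
    for _ in range(rounds):
        conf, payload = pool[0]          # head of the Pool
        if conf < threshold:             # classifier no longer flags it
            return payload, conf, True
        mutated = rng.choice(MUTATIONS)(payload, rng)
        heapq.heappush(pool, (score(mutated), mutated))
    conf, payload = pool[0]
    return payload, conf, False


if __name__ == "__main__":
    for name, scorer in (("naive", naive_score), ("normalized", hardened_score)):
        payload, conf, found = fuzz(SEED, scorer)
        print(f"{name:>10}: bypass={found} confidence={conf:.2f} payload={payload!r}")
```

Running the block shows the naive scorer dropping below the threshold after a handful of mutations while the normalized scorer stays at full confidence for the whole budget. Because every operator here is semantics-preserving, `normalize(payload)` of whatever the fuzzer finds is still exactly `admin' or 1=1#`, which is the property the table is describing.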

Install & Use

Copyright (c) 2019 Andrea Valenza, Luca Demetrio, Gabriele Costa, Giovanni Lagorio