F5 WAF Tester tool
I am trying to test my WAF policy with the F5 WAF tester tool, but I am getting 0 results. Has anyone used this tool? Do I need to add all these parameter values or can I leave them blank? What should be the value for the blocking regular expression pattern? I am looking to scan for all the vulnerabilities defined in my policy; please can I get some insight into it.
[BIG-IP] Host [1.1.1.1]: <<< The BIG-IP Mgmt IP address to be tested
[BIG-IP] Username [username]: <<< The BIG-IP Mgmt username to be tested
[BIG-IP] Password [********]: <<< The BIG-IP Mgmt password to be tested
ASM Policy Name [policy_name]: <<< The WAF policy name to be tested
Virtual Server URL [https://2.2.2.2]: <<< The protocol and virtual address that will be tested
Blocking Regular Expression Pattern [<br>Your support ID is: (?P<id>\d+)<br>]: <<< The blocking response page string to expect from ASM
Number OF Threads [25]: <<< The number of threads to open in parallel
[Filters] Test IDs to include (Separated by ',') []: <<< You can choose a specific test IDs that will be tested
[Filters] Test Systems to include (Separated by ',') [Unix/Linux,Node.js,MongoDb,Java Servlets/JSP]: <<< You can choose specific systems names that will be tested
[Filters] Test Attack Types to include (Separated by ',') []: <<< You can choose specific attack type names that will be tested
[Filters] Test IDs to exclude (Separated by ',') [,]: <<< You can choose specific test IDs that will not be tested (on top of the include list)
[Filters] Test Systems to exclude (Separated by ',') []: <<< You can choose specific system names that will not be tested (on top of the include list)
[Filters] Test Attack Types to exclude (Separated by ',') [],]: <<< You can choose specific attack type names that will not be tested (on top of the include list)
- Andrew-F5
Employee
"Do i need to add all these parameter value or can i leave it blank."
∟ You could leave them all blank, but then you will end up with a lot of failed tests due to the lack of IP and ports to check. The script requires the inputs so it knows where to send the tests to, either/or (a) management IP, (b) virtual server IP:port.
∟ Generally speaking you could leave the filters blank, it will just attempt all the test HTTP requests instead of a subset of them.
∟ I'd recommend filling out the first 6 parameters.
"what should be the value for blocking regular expression pattern"
∟ If you use the default ASM blocking page then this can be left default.
∟ If you use a custom ASM blocking page where you modified the line "Your support ID is", then you may need to change the regex to match against your custom page. The regex is checking for a support ID returned from ASM to determine if the testing attack failed (received an ASM blocking page) or succeeded (did not receive an ASM blocking page).
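The blocked/not-blocked decision described in this answer, as an added example that is not part of the f5-waf-tester project: a response body is matched against the blocking regex, and the support ID is read from the named group `id`. The sample response bodies and the custom pattern are constructed for the illustration; the check that a custom pattern still carries the `id` group is an assumption about good practice, not something the tool enforces.

```python
import re

# Default blocking pattern, as shown in the tool prompt above.
DEFAULT_BLOCK_PATTERN = r"<br>Your support ID is: (?P<id>\d+)<br>"


def compile_block_pattern(pattern):
    """Compile the blocking regex and insist on a named group 'id'.

    The tester reports the support ID from that group, so a custom
    pattern without it cannot identify blocked requests correctly.
    """
    regex = re.compile(pattern)
    if "id" not in regex.groupindex:
        raise ValueError("blocking pattern must contain a (?P<id>...) group")
    return regex


def classify_response(body, pattern=DEFAULT_BLOCK_PATTERN):
    """Return ('blocked', support_id) when the body is an ASM blocking page,
    otherwise ('passed', None), meaning the test request reached the app."""
    match = compile_block_pattern(pattern).search(body)
    if match:
        return ("blocked", match.group("id"))
    return ("passed", None)


# Constructed sample responses (not captured from a real BIG-IP).
DEFAULT_BLOCK_PAGE = (
    "<html><head><title>Request Rejected</title></head><body>"
    "The requested URL was rejected. Please consult with your administrator."
    "<br><br>Your support ID is: 1234567890123456789<br><br>"
    "<a href='javascript:history.back();'>[Go Back]</a></body></html>"
)
# A customised blocking page whose wording no longer matches the default regex.
CUSTOM_BLOCK_PAGE = "<p>Blocked. Reference number 42 was logged.</p>"
CUSTOM_BLOCK_PATTERN = r"Reference number (?P<id>\d+) was logged"
APP_PAGE = "<html><body>Welcome, user!</body></html>"

if __name__ == "__main__":
    print(classify_response(DEFAULT_BLOCK_PAGE))
    # With the default regex a custom page is misreported as a passed attack.
    print(classify_response(CUSTOM_BLOCK_PAGE))
    print(classify_response(CUSTOM_BLOCK_PAGE, CUSTOM_BLOCK_PATTERN))
    print(classify_response(APP_PAGE))
```

The second call shows the failure mode from the answer: a modified blocking page with the default regex makes every test look like it got through.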
- Sam10
Altostratus
Thanks for your response. But when I run the WAF tester, I am running into the issues below. I uninstalled and installed Python, pip and Git. Still the same issue. I didn't make any changes to the code.
Traceback (most recent call last):
File "c:\users\python\python38-32\lib\runpy.py", line 193, in _run_module_as_main
return _run_code(code, main_globals, None,
File "c:\users\python\python38-32\lib\runpy.py", line 86, in _run_code
exec(code, run_globals)
File "C:\users\Python\Python38-32\Scripts\f5-waf-tester.exe\__main__.py", line 7, in <module>
File "c:\users\python\python38-32\lib\site-packages\f5_waf_tester\__init__.py", line 501, in main
sys.exit(F5WAFTester(
File "c:\users\python\python38-32\lib\site-packages\f5_waf_tester\__init__.py", line 58, in __init__
self.tests = json.load(tf)
File "c:\users\python\python38-32\lib\json\__init__.py", line 293, in load
return loads(fp.read(),
File "c:\users\python\python38-32\lib\json\__init__.py", line 357, in loads
return _default_decoder.decode(s)
File "c:\users\python\python38-32\lib\json\decoder.py", line 337, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File "c:\users\python\python38-32\lib\json\decoder.py", line 355, in raw_decode
raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
- Andrew-F5
Employee
Given the "c" path and "python38-32" that implies you're running this script from Windows and using the 32 bit python executable. Windows isn't listed as a valid pre-requisite for the script on the main github page, https://github.com/f5devcentral/f5-waf-tester - ubuntu/kali/fedora only.
Prerequisites
Python 2.7+
Python package control (pip):
Ubuntu/Kali,
sudo apt-get install -y python-pip
Fedora,
sudo dnf install -y python-pip
It runs without issue for me on Windows 10 WSL-Ubuntu, python 2.7.17, 64 bit.