
F5 WAF Tester tool

Sam10
Altostratus

I am trying to test my WAF policy with the F5 WAF tester tool, but I am getting 0 results. Has anyone used this tool? Do I need to add all these parameter values or can I leave them blank? What should be the value for the blocking regular expression pattern? I am looking to scan for all the vulnerabilities defined in my policy; please can I get some insight into it.

[BIG-IP] Host [1.1.1.1]: <<< The BIG-IP Mgmt IP address to be tested
[BIG-IP] Username [username]: <<< The BIG-IP Mgmt username to be tested
[BIG-IP] Password [********]: <<< The BIG-IP Mgmt password to be tested
ASM Policy Name [policy_name]: <<< The WAF policy name to be tested
Virtual Server URL [https://2.2.2.2]: <<< The protocol and virtual address that will be tested>
Blocking Regular Expression Pattern [<br>Your support ID is: (?P<id>\d+)<br>]: <<< The blocking response page string to expect from ASM
Number OF Threads [25]: <<< The number of threads to open in parallel
[Filters] Test IDs to include (Separated by ',') []: <<< You can choose a specific test IDs that will be tested
[Filters] Test Systems to include (Separated by ',') [Unix/Linux,Node.js,MongoDb,Java Servlets/JSP]: <<< You can choose specific systems names that will be tested
[Filters] Test Attack Types to include (Separated by ',') []: <<< You can choose a specific attack types names that will be tested
[Filters] Test IDs to exclude (Separated by ',') [,]: <<< You can choose specific test IDs that will not be tested (on top of the include list)
[Filters] Test Systems to exclude (Separated by ',') []: <<< You can choose specific system names not that will be tested (on top of the include list)
[Filters] Test Attack Types to exclude (Separated by ',') [],]: <<< You can choose specific attack type names that will not be tested (on top of the include list)


Andrew-F5
F5 Employee

"Do i need to add all these parameter value or can i leave it blank."

∟ You could leave them all blank, but then you will end up with a lot of failed tests due to the lack of IP and ports to check. The script requires the inputs so it knows where to send the tests to, either/or (a) management IP (b) virtual server IP:port.

∟ Generally speaking you could leave the filters blank, it will just attempt all the test HTTP requests instead of a subset of them.

∟ I'd recommend filling out the first 6 parameters.


"what should be the value for blocking regular expression pattern"

∟ If you use the default ASM blocking page then this can be left default.

∟ If you use a custom ASM blocking page where you modified the line "Your support ID is", then you may need to change the regex to match against your custom page. The regex is checking for a support ID returned from ASM to determine if the testing attack failed (received an ASM blocking page) or succeeded (did not receive an ASM blocking page).
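To make the decision rule above concrete, here is an added example (not part of the thread or of the f5-waf-tester code) that applies the default blocking pattern from the prompt shown in the question to a few constructed response bodies. It also shows why a custom blocking page that drops the "Your support ID is" line is reported as "passed" unless the pattern is changed; the custom page text and its pattern are assumptions made up for this illustration.

```python
import re

# Default blocking pattern, taken from the tester's prompt quoted in the question.
DEFAULT_BLOCK_PATTERN = r"<br>Your support ID is: (?P<id>\d+)<br>"

# Assumed pattern for a custom blocking page that prints a "Reference number" instead.
CUSTOM_BLOCK_PATTERN = r"Reference number: (?P<id>\d+)"

# Constructed sample response bodies (not captured from a real BIG-IP).
BLOCKED_BODY = (
    "<html><head><title>Request Rejected</title></head><body>"
    "The requested URL was rejected. Please consult with your administrator."
    "<br><br>Your support ID is: 4815162342<br><br>"
    "<a href='javascript:history.back();'>[Go Back]</a></body></html>"
)
PASSED_BODY = "<html><body><h1>Welcome</h1><p>Search results for: test</p></body></html>"
CUSTOM_BLOCKED_BODY = "<html><body><p>Blocked. Reference number: 99887766</p></body></html>"


def classify_response(body, pattern=DEFAULT_BLOCK_PATTERN):
    """Return ('blocked', support_id) when the body matches the blocking-page
    pattern, otherwise ('passed', None). This example requires the pattern to
    carry a named group 'id' so the support ID can be reported."""
    compiled = re.compile(pattern)
    if "id" not in compiled.groupindex:
        raise ValueError("blocking pattern must define a named group 'id'")
    match = compiled.search(body)
    if match:
        return "blocked", match.group("id")
    return "passed", None


def run_checks(bodies, pattern=DEFAULT_BLOCK_PATTERN):
    """Tally verdicts over a batch of response bodies. A 'passed' verdict means
    the request reached the application without hitting the blocking page."""
    summary = {"blocked": 0, "passed": 0}
    for body in bodies:
        verdict, _ = classify_response(body, pattern)
        summary[verdict] += 1
    return summary


if __name__ == "__main__":
    # With the default pattern the custom page is misreported as 'passed'.
    print(run_checks([BLOCKED_BODY, PASSED_BODY, CUSTOM_BLOCKED_BODY]))
    # Switching to the matching pattern fixes the verdict for the custom page.
    print(classify_response(CUSTOM_BLOCKED_BODY, CUSTOM_BLOCK_PATTERN))
```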

Sam10
Altostratus

Thanks for your response. But when I run the WAF tester, I am running into the issues below. I uninstalled and reinstalled Python, pip and Git. Still the same issue. I didn't make any changes to the code.


Traceback (most recent call last):
  File "c:\users\python\python38-32\lib\runpy.py", line 193, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "c:\users\python\python38-32\lib\runpy.py", line 86, in _run_code
    exec(code, run_globals)
  File "C:\users\Python\Python38-32\Scripts\f5-waf-tester.exe\__main__.py", line 7, in <module>
  File "c:\users\python\python38-32\lib\site-packages\f5_waf_tester\__init__.py", line 501, in main
    sys.exit(F5WAFTester(
  File "c:\users\python\python38-32\lib\site-packages\f5_waf_tester\__init__.py", line 58, in __init__
    self.tests = json.load(tf)
  File "c:\users\python\python38-32\lib\json\__init__.py", line 293, in load
    return loads(fp.read(),
  File "c:\users\python\python38-32\lib\json\__init__.py", line 357, in loads
    return _default_decoder.decode(s)
  File "c:\users\python\python38-32\lib\json\decoder.py", line 337, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "c:\users\python\python38-32\lib\json\decoder.py", line 355, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

Andrew-F5
F5 Employee

Given the "c" path and "python38-32" that implies you're running this script from Windows and using the 32 bit python executable. Windows isn't listed as a valid pre-requisite for the script on the main github page, https://github.com/f5devcentral/f5-waf-tester - ubuntu/kali/fedora only.

Prerequisites

Python 2.7+

Python package control (pip):

Ubuntu/Kali: sudo apt-get install -y python-pip

Fedora: sudo dnf install -y python-pip

It runs without issue for me on Windows 10 WSL-Ubuntu, Python 2.7.17, 64-bit.