Forum Discussion

Sam10
May 06, 2020

F5 WAF Tester tool

I am trying to test my WAF policy with the F5 WAF tester tool, but I am getting 0 results. Has anyone used this tool? Do I need to add all these parameter values, or can I leave them blank? What should be the value for the blocking regular expression pattern? I am looking to scan for all the vulnerabilities defined in my policy; please can I get some insight into it.

[BIG-IP] Host [1.1.1.1]:                        <<< The BIG-IP Mgmt IP address to be tested
[BIG-IP] Username [username]:                   <<< The BIG-IP Mgmt username to be tested
[BIG-IP] Password [********]:                   <<< The BIG-IP Mgmt password to be tested
ASM Policy Name [policy_name]:                  <<< The WAF policy name to be tested
Virtual Server URL [https://2.2.2.2]:           <<< The protocol and virtual address that will be tested>
Blocking Regular Expression Pattern [<br>Your support ID is: (?P<id>\d+)<br>]:          <<< The blocking response page string to expect from ASM  
Number OF Threads [25]:                 <<< The number of threads to open in parallel
[Filters] Test IDs to include (Separated by ',') []:            <<< You can choose a specific test IDs that will be tested 
[Filters] Test Systems to include (Separated by ',') [Unix/Linux,Node.js,MongoDb,Java Servlets/JSP]:            <<< You can choose specific systems names that will be tested 
[Filters] Test Attack Types to include (Separated by ',') []:           <<< You can choose a specific attack types names that will be tested
[Filters] Test IDs to exclude (Separated by ',') [,]:           <<< You can choose specific test IDs that will not be tested (on top of the include list)
[Filters] Test Systems to exclude (Separated by ',') []:                <<<  You can choose specific system names not that will be tested (on top of the include list)
[Filters] Test Attack Types to exclude (Separated by ',') [],]:                 <<< You can choose specific attack type names that will not be tested (on top of the include list)

3 Replies

  • "Do i need to add all these parameter value or can i leave it blank."

    ∟ You could leave them all blank, but then you will end up with a lot of failed tests due to the lack of IP and ports to check. The script requires the inputs so it knows where to send the tests to, either/or (a) management IP, (b) virtual server IP:port.

    ∟ Generally speaking you could leave the filters blank, it will just attempt all the test HTTP requests instead of a subset of them.

    ∟ I'd recommend filling out the first 6 parameters.


    "what should be the value for blocking regular expression pattern"

    ∟ If you use the default ASM blocking page then this can be left default.

    ∟ If you use a custom ASM blocking page where you modified the line "Your support ID is", then you may need to change the regex to match against your custom page. The regex is checking for a support ID returned from ASM to determine if the testing attack failed (received an ASM blocking page) or succeeded (did not receive an ASM blocking page).
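The check described in the reply above, written out as an added example (this is not code from the thread or from the f5-waf-tester project): the blocking regex is applied to each HTTP response body, a match means ASM served its blocking page, and a customised page needs its own pattern or every blocked request is misreported as having passed. The sample pages and the custom pattern are constructed for the example.

```python
import re

# Default blocking pattern that f5-waf-tester prompts for (from the original post).
DEFAULT_BLOCK_PATTERN = r"<br>Your support ID is: (?P<id>\d+)<br>"

def classify_response(body, pattern=DEFAULT_BLOCK_PATTERN):
    """Classify one HTTP response body returned by the virtual server.

    A match on the blocking pattern means ASM served its blocking page, so the
    test request was blocked; no match means the request reached the application
    (the tester counts that as a WAF miss). Returns (verdict, support_id).
    """
    match = re.search(pattern, body)
    if match is None:
        return "passed", None
    # groupdict() tolerates custom patterns written without the (?P<id>...) group.
    return "blocked", match.groupdict().get("id")

def summarize(responses, pattern=DEFAULT_BLOCK_PATTERN):
    """Count verdicts over a list of (test_name, body) pairs, as a tester report would."""
    counts = {"blocked": 0, "passed": 0}
    for _name, body in responses:
        verdict, _ = classify_response(body, pattern)
        counts[verdict] += 1
    return counts

# Constructed sample responses (hypothetical, not captured from a real BIG-IP).
DEFAULT_BLOCK_PAGE = (
    "<html><body>The requested URL was rejected. Please consult with your "
    "administrator.<br><br>Your support ID is: 1234567890123456789<br><br>"
    "<a href='javascript:history.back();'>[Go Back]</a></body></html>"
)
# A customised blocking page where the "Your support ID is" line was changed.
CUSTOM_BLOCK_PAGE = "<html><body><p>Request blocked.</p><p>Reference: 9876543210</p></body></html>"
CUSTOM_PATTERN = r"Reference: (?P<id>\d+)"
APP_PAGE = "<html><body><h1>Welcome</h1></body></html>"

if __name__ == "__main__":
    samples = [("sqli-1", DEFAULT_BLOCK_PAGE), ("xss-1", APP_PAGE)]
    print(summarize(samples))                                    # {'blocked': 1, 'passed': 1}
    # With a custom page the default regex reports a false "passed" ...
    print(classify_response(CUSTOM_BLOCK_PAGE))                  # ('passed', None)
    # ... until the pattern is changed to match the custom page.
    print(classify_response(CUSTOM_BLOCK_PAGE, CUSTOM_PATTERN))  # ('blocked', '9876543210')
```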

  • Thanks for your response. But when I run the WAF tester, I am running into the below issues. I uninstalled and installed Python, pip and Git. Still the same issue. I didn't make any changes to the code.

    Traceback (most recent call last):
      File "c:\users\python\python38-32\lib\runpy.py", line 193, in _run_module_as_main
        return _run_code(code, main_globals, None,
      File "c:\users\python\python38-32\lib\runpy.py", line 86, in _run_code
        exec(code, run_globals)
      File "C:\users\Python\Python38-32\Scripts\f5-waf-tester.exe\__main__.py", line 7, in <module>
      File "c:\users\python\python38-32\lib\site-packages\f5_waf_tester\__init__.py", line 501, in main
        sys.exit(F5WAFTester(
      File "c:\users\python\python38-32\lib\site-packages\f5_waf_tester\__init__.py", line 58, in __init__
        self.tests = json.load(tf)
      File "c:\users\python\python38-32\lib\json\__init__.py", line 293, in load
        return loads(fp.read(),
      File "c:\users\python\python38-32\lib\json\__init__.py", line 357, in loads
        return _default_decoder.decode(s)
      File "c:\users\python\python38-32\lib\json\decoder.py", line 337, in decode
        obj, end = self.raw_decode(s, idx=_w(s, 0).end())
      File "c:\users\python\python38-32\lib\json\decoder.py", line 355, in raw_decode
        raise JSONDecodeError("Expecting value", s, err.value) from None
    json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

  • Given the "c" path and "python38-32" that implies you're running this script from Windows and using the 32 bit python executable. Windows isn't listed as a valid pre-requisite for the script on the main github page, https://github.com/f5devcentral/f5-waf-tester - ubuntu/kali/fedora only.

    Prerequisites

    Python 2.7+

    Python package control (pip):

    Ubuntu/Kali,
    sudo apt-get install -y python-pip

    Fedora,
    sudo dnf install -y python-pip

    It runs without issue for me on Windows 10 WSL-Ubuntu, python 2.7.17, 64 bit.