Test if WAF is working

Hello,

Can anyone recommend a 100% reliable test if WAF is actually working (especially the SQL-INJ/XSS features)? 

Firewall profile has form/url/cookie/xss/sql features enabled. I think I have configured the real webserver and virtual webserver correctly, but I don't know how to verify this.

Thank you!
Tim


  • Ok, here is the relevant log entry... how do I get this to work?

    2012:01:02-18:31:49 firewall reverseproxy: [Mon Jan 02 18:31:49 2012] [error] [client 98.233.176.34] Hostname in HTTP request does not match the server name
    2012:01:02-18:31:49 firewall reverseproxy: srcip="98.233.176.34" localip="75.148.28.141" size="185" user="-" host="98.233.176.34" method="GET" statuscode="403" reason="-" extra="-" time="243103" url="/favicon.ico" server="192.168.21.3" referer="-"

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • Ok, here is the relevant log entry... how do I get this to work?

    2012:01:02-18:31:49 firewall reverseproxy: [Mon Jan 02 18:31:49 2012] [error] [client 98.233.176.34] Hostname in HTTP request does not match the server name
    2012:01:02-18:31:49 firewall reverseproxy: srcip="98.233.176.34" localip="75.148.28.141" size="185" user="-" host="98.233.176.34" method="GET" statuscode="403" reason="-" extra="-" time="243103" url="/favicon.ico" server="192.168.21.3" referer="-"


    It looks like the scan was done against the IP address or the wrong FQN instead of the defined FQN of your website in the virtual server of the ASG WAS. So the request was dropped due to an invalid host header.

    Make sure that the scanner tries to access your websites as "www.example.com" instead of its IP "w.x.y.z". No (or wrong) host header == block by WAS. If your web application does not require host headers and is also accessible by IP, simply add your public IP to the virtual server domain part (and to the URL Hardening too, if in use) for the time of the security scan. Should work theoretically, but I never tested it that way...

    BTW: You should anonymize your IPs in posted logfiles - revealed information may give some creative people funny ideas ;o
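
Added example (not part of the original thread and not Sophos code): when reviewing test results, a 403 caused by the host-header check says nothing about whether the SQL injection/XSS filters fired, so this script separates the two by correlating the "Hostname in HTTP request does not match the server name" error lines with the 403 access entries. The sample lines are constructed in the format of the log entries quoted above, using documentation addresses; matching on identical timestamp and client IP is an assumption of this example.

```python
import re

HOST_MISMATCH = "Hostname in HTTP request does not match the server name"
PREFIX = re.compile(r'^(\S+) \S+ reverseproxy: (.*)$')   # timestamp, rest of line
CLIENT = re.compile(r'\[client ([^\]]+)\]')              # client IP in error lines
KV = re.compile(r'(\w+)="([^"]*)"')                      # key="value" access fields

# Constructed sample lines (not real traffic), same layout as the thread's log.
SAMPLE_LOG = """\
2012:01:02-18:31:49 firewall reverseproxy: [Mon Jan 02 18:31:49 2012] [error] [client 203.0.113.7] Hostname in HTTP request does not match the server name
2012:01:02-18:31:49 firewall reverseproxy: srcip="203.0.113.7" localip="198.51.100.10" size="185" user="-" host="203.0.113.7" method="GET" statuscode="403" reason="-" extra="-" time="243103" url="/favicon.ico" server="192.0.2.3" referer="-"
2012:01:02-18:32:10 firewall reverseproxy: srcip="203.0.113.7" localip="198.51.100.10" size="190" user="-" host="203.0.113.7" method="GET" statuscode="403" reason="-" extra="-" time="1200" url="/search?q=test" server="192.0.2.3" referer="-"
2012:01:02-18:32:15 firewall reverseproxy: srcip="203.0.113.7" localip="198.51.100.10" size="5120" user="-" host="203.0.113.7" method="GET" statuscode="200" reason="-" extra="-" time="900" url="/index.html" server="192.0.2.3" referer="-"
"""


def classify_403s(log_text):
    """Return (url, cause) per 403 entry; cause is 'host-mismatch' or 'other'."""
    mismatches = set()  # (timestamp, client IP) pairs from host-mismatch error lines
    denied = []         # (timestamp, srcip, url) for each access entry with status 403
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        stamp, body = m.groups()
        if HOST_MISMATCH in body:
            c = CLIENT.search(body)
            if c:
                mismatches.add((stamp, c.group(1)))
            continue
        fields = dict(KV.findall(body))
        if fields.get("statuscode") == "403":
            denied.append((stamp, fields.get("srcip"), fields.get("url")))
    # Resolve after the full pass so line order within one second does not matter.
    return [(url, "host-mismatch" if (stamp, ip) in mismatches else "other")
            for stamp, ip, url in denied]


if __name__ == "__main__":
    for url, cause in classify_403s(SAMPLE_LOG):
        print(f"{cause:14} {url}")
```

Entries reported as `other` were rejected for some reason besides the host-header check and are the ones to inspect when confirming that a filter in the firewall profile actually triggered.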