10

I'm wondering if there is a web application firewall (WAF) equivalent of VirusTotal? A site where I can throw for example injection strings, exploits or xss, and it will tell me what the default setups for different WAFs will detect.

I know there is the ModSecurity site out there which I could set up myself and experiment on, but I'd like one that covers the commercial offerings so I can get some experience with the way they work.

Question taken from seclist.org

M'vy
  • 13,033
  • 3
  • 47
  • 69
Chris Dale
  • 16,119
  • 10
  • 56
  • 97
  • 1
    Can you clarify the legal and ethical aspects of copying this? E.g. is the original your question? copyrighted? licensed? encouraging cross-posting? And also clarify your terms for better SEO and to help newbies? – nealmcb Jun 08 '11 at 01:50
  • It is not my question. Does not look to be copyrighted. I'll work on clarifying the question later tonight when I got time. Feel free to contribute by editing. – Chris Dale Jun 08 '11 at 12:22
  • @Karrax, everything is copyrighted (by default), unless the author explicitly grants it to the public domain or takes some other similar action. – D.W. Aug 12 '11 at 03:24
  • @D.W. I thought it was the contriary :) Anything public on the internett is free unless stated otherwise hehe. – Chris Dale Aug 12 '11 at 12:05
  • @Karrax, no, that is not correct. – D.W. Aug 12 '11 at 19:11

1 Answers1

6

I know of no such site. It's unlikely that such a site would exist, because WAF's don't block things on based on signatures like anti-virus.

WAFs must be configured to work properly. For each input field, you need to tell the WAF what that field can contain. Is it a number? An alpha field? Or can it contain arbitrary characters, including quotes, commas, dashes, semicolons?

One way of configuring a WAF is to put it into learning mode, so it can watch typical input fields. If it sees that only numbers are being sent in the "articleId=" field, then it knows it should probably filter out anything that isn't a number.

In other words, a "web application firewall" is a lot more like a "firewall" and a lot less like an "anti-virus" or "intrusion prevention system".

Robert David Graham
  • 3,883
  • 1
  • 15
  • 14