tristan2077 / waf-benchmark

This project was born to try to create a way to measure the WAF efficiency.

Currently there're a lot of WAF and a lot of papers and articles about how to good or bad are each available options, but there's not a standard way to test each WAF following these requisites:

The test must be:

• Must be repeatable
• Must measure a do all the test to each product that want to test
• Must be automatic
• Must be measurable the results
• Must know what

• SQl Injection

• Testing mode: use

pip install -e .

This is a example repo for launch modsecurity server with express server <https://github.com/theonemule/docker-waf>

You have multiples kind of benchmarking

• For demo you can limit the number of results and list payloads summary

python -m waf_benchmark http://localhost:8000 --list-payloads -M 2

• List all benchmarks

python -m waf_benchmark http://localhost:8000 --list-payloads

• This can take a long time(~ 55000 requests), send the output to a file

python -m waf_benchmark http://localhost:8000 --list-payloads >> output_bench.txt

usage: __main__.py [-h] [-v] [-c CONCURRENCY] [-D {screen} [{screen} ...]]

[-p] [-o DUMP_FILE] [-S] [-M MAXIMUM_ATTACKS] WAF_URL

WAF-Bench: a benchmarking test for WAF systems

positional arguments:

WAF_URL Application access

optional arguments:

-h, --help	show this help message and exit
-v, --verbosity
	verbosity level: -v, -vv, -vvv.

Output options:

-c CONCURRENCY, --concurrency CONCURRENCY
	maximum concurrency (default: 50)

-D {screen} [{screen} ...], --dump-mode {screen} [{screen} ...]

how to dump the information (default: screen)

-p, --list-payloads
	list payloads that a WAF can't block (default: False)
-o DUMP_FILE, --dump-file DUMP_FILE
	file path to dump results
-S	don't check connection to WAF before start tests (default: False)
-M MAXIMUM_ATTACKS, --maximum-attacks MAXIMUM_ATTACKS
	maximum number of attacks to do per data set (default: all)