F5 Web Application Firewall Solutions > WAF 301 - AWAF in a CI/CD Pipeline (Self Guided) > Module 2: Policy testing - Intro to f5 WAF Tester (secops engineer) Source | Edit on
Appendix A: f5 WAF Tester Administrator Guide¶
To install on different platforms:
Ubuntu/Kali
sudo apt-get install -y python-pipFedora
sudo dnf install -y python-pip
When going through the configuration file prompts (./f5-waf-tester –init), there are more prompts that you can configure:
- Blocking Regular Expression Pattern [<br>Your support ID is: (?P<id>d+)<br>]:
- Specifies where to grab your support ID from the block page. This should remain unchanged unless you have a customized block page.
- Number OF Threads [25]:
- Number of threads to open in parallel
- [Filters] Test IDs to include (Separated by ‘,’) []:
- You can specify test IDs to run if you do not want all 24 tests to execute. (See Appendix B for full matrix)
- [Filters] Test Systems to include (Separated by ‘,’) []:
You can specify test systems to run if you do not want all of them to execute.
- Here are the possible systems that can be used:
- All Systems General Database MongoDB Unix/Linux Microsoft Windows Node.js PHP
- [Filters] Test Attack Types to include (Separated by ‘,’) []:
Specify attack types to run if you do not want to run all.
- The options are:
XSS
SQL Injection
NoSQL Injection
Command Execution
Path Traversal
Predictable Resource Location
HTTP Protocol Compliance
Detection Evasion
Insecure Deserialization
Information Leakage
JSON Parser Attack
XML Parser Attack
HTTP Parser Attack
HTTP Request Smuggling
Server Side Request Forgery
- [Filters] Test IDs to exclude (Separated by ‘,’) []:
- Exclude test IDs to be run.
- [Filters] Test Systems to exclude (Separated by ‘,’) []:
- Exclude test systems to be run.
- [Filters] Test Attack Types to exclude (Separated by ‘,’) []:
- Exclude attack types to be run.
- Here are the possible reasons that could cause the test ID to fail:
ASM Policy is not in blocking mode
Attack Signature is not in the ASM Policy
Attack Signatures are not up to date
Attack Signature disabled
Attack Signature is in staging
Parameter * is in staging
URL * is in staging
URL * Does not check signatures
Header * Does not check signatures
Evasion disabled
Evasion technique is not in blocking mode
Violation disabled