In this post we talk about Web Application Firewall (WAF) auditing solutions: how to know whether a WAF has been deployed securely and configured correctly, and how to audit it by performing a range of web application attacks against the protected web application (web app, portal, modern website) to test whether the WAF's defenses can be bypassed and the application exploited, as part of a comprehensive and systematic WAF audit based on an established WAF auditing framework.
If you come from the business side, you will notice that a WAF cannot be handled like a network firewall, router or switch, where a single configuration can be reviewed for the audit. The web application it protects is a pool of web architecture elements rather than a single object: parameters and input pass continuously from the web client to the web server over a secure transport, while the application server executes the application logic on behalf of the web server and passes data on to the backend database server.
For those in the domain of web application ethical hacking and penetration testing, who are used to and capable of manually exploiting a web application, the familiar techniques apply: bypassing security controls such as form validation, manipulating input values, and escalating privileges to gain unauthorised access rights, all through manual application security testing and manual pen-testing.
Because of the attack surface and the range of manual exploitation options available, an attacker can assemble their own cyber kill chain for each scenario and context. Any web application firewall (WAF) audit that does not include manual testing and exploitation attempts in front of the WAF is not a practical audit: it only yields the false assumption that the deployment is secure, and it does not show whether an attacker who manually exploits your web application through legitimate-looking, normal web traffic is actually stopped.
As such, for those who need to perform web application firewall (WAF) auditing, there is no quick fix or silver bullet. The most cost-effective approach is to bring working knowledge of web application security testing, manual exploitation and penetration testing, and use it as the input for testing the WAF's defenses and protection, to determine whether they can be bypassed or not.
E-SPIN Group is in the business of enterprise ICT solution supply, consulting, project management, training and maintenance support for multinational corporations and government agencies across the region; E-SPIN has been in business since 2005. Feel free to contact us about the WAF auditing framework and solutions that can help address your operational requirements.