ByteBandit0101 / Bastion-Waf-Tool

BASTION: A Tool for WAF Evaluation

Made by ByteBandit0101

⚠️WARNING⚠️

This tool is intended for testing in controlled environments with the intent of evaluating WAFs.

About the tool

Bastion automates testing against deliberately vulnerable applications such as OWASP's DVWA (Damn Vulnerable Web Application) and Mutillidae, and serves as a benchmarking mechanism for Web Application Firewalls (WAFs). It works by sending a series of crafted payloads known to exploit specific vulnerabilities in these test applications and evaluating the application's response to each payload sent.

The underlying logic of this tool is straightforward yet effective: it attempts to exploit known vulnerabilities in these applications and monitors how the responses are handled by both the applications and, more crucially, by the WAFs implemented to protect them. When a payload results in a successful exploitation (i.e., the attack "was successful"), it indicates that the WAF failed to block the exploitation attempt, and the tool records this event as a failure in the protection offered by the WAF.

Conversely, if the WAF manages to identify and block the exploitation attempt, preventing the payload from causing any harm or gaining unauthorized access, the tool records this as a success for the WAF ("WAF blocked it"). This continuous testing process allows for a comparative assessment of the effectiveness of different WAFs in protecting against a standardized set of known attacks.

This automated approach not only saves significant time that would otherwise be spent on manual testing but also provides a quantitative metric on the effectiveness of WAFs in protecting web applications against known exploitation attempts. This tool can be extremely useful for organizations looking to strengthen their cyber defenses by evaluating different WAF solutions before making a large-scale implementation.

Built With

python

Installation

Linux

  1. Clone the repo

    git clone https://github.com/ByteBandit0101/Bastion-Waf-Tool.git
  2. Go to the Bastion-Waf-Tool directory

    cd Bastion-Waf-Tool
  3. Install requeriments.txt

    pip install -r requeriments.txt
  4. Run

    python3 run_all_tests.py

Windows

  1. Clone the repo

    git clone https://github.com/ByteBandit0101/Bastion-Waf-Tool.git
  2. Go to the Bastion-Waf-Tool directory

    cd Bastion-Waf-Tool
  3. Install requeriments.txt

    pip install -r requeriments.txt
  4. Run

    python run_all_tests.py

How To Use

  1. Choose whether or not to use Tor

    1. Use Tor
    2. Do not use Tor
    3. Exit
    Choose an option: "Enter the desired option"
  2. Choose the scenario

    1. Explore Mutillidae
    2. Explore DVWA
    3. Exit
    Choose an option: "Enter the desired option"
  3. Enter the target URL (Example: https://test.com)

    Please enter the base URL: "put your url here"
  4. Select the request rate: low = 10 / medium = 5 / high = 3

    Choose the request send rate (low, medium, high): "Enter the desired option"
  5. Choose whether to run all tests or select which ones will be run:

    Do you want to run all tests automatically or select them manually?
    1. Run all tests automatically
    2. Select tests manually
    Choose an option: "Enter the desired option"

    Case 1:

    It runs all the scripts in order and at the end gives an overview of the test results.

    Do you want to run all tests automatically or select them manually?
    1. Run all tests automatically
    2. Select tests manually
    Choose an option: 1

    Case 2:

    It asks about each script in turn. If you answer "yes" it runs that script and then asks whether to run the next one.

    Choose an option: 2
    Do you want to execute Brute_Force.py? (yes/no): yes

    If you answer "no" it skips the current script and asks about the next one.

    Choose an option: 2
    Do you want to execute Brute_Force.py? (yes/no): no
  6. At the end of the test you can choose to save the logs in a .zip (save) or delete them (clear):

    Do you want to clear the logs folder or save? (clear/save): "Enter the desired option"
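
The scoring logic the README describes (a payload that gets through counts against the WAF, a blocked one counts for it) and the rate-limited run loop, written out as an added Python example; this is not Bastion's own code. It assumes a WAF block shows up as a 403/406 status or a block-page phrase, that a per-test success marker in the response body proves the payload worked, that the low/medium/high values are seconds between requests, and the canned target used by `demo()` is constructed for offline use.

```python
import time
import urllib.error
import urllib.request
from collections import Counter

# Seconds between requests, matching the README's low=10 / medium=5 / high=3.
RATE_DELAY = {"low": 10, "medium": 5, "high": 3}
# Assumed indicators of a WAF block: an explicit deny status or a block page.
BLOCK_STATUSES = {403, 406}
BLOCK_MARKERS = ("request blocked", "access denied", "web application firewall")

def classify(status, body, success_marker):
    """Verdict for one payload: the WAF blocked it, or the app was exploited."""
    lowered = body.lower()
    if status in BLOCK_STATUSES or any(m in lowered for m in BLOCK_MARKERS):
        return "WAF blocked it"
    if success_marker.lower() in lowered:
        return "attack was successful"
    return "app rejected it"  # neither blocked nor exploited: no WAF credit

def http_send(url):
    """Real sender: catch HTTPError, or every 403 block looks like a transport error."""
    try:
        with urllib.request.urlopen(url, timeout=15) as r:
            return r.status, r.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")

def run_suite(tests, send=http_send, rate="high", sleep=time.sleep):
    """Send each (name, url, success_marker) at the chosen rate; return verdicts."""
    results = []
    for i, (name, url, marker) in enumerate(tests):
        if i:
            sleep(RATE_DELAY[rate])  # pace requests as the README describes
        status, body = send(url)
        results.append((name, classify(status, body, marker)))
    return results

def summarize(results):
    """End-of-run overview: how many payloads the WAF caught or missed."""
    return dict(Counter(verdict for _, verdict in results))

# Constructed sample run (no network): a fake target with canned responses.
CANNED = {"/login": (403, "<h1>Request blocked by WAF</h1>"),
          "/dns": (200, "<pre>uid=33(www-data)</pre>"),
          "/poll": (200, "Thanks for voting")}
TESTS = [("login", "/login", "Welcome"), ("dns", "/dns", "uid="), ("poll", "/poll", "<script>")]

def demo():
    return summarize(run_suite(TESTS, send=lambda u: CANNED[u], sleep=lambda s: None))
```

A response that is neither blocked nor exploited is kept as a third bucket rather than credited to the WAF, so an application-side rejection does not inflate the WAF's score.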

How to configure Tor proxy

Coming soon: video tutorial...

Exploited vulnerabilities

Here are the pages that BASTION exploits in both Mutillidae and DVWA, and their respective vulnerabilities:

Mutillidae

    add-to-your-blog.php

        SQL Injection on blog entry
        SQL Injection on logged in user name
        Cross site scripting on blog entry
        Cross site scripting on logged in user name
        Log injection on logged in user name
        Cross site request forgery
        JavaScript validation bypass
        XSS in the form title via logged in username
        HTML injection in blog input field
        Application Exception Output
        Application Log Injection
        Known Vulnerable Output: Name Comment "Add blog for" title

    arbitrary-file-inclusion.php

        System file compromise
        Load any page from any site
        Reflected XSS via the value in the "page" URL parameter
        Server-side includes
        HTML injection
        Remote File Inclusion
        Local File Inclusion
        Method Tampering

    back-button-discussion.php

        Reflected XSS via referer HTTP header
        JS Injection via referer HTTP header
        HTML injection via referer HTTP header
        Unvalidated redirect

    browser-info.php

        Reflected XSS via referer HTTP header
        JS Injection via referer HTTP header
        HTML injection
        Reflected XSS via user-agent string HTTP header

    dns-lookup.php

        Cross site scripting on the host/ip field
        O/S Command injection on the host/ip field
        This page writes to the log. SQLi and XSS on the log are possible
        HTML injection
        GET for POST (method tampering) is possible
        Application Log Injection
        JavaScript Validation Bypass

    document-viewer.php

        Cross Site Scripting
        HTML injection
        HTTP Parameter Pollution
        Frame source injection
        Method Tampering
        Application Log Injection

    login.php

        Authentication bypass SQL injection via username and password fields
        SQL injection via username and password fields
        XSS via username field
        JavaScript validation bypass
        HTML injection via username field
        Username enumeration
        Application Log Injection

    register.php

        SQL injection, HTML injection, and XSS via username, signature, and password fields
        Method tampering
        Application Log Injection

    repeater.php

        HTML injection and XSS
        Method tampering
        Parameter addition
        Buffer overflow

    set-background-color.php

        Cascading style sheet injection and XSS via the color field

    user-info.php

        SQL injection to dump all usernames and passwords via username or password field
        XSS via any of the displayed fields
        XSS via the username field
        JavaScript validation bypass

    user-poll.php

        Parameter pollution
        Method Tampering
        XSS via the choice parameter
        Cross site request forgery to force user choice
        HTML injection

    xml-validator.php

        XML Entity Injection Attack
        XML Entity Expansion
        XML Injection
        Reflected Cross site scripting via XML Injection

DVWA - Damn Vulnerable Web Application

    Brute Force

      This vulnerability allows an attacker to try many passwords or keys with the hope of eventually guessing correctly. DVWA can be used to practice brute force attacks on login forms.

    Command Injection

      This security flaw occurs when an attacker can inject arbitrary commands into an operating system through a vulnerable application, typically through web forms.

    CSRF

      A CSRF attack tricks a user's browser into performing unwanted actions on a site where they are currently authenticated, exploiting the trust that a site has in the user's browser.

    File Inclusion

      There are two types of file inclusion: Local File Inclusion (LFI) and Remote File Inclusion (RFI). These vulnerabilities allow an attacker to include files on the server or via remote URLs, respectively, which can lead to arbitrary code execution.

    File Upload

      This vulnerability occurs when an application allows users to upload files without proper security checks, enabling the upload of malicious scripts that can be executed on the server.

    Insecure CAPTCHA

      CAPTCHAs are used to ensure that the user is human and not a bot. An insecure CAPTCHA can be automated or bypassed, allowing bots to perform malicious actions.

    SQL Injection

      This is one of the most dangerous vulnerabilities, where an attacker can inject arbitrary SQL commands, which are executed by the database. This can lead to the exposure of sensitive data, data corruption, or loss of control over the database.

    SQL Injection (Blind)

      A variation of SQL Injection where the attacker cannot see the result of the injection directly, but can infer information through the application's behavior or through indirect error messages.

    Weak Session IDs

      Weak session IDs can be easily guessed or predicted, allowing an attacker to hijack another user's session, thereby taking control over someone else's account.

    XSS (DOM, Reflect, Stored)

      Cross-Site Scripting (XSS) allows attackers to inject malicious scripts into pages viewed by other users. Stored XSS stores the malicious script on the server; Reflected XSS sends the script as part of a request that is reflected by the server to the user; DOM XSS manipulates the DOM to inject the malicious script.

    CSP Bypass

      Content Security Policy (CSP) is a security measure to detect and mitigate attacks such as XSS and data injection. A CSP bypass allows the attacker to circumvent CSP restrictions, executing unauthorized scripts.

    JavaScript

      Vulnerabilities in JavaScript can include security issues in how JavaScript code is executed or manipulated, allowing various attacks, including XSS.

    Authorisation Bypass

      This vulnerability occurs when authorization restrictions in an application are poorly configured or can be circumvented, allowing a user to access functions or data without the necessary permissions.

    Open HTTP Redirect

      This vulnerability happens when a web application redirects users to other URLs using untrusted input data, which can lead to phishing attacks or other misuses.