openappsec / waf-comparison-project

Testing datasets and tools to compare WAF efficacy
https://www.openappsec.io
Apache License 2.0
144 stars 24 forks

the program doesn't work #4

Open morf13111986 opened 1 year ago

morf13111986 commented 1 year ago

I don’t want to start scanning at all. I did everything according to the instructions. I made changes to the config.py file, indicating the application that needs to be scanned and which is located behind the WAF. But when launched, "Health check passed" works, but "WAF functionality check failed" gives an error. As far as I understand, the scan does not work. But I can’t understand why.

Boris-Rozenfeld commented 1 year ago

Hello, @morf13111986

If you encounter the "WAF functionality check failed" message, it indicates that the WAF did not successfully block a malicious payload. Please ensure that your WAF can intercept and block the following payload: /<script>alert(1)</script>

You can reference the specific code related to this here.

Once you've made the necessary adjustments, rerun the tool.

Thank you!

sidoverflow commented 1 year ago

@Boris-Rozenfeld My WAF is in Prevent mode and I can see the requests being blocked on the openappsec portal with a 403, but I'm still getting ERROR | WAF functionality check failed. Any thoughts?

Boris-Rozenfeld commented 1 year ago

@sidoverflow, just checked with a clean Open-AppSec environment and the "WAF functionality check passed". For troubleshooting your issue, kindly consider the following two steps:

  1. Execute the command below from the source machine where the tool is running:

     curl -i http://<target_ip>/<script>alert(1)</script>

     The expected response should have a status code of 403.

  2. Review the config.py file carefully:

     • Ensure accurate typing of the target URL.
     • If the tool is intended to run against a single target, the "WAFS_DICT" object should list only that specific target.

Please give these suggestions a try and let me know if they assist you in resolving the issue.

sidoverflow commented 1 year ago

I believe my issue was the default web response page by open-appsec which was likely running into unexpected EOF errors. I configured the asset to return a plain 403 status code. That seemed to work, now the health and functionality checks are fine!
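The thread turns on two facts: the tool's functionality check expects a complete 403 for the probe path `/<script>alert(1)</script>`, and a block page that is not delivered cleanly shows up as an EOF rather than as a 403, which the tool reports only as "failed". The script below is an added illustration for this thread, not the project's own code: it runs the same two pre-flight checks (benign path, then the probe) through an injectable transport and classifies the result as blocked, not blocked, or connection dropped, so the operator sees which of the three situations discussed above they are in. Function and variable names are my own; the fake transports are constructed stand-ins for a live target.

```python
"""Pre-flight checks in the spirit of the tool's 'Health check' and
'WAF functionality check', with the transport injectable so the logic can
be exercised offline.  Added illustration for this thread, not the
project's own code; the function and variable names are my own."""
import http.client
from urllib.parse import urlsplit

# Probe quoted in the thread: the WAF is expected to answer it with 403.
PROBE_PATH = "/<script>alert(1)</script>"
HEALTH_PATH = "/"

BLOCKED = "BLOCKED"                        # WAF returned a complete 403
NOT_BLOCKED = "NOT_BLOCKED"                # any complete reply other than 403
CONNECTION_DROPPED = "CONNECTION_DROPPED"  # EOF / reset before a complete reply


def http_client_transport(base_url, path, timeout=10):
    """Real transport: send `path` verbatim (as curl does) and return (status, body).
    http.client raises RemoteDisconnected / IncompleteRead on a truncated reply
    instead of hiding it, which is what the classifier relies on."""
    parts = urlsplit(base_url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": parts.netloc,
                                           "User-Agent": "waf-precheck"})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def classify(send, path):
    """Send one request and return (outcome, status_or_None, detail)."""
    try:
        status, body = send(path)
    except (http.client.RemoteDisconnected, http.client.IncompleteRead,
            http.client.BadStatusLine, ConnectionResetError) as exc:
        return CONNECTION_DROPPED, None, f"{type(exc).__name__}: {exc}"
    outcome = BLOCKED if status == 403 else NOT_BLOCKED
    return outcome, status, f"status {status}, {len(body)} body bytes"


def run_checks(send):
    """Run both checks and return a report that says *why* a check failed."""
    h_outcome, h_status, h_detail = classify(send, HEALTH_PATH)
    f_outcome, f_status, f_detail = classify(send, PROBE_PATH)
    report = {
        # Health: the app behind the WAF must answer the benign path normally.
        "health_check_passed": h_status is not None and 200 <= h_status < 400,
        "health_detail": h_detail,
        # Functionality: the probe must come back as a complete 403.
        "functionality_check_passed": f_outcome == BLOCKED,
        "functionality_outcome": f_outcome,
        "functionality_detail": f_detail,
        "hint": "",
    }
    if f_outcome == CONNECTION_DROPPED:
        # The situation sidoverflow describes: the block page was not delivered
        # cleanly, so the tool saw an EOF rather than a 403.
        report["hint"] = ("WAF closed the connection before a complete reply; "
                          "check the block/response page configuration or return "
                          "a plain 403 for blocked requests")
    elif f_outcome == NOT_BLOCKED:
        report["hint"] = (f"probe reached the application (status {f_status}); "
                          "the WAF is not in a blocking/prevent mode for this asset")
    return report


# Constructed fake transports that stand in for a live target (not real data).
def fake_transport_plain_403(path):
    """Healthy WAF: benign path served, probe answered with a plain 403."""
    return (403, b"Forbidden") if path == PROBE_PATH else (200, b"<html>app</html>")


def fake_transport_eof(path):
    """WAF that drops the connection mid-block-page instead of completing a 403."""
    if path == PROBE_PATH:
        raise http.client.RemoteDisconnected(
            "Remote end closed connection without response")
    return 200, b"<html>app</html>"


def fake_transport_detect_only(path):
    """WAF in a non-blocking (detect/learn) mode: the probe reaches the app."""
    return 200, b"<html>app</html>"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:      # e.g. python waf_precheck.py http://<target_ip>
        base = sys.argv[1]
        send = lambda path: http_client_transport(base, path)
    else:
        send = fake_transport_eof   # offline demo of the EOF case from the thread
    for key, value in run_checks(send).items():
        print(f"{key}: {value}")
```

Run it with a base URL to probe a real target, or with no arguments to see the offline EOF case. The point of the three-way outcome is diagnostic: a "connection dropped" result points at the block page delivery (the fix sidoverflow applied), while "not blocked" with a 200 points at the asset's enforcement mode, and neither is distinguishable from a single "failed" line.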