wallarm / gotestwaf

An open-source project in Golang to assess different API Security tools and WAFs for detection logic and bypasses
https://lab.wallarm.com/test-your-waf-before-hackers/
MIT License

gotestwaf not working against a WAF using 302 Redirect as blocked page #165

Closed fa-alenoir closed 1 year ago

fa-alenoir commented 1 year ago

Hi,

I used both the latest Docker image and the latest source code today against a WAF that returns an HTTP 302 Redirect when blocking a URL (probably NetScaler).

I tried to play around with the options --maxRedirects 0 --blockStatusCode 302 but even with that, GTW was not able to count/recognize 302 responses as a block, so it proceeded through all the 1415 requests but at the end the report said 0 requests blocked, although there were a few hundred 302 redirects that are related to a blocked request from the WAF.

I think the problem is that gotestwaf follows the redirection no matter what, and so the 302 response is never returned and compared.

internal/scanner/httpclient.go, line 54:

    // Current behaviour: redirects are followed until the configured limit is exceeded,
    // at which point the client returns an error rather than the redirect response.
    redirectFunc = func(req *http.Request, via []*http.Request) error {
        if len(via) > cfg.MaxRedirects {
            return errors.New("max redirect number exceeded")
        }
        return nil
    }

should be replaced by something like that probably:

    // Proposed behaviour: never follow the redirect; http.ErrUseLastResponse makes
    // the client return the redirect response itself (e.g. the 302) with a nil error.
    redirectFunc = func(req *http.Request, via []*http.Request) error {
        return http.ErrUseLastResponse
    }

So the redirection is not followed and the 302 response is returned until the last control and compared with the provided --blockStatusCode parameter

Cheers ! :)
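As an added example (not code from the gotestwaf repository), the redirect policy below generalizes the fix proposed above: once the redirect limit is exceeded, the client returns the last redirect response instead of an error, so with maxRedirects=0 the first 302 reaches the status-code comparison. The `newClient`, `isBlocked` and `newFakeWAF` helpers are assumptions for this demonstration; the fake WAF is constructed to mimic the behaviour described in the issue (302 to "/" for everything except "/").

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newClient builds an http.Client that stops following redirects once the limit
// is exceeded and hands back that redirect response unchanged. With
// maxRedirects == 0 the first 302 is returned as-is. (Assumed helper, not gotestwaf's API.)
func newClient(maxRedirects int) *http.Client {
	return &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) > maxRedirects {
				return http.ErrUseLastResponse
			}
			return nil
		},
	}
}

// isBlocked reports whether the final response status equals blockStatusCode.
func isBlocked(c *http.Client, url string, blockStatusCode int) (bool, error) {
	resp, err := c.Get(url)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	return resp.StatusCode == blockStatusCode, nil
}

// newFakeWAF is a constructed stand-in for the WAF in the issue: any path
// other than "/" gets a 302 to "/", and "/" itself answers 200.
func newFakeWAF() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/" {
			http.Redirect(w, r, "/", http.StatusFound)
			return
		}
		fmt.Fprint(w, "ok")
	}))
}

func main() {
	srv := newFakeWAF()
	defer srv.Close()
	blocked, _ := isBlocked(newClient(0), srv.URL+"/probe", 302)
	fmt.Println("302 counted as block with maxRedirects=0:", blocked)
}
```

With maxRedirects=10 the same request is followed to "/" and ends in a 200, which is exactly why the original code never saw the 302.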

fa-alenoir commented 1 year ago

It seems to act the same with any HTTP Redirection, not only 302

svkirillov commented 1 year ago

Hi!

It looks like the WAF wants to set session cookies and doesn't want to let you access the site without them. This leads to permanent redirections. Try to use the --followCookies and --renewSession options.

fa-alenoir commented 1 year ago

Hi,

No, that's not the problem. The web app/WAF doesn't set any cookie; it just sends an HTTP 302 redirect to / without any specific headers or Set-Cookie.

And GTW is not able to handle 302 and always follows them, so at the end it gets an HTTP 200 since it is redirected to /, and so it considers that there was no block from the WAF.

fa-alenoir commented 1 year ago

I tried with the fix I sent to you, and with that GTW doesn't follow the redirection, so the 302 can be defined as a block status.

svkirillov commented 1 year ago

Ok, I will fix it. Can you provide a URL where I can test?

fa-alenoir commented 1 year ago

Any scan on a tinyurl should do the trick, for example https://tinyurl.com/3xvbx526 ==> www.google.fr. In this case it's an HTTP 301 redirect, but that's exactly the same problem: you have to set the block status to 301 for this test.

svkirillov commented 1 year ago

Hi!

This issue has been fixed in recent releases. Now you can use --maxRedirects=0 and --blockStatusCode=302 options together to detect blocking based on redirect status codes.

If you still have this problem, please reopen this issue.

fa-alenoir commented 1 year ago

Thanks !! I'll let you know