
WAF Solution Testing #665

Open
hahwul opened this issue Mar 14, 2025 · 1 comment

Comments

@hahwul
Owner

hahwul commented Mar 14, 2025

https://x.com/isacaya_/status/1900470572561399919 from @isacaya

@isacaya

isacaya commented Mar 20, 2025

Hello, I hope you're doing well. At first, I thought about putting a web app on the cloud and using something like AWS WAF or Cloudflare's WAF to see how well dalfox works. But after looking into it more, I realized that the "rule set" applied by the WAF is more important than the type of WAF itself, and a lot of WAFs commonly include the OWASP CRS (Core Rule Set).

  • AWS WAF rulesets (screenshot)
  • Cloudflare WAF rulesets (screenshot)

So I thought it’d be better to focus more on the rule set rather than specific vendors’ WAFs, and figured that testing with the OWASP Core Rule Set, which most WAFs rely on, might be a sound decision.

And I came across a Docker image that sets up an environment pretty easily, so I hooked up a WAF to XSSMaze. Let me know what you think if you get a chance to peek at it!

Quick Test

  1. git clone -b xssmaze-waf https://github.com/isacaya/xssmaze.git
  2. docker-compose up --build
  3. curl "http://127.0.0.1:8080"

XSSMaze Before and After WAF Implementation

(screenshot)
Left (port 3000): plain XSSMaze
Right (port 8080): XSSMaze with OWASP Core Rule Set applied
