Testing with attack tooling

After installing the Next-Gen WAF, we recommend testing your setup by running attack tooling against your site to verify that attack data is being captured and blocking is working correctly.

While you can use any attack tooling for testing, we recommend using Nikto which tests a wide variety of vulnerabilities. While Nikto is running, Next-Gen WAF agents will identify any malicious or anomalous requests and send relevant metadata to our backend, after redacting any sensitive information.

This guide explains how to set up Nikto and run three different testing scenarios:

1. Testing attack tooling detection
2. Testing attack detection
3. Testing attack blocking

Before you begin

Nikto requires Perl to be installed. Run perl -v to check if you have Perl installed on your system. If Perl is not found, you can download and install it from the Perl website.

Setting up Nikto

Nikto is a common open source tool used for running security tests against web servers. It can run on Linux, OS X, and Windows platforms. To set up Nikto:

1. Download the latest version of Nikto.
2. Using command prompt, navigate to the directory where you downloaded Nikto.
3. Enter unzip nikto-master.zip to unzip the file.
4. Enter cd nikto-master/program/ to change directories to the program directory.
5. Run ./nikto.pl to verify you are able to run Nikto. A default help message appears.

If you receive a permission denied error message, you can resolve the error by running chmod +x nikto.pl which makes the script executable. Then run ./nikto.pl again.

Testing attack tooling detection

Using Nikto, you can test the attack tooling detection feature.

To run this test:

1. Log in to the Next-Gen WAF console.
2. From the Sites menu, select a site if you have more than one site.

3. Ensure the agent mode indicator in the site navigation bar displays Not blocking. In this mode, the agent logs requests but does not block anything. If the agent mode indicator displays Blocking or Off, update the behavior by clicking the agent mode indicator and then clicking Manage.

4. Using command prompt, enter cd nikto-master/program/ to change directories to the program directory.

5. In a command prompt, run the following command to initiate the first Nikto scan of your site:

   $ ./nikto.pl -h http://www.example.com

While the attack is running, navigate to the Site Overview page in the Next-Gen WAF console and select the Overview dashboard from the dashboards menu. The Overview dashboard will display the attacks and anomalies within 30 seconds.

Testing attack detection

After verifying that attack tooling has been detected, you can use Nikto to modify an attack to demonstrate an IP address being flagged due to injection attacks. You can do this by modifying the User-Agent string that is sent with each request.

To run this test:

1. Log in to the Next-Gen WAF console.
2. From the Sites menu, select a site if you have more than one site.

3. From the Events card, click View next to the IP address associated with the Nikto scanner host.

4. Click Remove flag now on the flagged IP address and then Remove flag.

5. Using command prompt, enter cd nikto-master/program/ to change directories to the program directory.

6. Run the following command to initiate the Nikto scan:

   $ ./nikto.pl -useragent “MyAgent (Demo/1.0)” -h http://www.example.com

While the attack is running, return to the Site Overview page in the Next-Gen WAF console and select the Overview dashboard from the dashboards menu. The Overview dashboard will display the attacks and anomalies within 30 seconds. Unlike in the previous test, you should see signals from a variety of attacks, not just attack tooling. This means modifying the User-Agent string worked and the IP address will eventually be flagged based on the various attacks.

Testing attack blocking

Next-Gen WAF lets you take a different approach to blocking compared to other products. Instead of being limited to blocking individual requests that match a particular signature, you can implement threshold-based blocking. With threshold-based blocking, we look for spikes in malicious traffic from a particular IP (aggregated across all of our agents) and flag that IP if it exceeds specific thresholds in a 1, 10, or 60 minute window. Once an IP is flagged, we block all malicious traffic from that IP. Traffic is blocked for a default 24 hours. You can use site alerts to adjust the thresholds and decrease the blocking time period. During the blocking time period, requests that don’t contain an attack will be allowed, preventing Signal Sciences from breaking normal traffic.

For the final test, enable blocking mode and use Nikto to demonstrate how to allow legitimate traffic to continue accessing the site while blocking malicious traffic from the same IP address. To perform this test, you will need to use a web browser that is on the same system you are running the scan from.

To run this test:

1. Log in to the Next-Gen WAF console.
2. From the Sites menu, select a site if you have more than one site.

3. Click on the agent mode indicator in the site navigation bar and click Manage.

4. Update the agent behavior to Blocking.

5. Click Update.

6. In a browser, access your website.

7. Using command prompt, enter cd nikto-master/program/ to change directories to the program directory.

8. Run the following command to initiate the Nikto scan:

   $ ./nikto.pl -useragent “MyAgent (Demo/1.0)” -D V -T 9 -h http://www.example.com

While the scan is running:

• use the browser window to navigate your site to confirm that legitimate user traffic is not blocked.
• observe from the command shell window that requests containing attacks are blocked with a 406 response code. An HTTP 406 is used so as to not trigger operational alarms as a 500 or 404 would. Additionally, by using a unique code like 406, you can customize the error message that the server returns.

Repeat the scan as many times as desired.

You can also manually verify blocking by visiting your site with a malicious payload (e.g., https://www.example.com/?q=<script>alert('xss')</script>).