概述

WAF Rule Validator Skill

Purpose

WAF Rule Validator 是一个用于评估 Web 应用安全解决方案（WAF、API 网关、IPS）的工具。它通过生成恶意请求来测试安全防护规则的有效性，支持 REST、GraphQL、gRPC、SOAP、XMLRPC 等多种 API 协议。

When to Activate

When user needs to test WAF rule effectiveness
When running security validation against web application firewalls
When evaluating API gateway security protections
When performing penetration testing on WAF deployments
When benchmarking WAF block rate performance

Features

Multi-protocol support: REST, GraphQL, gRPC, SOAP, XMLRPC
Multiple encoding methods: Base64, URL, JSUnicode, Plain, XML Entity
Multiple injection points: URL path, URL params, headers, body, JSON, HTML form
OpenAPI integration: Generate request templates from OpenAPI specs
Automatic WAF detection: Identifies Akamai, F5, Imperva, ModSecurity and more
Multiple report formats: PDF, HTML, JSON, DOCX assessment reports

Workflow

Build

Build the Go binary:

```bash

make gotestwaf_bin

# or

go build -o gotestwaf ./cmd/gotestwaf

```

Basic Scanning

Run a basic scan against target:

```bash

./gotestwaf --url=http://target-url --noEmailReport

```

Advanced Usage

For specific protocols or configurations:

gRPC testing: --grpcPort 9000
OpenAPI: --openapiFile api.yaml
Custom test cases: --testCasesPath ./custom-testcases

Analyze Results

Review the generated report in reports/ directory

Test Case Format

Test cases are defined in YAML:

payload:
  - "malicious string 1"
  - "malicious string 2"
encoder:
  - Base64Flat
  - URL
placeholder:
  - URLPath
  - JSONRequest
type: SQL Injection

Each file generates len(payload) × len(encoder) × len(placeholder) test requests.

Supported Encoders

Encoder	Description
---------	-------------
Base64	Base64 encoding
Base64Flat	Base64 without padding
URL	URL encoding
JSUnicode	JavaScript Unicode encoding
Plain	No encoding
XML Entity	XML entity encoding

Supported Placeholders

Placeholder	Description
-------------	-------------
URLPath	URL path
URLParam	URL parameter
Header	HTTP header
UserAgent	User-Agent header
RequestBody	Request body
JSONBody	JSON request body
JSONRequest	JSON request
HTMLForm	HTML form
HTMLMultipartForm	Multipart form
SOAPBody	SOAP message body
XMLBody	XML request body
gRPC	gRPC request
GraphQL	GraphQL request
RawRequest	Raw HTTP request

Configuration Options

--url string              Target URL (required)
--grpcPort uint16         gRPC port
--graphqlURL string       GraphQL URL
--openapiFile string      OpenAPI spec file path
--testCasesPath string    Test cases directory (default: "testcases")
--testCase string         Run only specified test case
--testSet string          Run only specified test set
--httpClient string       HTTP client type: chrome, gohttp (default: "gohttp")
--workers int             Concurrent workers (default: 5)
--blockStatusCodes ints   HTTP status codes for blocked requests (default: [403])
--passStatusCodes ints    HTTP status codes for passed requests (default: [200,404])
--blockRegex string       Regex to identify blocked responses
--passRegex string        Regex to identify passed responses
--reportFormat strings    Report format: none, json, html, pdf, docx (default: [pdf])
--reportPath string       Report output directory (default: "reports")
--reportName string       Report filename
--noEmailReport           Save report locally instead of sending email
--wafName string          WAF product name (default: "generic")
--skipWAFIdentification   Skip WAF detection
--version                 Show version information

Examples

Basic scan

./gotestwaf --url=http://localhost:8080 --noEmailReport

gRPC testing

./gotestwaf --url=http://localhost --grpcPort 9000 --noEmailReport

OpenAPI driven testing

./gotestwaf --url=http://api.example.com --openapiFile ./api.yaml --noEmailReport

Docker usage

docker pull wallarm/gotestwaf
docker run --rm --network="host" -v ${PWD}/reports:/app/reports \
    wallarm/gotestwaf --url=http://target-url --noEmailReport

Requirements

Go 1.24+
Chrome browser (optional, for PDF report generation)

Project Structure

.
├── cmd/gotestwaf/          # Main entry point
├── internal/
│   ├── config/             # Configuration management
│   ├── db/                 # Test case database
│   ├── payload/            # Payload encoding
│   │   ├── encoder/        # Encoder implementations
│   │   └── placeholder/    # Placeholder implementations
│   ├── scanner/            # Scanning logic and clients
│   ├── openapi/            # OpenAPI parser
│   └── report/             # Report generation
├── pkg/                    # Exported packages
├── testcases/              # Default test cases
└── tests/integration/      # Integration tests

Notes

This project is based on GoTestWAF from Wallarm
Test cases in testcases/owasp/ are true-positive (should be blocked)
Test cases in testcases/false-pos/ are true-negative (should pass)
Reports are saved to reports/ directory by default

License

MIT License - based on the original GoTestWAF project.

版本历史

共 1 个版本

v1.0.4 Initial release 当前

2026-04-04 22:47 安全安全

安全检测

腾讯云安全 (Keen)

安全，无风险

查看报告

腾讯云安全 (Sanbu)