In recent years, the concept of a third-party, firewall-like layer of protection for web applications has been gaining traction in the data center. Today, these so-called web application firewalls (WAFs) and database firewalls are sold by many vendors, all promising to catch malicious input before it reaches the web application behind them. While this promise looks good in a high-level whitepaper, the reality can turn out quite different: WAFs are a catch-all; since they are not tailored to each and every web application’s particular set of input constraints, the “protection” they offer is limited to common attack strings. Tailoring a WAF’s input protection against a attacks against specific web applications quickly escalates into a cat-and-mouse game of updating signatures and renewing WAF licensing. Worse, WAFs often carry their own vulnerabilities, thus increasing a hacker’s attack surface.
For the information security professional trying to audit the web application, bypassing the WAF to reach the application represents an additional burden. If one can remove this burden in an automated way, then the process of auditing a web application becomes much more straightforward.
Recently, I became involved with an OWASP project aiming to do just that. Our Python-based tool, Bywaf, has been patterned after and works much like Metasploit, with a command interpreter (the “Wafterpreter”) and plugins that provide most of Bywaf’s functionality.
Here’s what I like particularly about this project:
- It’s user-friendly, with tab-completion ;
- The core interpreter is small, at under a thousand lines, but already includes lots of functionality for both the user and the plugin developer;
- The architecture of the frameworks makes extending the interpreter and writing plugins a simple and quick;
- It’s compatible with Python2 and Python3; and
- It’s adheres to the Python Style Guide described in PEP-8.
With momentum around this project growing, Bywaf has a lot of things going for it. We expect our first release shortly, and are actively seeking volunteers to help with plugin development. The project’s code repository and documentation can be found at https://github.com/depasonico/bywaf-owasp
Shameless plug: I am also seeking developmental assistance with my own scripts for parsing, querying and making OpenOffice tables from Nessus and NMap results. These have seen development for many years now, and are quite mature. They are located here: https://github.com/roeyk/nessus-report and https://github.com/roeyk/nmap-report, respectively.