
github.com/wallarm/gotestwaf @v0.5.8 sqlite

repository · DeepWiki · release v0.5.8
502 symbols 1,467 edges 103 files 127 documented · 25%
README

GoTestWAF Black Hat Arsenal USA 2022

GoTestWAF is a tool for API and OWASP attack simulation that supports a wide range of API protocols including REST, GraphQL, gRPC, SOAP, XMLRPC, and others.

It was designed to evaluate web application security solutions, such as API security proxies, Web Application Firewalls, IPS, API gateways, and others.



How it works

GoTestWAF generates malicious requests using encoded payloads placed in different parts of HTTP requests: its body, headers, URL parameters, etc. Generated requests are sent to the application security solution URL specified during GoTestWAF launch. The results of the security solution evaluation are recorded in the report file created on your machine.

The default rules for request generation are defined in the YAML files in the testcases folder, which have the following format:

```yaml
payload:
  - '"union select -7431.1, name, @aaa from u_base--w-'
  - "'or 123.22=123.22"
  - "' waitfor delay '00:00:10'--"
  - "')) or pg_sleep(5)--"
encoder:
  - Base64Flat
  - URL
placeholder:
  - UrlPath
  - UrlParam
  - JSUnicode
  - Header
type: SQL Injection
```

  • payload is a malicious attack sample (e.g. an XSS payload such as <script>alert(111)</script>, or something more sophisticated). Since payloads must be valid YAML strings, they must be encoded as binary data.

  • encoder is the encoder applied to the payload before it is placed into the HTTP request. Possible encoders are:

    • Base64
    • Base64Flat
    • JSUnicode
    • URL
    • Plain (to keep the payload string as-is)
    • XML Entity
  • placeholder is the location inside the HTTP request where the encoded payload is inserted. Possible placeholders are:

    • gRPC
    • Header
    • UserAgent
    • RequestBody
    • JSONRequest
    • JSONBody
    • HTMLForm
    • HTMLMultipartForm
    • SOAPBody
    • XMLBody
    • URLParam
    • URLPath
    • RawRequest

    The RawRequest placeholder lets you send an arbitrary HTTP request. The payload is inserted by replacing the string {{payload}} wherever it appears in the URL path, headers or body. Fields of the RawRequest placeholder:

    • method
    • path
    • headers
    • body

    Required fields for RawRequest placeholder:

    • method field

    Example:

    ```yaml
    payload:
      - test
    encoder:
      - Plain
    placeholder:
      - RawRequest:
          method: "POST"
          path: "/"
          headers:
            Content-Type: "multipart/form-data; boundary=boundary"
          body: |
            --boundary
            Content-disposition: form-data; name="field1"

            Test
            --boundary
            Content-disposition: form-data; name="field2"
            Content-Type: text/plain; charset=utf-7

            Knock knock.
            {{payload}}
            --boundary--

    type: RawRequest test
    ```

  • type is the name of the whole group of payloads in the file. It can be arbitrary, but should reflect the type of attacks in the file.

Request generation is a three-step process: the number of payloads is multiplied by the number of encoders and then by the number of placeholders. Say you defined 2 payloads, 3 encoders (Base64, JSUnicode and URL) and 1 placeholder (URLParameter, an HTTP GET parameter). In that case GoTestWAF will send 2x3x1 = 6 requests for the test case.
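As an added example (not code from the GoTestWAF project), the following Go program models the test case format described above and the payload x encoder x placeholder expansion from this paragraph. The struct types, the encoder implementations (assumed approximations of Base64, URL and JSUnicode; the project's own encoders may differ in detail), the query parameter name `param`, the base URL `http://127.0.0.1:8080/` and the shortened multipart template are this example's assumptions; the payloads are two of the README's own SQL injection samples. It goes beyond the README's 2x3x1 case by using two placeholders (UrlParam and the RawRequest template), so the expansion yields 2x3x2 = 12 requests; restricting the case to its first placeholder gives the 6 from the text.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Placeholder names where the encoded payload goes; Method, Path, Headers and
// Body are the RawRequest fields and are read only when Name is "RawRequest".
type Placeholder struct {
	Name, Method, Path, Body string
	Headers                  map[string]string
}

// TestCase mirrors the lists of a GoTestWAF YAML test case as a Go literal
// (a constructed model, not the project's own types, so no YAML library is needed).
type TestCase struct {
	Payloads, Encoders []string
	Placeholders       []Placeholder
}

// encode applies one encoder by name. These encodings approximate the README's
// encoder names and are not copied from the project's code.
func encode(name, payload string) (string, error) {
	switch name {
	case "Plain":
		return payload, nil
	case "Base64":
		return base64.StdEncoding.EncodeToString([]byte(payload)), nil
	case "URL":
		return url.QueryEscape(payload), nil
	case "JSUnicode": // every rune as a JavaScript \uXXXX escape
		var sb strings.Builder
		for _, r := range payload {
			fmt.Fprintf(&sb, "\\u%04x", r)
		}
		return sb.String(), nil
	}
	return "", fmt.Errorf("unknown encoder %q", name)
}

// place builds the request that carries the encoded payload at the placeholder's
// location. The query parameter name "param" is an arbitrary choice for this example.
func place(ph Placeholder, base, encoded string) (*http.Request, error) {
	switch ph.Name {
	case "UrlParam": // the encoder, not the placeholder, makes the value URL-safe
		return http.NewRequest(http.MethodGet, base+"?param="+encoded, nil)
	case "RawRequest": // method is the only required field
		if ph.Method == "" {
			return nil, fmt.Errorf("RawRequest placeholder needs the method field")
		}
		sub := func(s string) string { return strings.ReplaceAll(s, "{{payload}}", encoded) }
		req, err := http.NewRequest(ph.Method, strings.TrimSuffix(base, "/")+sub(ph.Path), strings.NewReader(sub(ph.Body)))
		if err != nil {
			return nil, err
		}
		for k, v := range ph.Headers {
			req.Header.Set(k, sub(v))
		}
		return req, nil
	}
	return nil, fmt.Errorf("unknown placeholder %q", ph.Name)
}

// expand yields one request per (payload, encoder, placeholder) triple, so a
// case with P payloads, E encoders and H placeholders produces P*E*H requests.
func expand(tc TestCase, base string) ([]*http.Request, error) {
	var reqs []*http.Request
	for _, p := range tc.Payloads {
		for _, e := range tc.Encoders {
			enc, err := encode(e, p)
			if err != nil {
				return nil, err
			}
			for _, ph := range tc.Placeholders {
				req, err := place(ph, base, enc)
				if err != nil {
					return nil, err
				}
				reqs = append(reqs, req)
			}
		}
	}
	return reqs, nil
}

// exampleCase: two of the README's SQL injection samples, its three encoders and
// two placeholders (constructed input; the RawRequest template is a shortened
// form of the README's multipart example).
var exampleCase = TestCase{
	Payloads: []string{"'or 123.22=123.22", "' waitfor delay '00:00:10'--"},
	Encoders: []string{"Base64", "JSUnicode", "URL"},
	Placeholders: []Placeholder{
		{Name: "UrlParam"},
		{Name: "RawRequest", Method: "POST", Path: "/",
			Headers: map[string]string{"Content-Type": "multipart/form-data; boundary=boundary"},
			Body:    "--boundary\r\nContent-disposition: form-data; name=\"field2\"\r\n\r\nKnock knock.\r\n{{payload}}\r\n--boundary--\r\n"},
	},
}
```

Calling `expand(exampleCase, "http://127.0.0.1:8080/")` returns the 12 generated `*http.Request` values in payload, encoder, placeholder order without sending them, which is convenient for inspecting exactly what a WAF under evaluation would receive; the UrlParam branch deliberately does no escaping of its own, which is why the URL encoder exists as a separate step in the test case.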

When launching GoTestWAF, you can choose between the two embedded test case sets (OWASP Top-10 and OWASP-API) or use your own (via the configuration option testCasePath).

Requirements

  • GoTestWAF supports all the popular operating systems (Linux, Windows, macOS) and can be built natively if Go is installed on the system. If you want to run GoTestWAF natively, make sure you have the Chrome web browser installed so that PDF reports can be generated. If you don't have Chrome, you can create the report in HTML format instead.
  • If running GoTestWAF as a Docker container, make sure Docker is installed and configured, and that GoTestWAF and the evaluated application security solution are connected to the same Docker network.
  • For GoTestWAF to be successfully started, please ensure the IP address of the machine running GoTestWAF is whitelisted on the machine running the application security solution.

Quick start with Docker

The steps below walk through downloading and starting GoTestWAF with minimal configuration on Docker.

  1. Pull the GoTestWAF image from Docker Hub:

    ```sh
    docker pull wallarm/gotestwaf
    ```

  2. Start the GoTestWAF image:

    ```sh
    docker run --rm --network="host" -it -v ${PWD}/reports:/app/reports \
        wallarm/gotestwaf --url=<EVALUATED_SECURITY_SOLUTION_URL>
    ```

    If required, you can replace ${PWD}/reports with the path to another folder used to place the evaluation report.

    If you don't want to email the report, just press Enter when the email prompt appears, or pass --noEmailReport to skip the prompt altogether:

    ```sh
    docker run --rm --network="host" -v ${PWD}/reports:/app/reports \
        wallarm/gotestwaf --url=<EVALUATED_SECURITY_SOLUTION_URL> --noEmailReport
    ```

    If the evaluated security tool is reachable externally, you can omit the option --network="host". That option is what lets the container interact with Docker containers and services listening on 127.0.0.1.

    To run the gRPC tests you must have a working gRPC endpoint and pass the --grpcPort CLI option:

    ```sh
    docker run --rm --network="host" -it -v ${PWD}/reports:/app/reports \
        wallarm/gotestwaf --grpcPort 9000 --url=http://my.grpc.endpoint
    ```

  3. Check your email for the report.

You have successfully evaluated your application security solution by using GoTestWAF with minimal configuration. To learn advanced configuration options, please use this link.

Checking the evaluation results

Check the evaluation results that GoTestWAF logs to STDOUT and STDERR. For example:

```
INFO[0000] GoTestWAF started version=v0.5.6-7-g48e6959
INFO[0000] Test cases loading started
INFO[0000] Test cases loading finished
INFO[0000] Test cases fingerprint fp=c6d14d6138601d19d215bb97806bcda3
INFO[0000] Try to identify WAF solution
INFO[0000] WAF was not identified
INFO[0000] gohttp is used as an HTTP client to make requests http_client=gohttp
INFO[0000] WAF pre-check url="http://host.docker.internal:8080"
INFO[0000] WAF pre-check blocked=true code=403 status=done
INFO[0000] gRPC pre-check status=started
INFO[0000] gRPC pre-check connection="not available" status=done
INFO[0000] GraphQL pre-check status=started
INFO[0000] GraphQL pre-check connection="not available" status=done
INFO[0000] Scanning started url="http://host.docker.internal:8080"
INFO[0005] Scanning finished duration=5.422700876s
```

True-Positive Tests:

| TEST SET | TEST CASE | PERCENTAGE, % | BLOCKED | BYPASSED | UNRESOLVED | SENT | FAILED |
|----------|-----------|---------------|---------|----------|------------|------|--------|
| community | community-128kb-rce | 0.00 | 0 | 0 | 1 | 1 | 0 |
| community | community-128kb-sqli | 0.00 | 0 | 0 | 1 | 1 | 0 |
| community | community-128kb-xss | 0.00 | 0 | 0 | 1 | 1 | 0 |
| community | community-16kb-rce | 100.00 | 1 | 0 | 0 | 1 | 0 |
| community | community-16kb-sqli | 100.00 | 1 | 0 | 0 | 1 | 0 |
| community | community-16kb-xss | 100.00 | 1 | 0 | 0 | 1 | 0 |
| community | community-32kb-rce | 100.00 | 1 | 0 | 0 | 1 | 0 |
| community | community-32kb-sqli | 100.00 | 1 | 0 | 0 | 1 | 0 |
| community | community-32kb-xss | 100.00 | 1 | 0 | 0 | 1 | 0 |
| community | community-64kb-rce | 100.00 | 1 | 0 | 0 | 1 | 0 |
| community | community-64kb-sqli | 100.00 | 1 | 0 | 0 | 1 | 0 |
| community | community-64kb-xss | 100.00 | 1 | 0 | 0 | 1 | 0 |
| community | community-8kb-rce | 100.00 | 1 | 0 | 0 | 1 | 0 |
| community | community-8kb-sqli | 100.00 | 1 | 0 | 0 | 1 | 0 |
| community | community-8kb-xss | 100.00 | 1 | 0 | 0 | 1 | 0 |
| community | community-lfi | 100.00 | 8 | 0 | 0 | 8 | 0 |
| community | community-lfi-multipart | 0.00 | 0 | 0 | 2 | 2 | 0 |
| community | community-rce | 50.00 | 2 | 2 | 0 | 4 | 0 |
| community | community-rce-rawrequests | 100.00 | 3 | 0 | 0 | 3 | 0 |
| community | community-sqli | 100.00 | 12 | 0 | 0 | 12 | 0 |
| community | community-user-agent | 66.67 | 6 | 3 | 0 | 9 | 0 |
| community | community-xss | 88.46 | 92 | 12 | 0 | 104 | 0 |
| community | community-xxe | 0.00 | 0 | 1 | 1 | 2 | 0 |
| owasp | crlf | 85.71 | 6 | 1 | 0 | 7 | 0 |
| owasp | ldap-injection | 8.33 | 2 | 22 | 0 | 24 | 0 |
| owasp | mail-injection | 12.50 | 3 | 21 | 0 | 24 | 0 |
| owasp | nosql-injection | 24.00 | 12 | 38 | 0 | 50 | 0 |
| owasp | path-traversal | 30.00 | 6 | 14 | 0 | 20 | 0 |
| owasp | rce | 33.33 | 2 | 4 | 0 | 6 | 0 |
| owasp | rce-urlparam | 33.33 | 3 | 6 | 0 | 9 | 0 |
| owasp | rce-urlpath | 0.00 | 0 | 3 | 0 | 3 | 0 |
| owasp | shell-injection | 18.75 | 6 | 26 | 0 | 32 | 0 |
| owasp | sql-injection | 29.17 | 14 | 34 | 0 | | |

Extension points exported contracts — how you extend this code

Placeholder (Interface)
(no doc) [14 implementers]
internal/payload/placeholder/placeholder.go
Hash (Interface)
(no doc) [4 implementers]
internal/helpers/hash.go
Request (Interface)
Request interface represents either GoHTTPRequest or ChromeDPTasks. [2 implementers]
internal/scanner/types/request.go
Integer (Interface)
(no doc)
internal/db/helpers.go
Encoder (Interface)
(no doc) [5 implementers]
internal/payload/encoder/encoder.go
Response (Interface)
Response interface contains general methods for retrieving response info. [2 implementers]
internal/scanner/types/response.go
Float (Interface)
(no doc)
internal/db/helpers.go
PlaceholderConfig (Interface)
(no doc)
internal/payload/placeholder/placeholder.go

Core symbols most depended-on inside this repo

String
called by 48
internal/scanner/types/clients.go
Close
called by 32
internal/scanner/clients/clients.go
CheckContent
called by 16
internal/scanner/waf_detector/detectors/checks.go
GetName
called by 15
internal/payload/encoder/encoder.go
getGrade
called by 15
internal/report/html.go
computeGrade
called by 15
internal/report/html.go
CheckCookie
called by 13
internal/scanner/waf_detector/detectors/checks.go
CalculatePercentage
called by 13
internal/db/helpers.go

Shape

Method 204
Function 189
Struct 86
Interface 15
TypeAlias 5
FuncType 3

Languages

Go 100%

Modules by API surface

internal/scanner/scanner.go · 19 symbols
internal/scanner/types/response.go · 18 symbols
internal/payload/placeholder/grpc/service.pb.go · 18 symbols
internal/db/statistics.go · 16 symbols
internal/payload/placeholder/grpc/service_grpc.pb.go · 15 symbols
internal/db/statistics_test.go · 15 symbols
internal/scanner/clients/clients.go · 12 symbols
tests/integration/waf/placeholder.go · 11 symbols
tests/integration/config/config.go · 10 symbols
internal/report/json.go · 10 symbols
pkg/report/validator.go · 9 symbols
internal/scanner/waf_detector/detectors/checks.go · 9 symbols

Dependencies from manifests, versioned

github.com/chromedp/cdproto v0.0.0-2025070621232 · 1×
github.com/chromedp/sysutil v1.1.0 · 1×
github.com/clbanning/mxj v1.8.4 · 1×
github.com/fsnotify/fsnotify v1.9.0 · 1×
github.com/gabriel-vasile/mimetype v1.4.9 · 1×
github.com/go-json-experiment/json v0.0.0-2025062617173 · 1×
github.com/go-openapi/jsonpointer v0.21.1 · 1×
github.com/go-openapi/swag v0.23.1 · 1×

For agents

```sh
$ claude mcp add gotestwaf \
  -- python -m otcore.mcp_server <graph>
```
