ftw v1.2.0 releases: Framework for Testing WAFs

Framework for Testing WAFs (FTW)


This project was created by researchers from ModSecurity and Fastly to help provide rigorous tests for WAF rules. It uses the OWASP Core Ruleset V3 as a baseline to test rules on a WAF. Each rule from the ruleset is loaded into a YAML file that describes the HTTP requests that will trigger the rule. After the tests are issued, users can verify that the rule executed and that the expected response to the attack was received.

Goals / Use cases include:

  • Find regressions in WAF deployments by using continuous integration and issuing repeatable attacks to a WAF
  • Provide a testing framework for new rules into ModSecurity; if a rule is submitted, it MUST have corresponding positive & negative tests
  • Evaluate WAFs against a common, agreeable baseline ruleset (OWASP)
  • Test and verify custom rules for WAFs that are not part of the core rule set
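
The positive-and-negative requirement above can be enforced in continuous integration before any request is sent. The following is an added example, not code from the FTW project: it takes test cases shaped the way a YAML loader would return them and reports rules that lack either kind of test. The field names (test_title, stages, stage, output, log_contains, no_log_contains, status), the "<rule id>-<number>" title convention, the 403 block status and the rule IDs are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: test cases as dicts, shaped the way a YAML loader
# would return them. Field names, rule IDs and the 403 block status are
# assumptions for this example, not taken from the FTW project.
SAMPLE_TESTS = [
    {"test_title": "100001-1", "stages": [{"stage": {
        "input": {"method": "GET", "uri": "/"},
        "output": {"no_log_contains": 'id "100001"'}}}]},
    {"test_title": "100001-2", "stages": [{"stage": {
        "input": {"method": "GET", "uri": "/constructed-trigger"},
        "output": {"log_contains": 'id "100001"'}}}]},
    {"test_title": "100002-1", "stages": [{"stage": {
        "input": {"method": "GET", "uri": "/constructed-trigger"},
        "output": {"status": 403}}}]},
    {"test_title": "my custom check", "stages": []},
]

TITLE_RE = re.compile(r"^(?P<rule>\d+)-\d+$")  # "<rule id>-<test number>"
BOTH = {"positive", "negative"}

def polarity(test):
    """Classify a test by what its final stage expects from the WAF."""
    stages = test.get("stages") or []
    if not stages:
        return None
    out = stages[-1].get("stage", {}).get("output", {})
    status = out.get("status")
    statuses = set(status if isinstance(status, list) else [status]) - {None}
    if "log_contains" in out or statuses == {403}:
        return "positive"   # the rule is expected to fire
    if "no_log_contains" in out or (statuses and 403 not in statuses):
        return "negative"   # the rule is expected to stay silent
    return None             # ambiguous (e.g. status [200, 403]) or no check

def coverage_gaps(tests):
    """Return ({rule: [missing kinds]}, [titles that could not be classified])."""
    seen, unclassified = defaultdict(set), []
    for t in tests:
        m = TITLE_RE.match(str(t.get("test_title", "")))
        kind = polarity(t)
        if m and kind:
            seen[m["rule"]].add(kind)
        else:
            unclassified.append(t.get("test_title"))
    gaps = {r: sorted(BOTH - k) for r, k in seen.items() if k != BOTH}
    return gaps, unclassified

if __name__ == "__main__":
    print(coverage_gaps(SAMPLE_TESTS))
```

A CI job would fail the build when either returned collection is non-empty, so a rule cannot be merged with only a "blocks the attack" test and no "allows benign traffic" counterpart.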

This project, jointly developed by the OWASP Core Rule Set community along with security researchers from Fastly, was designed to extend far beyond regression testing for OWASP CRS. The following are just some of the design criteria for this project:

  • Support the creation of HTTP requests both compliant with the HTTP specification and non-compliant with it
  • Be modular enough that any WAF could easily be tested
  • Be able to pass malicious requests that often violate HTTP spec
  • Be user-friendly and easy to write test cases
  • Provide a programmatic interface for more advanced test cases
  • Use an existing heavily used scripting language
  • Use existing libraries and code where possible
  • Serve as a regression testing framework for the OWASP CRS 3.0
  • Provide the capability to run tests against other WAFs to compare the effectiveness
  • Provide modular support for logging endpoints
  • Build a continuous integration platform to insert security and regression testing behind deploying a WAF


git clone https://github.com/CRS-support/ftw.git
cd ftw
virtualenv env && source ./env/bin/activate
pip install -r requirements.txt
py.test -s -v test/test_default.py --ruledir=test/yaml

Provisioning Apache+Modsecurity+OWASP CRS

If you require an environment for testing WAF rules, one has been created with Apache, ModSecurity and version 3.0.0 of the OWASP Core Rule Set. It can be deployed by:

  • Checking out the repository: git clone https://github.com/fastly/waf_testbed.git
  • Typing vagrant up


Copyright 2016 Chaim Sanders

Source: https://github.com/CRS-support/

Anastasis Vasileiadis
