CN-121727861-B - WAF defense capability test method and device based on protocol analysis difference
Abstract
The invention discloses a WAF defense capability test method and device based on protocol analysis difference, and relates to the technical field of network security. The method comprises constructing a protocol variation verification test case, generating a variant test message that contains non-standard protocol features and a verification payload, sending the variant test message to the back end through both a test link and a reference link, and comparing the response fingerprints with the expected results to determine precisely whether the WAF is in an interception-success, bypass, or repair-bypass state. The invention enables comprehensive and automated evaluation of a WAF's protocol-layer defense capability.
Inventors
- CHEN JUNXIAN
- CUI QIN
- Chang Mingzheng
- LEI YANG
- LIANG JIAMING
- ZHU WENLEI
- YANG KUN
- YU HUIYING
- LIU JINZHAO
- XU PENGZHI
Assignees
- 北京长亭科技有限公司
Dates
- Publication Date
- 20260505
- Application Date
- 20260211
Claims (10)
- 1. A WAF defense capability test method based on protocol analysis difference, characterized by comprising the following steps: constructing a protocol variation verification test case that encapsulates at least one protocol variation operator and a verification payload, wherein the verification payload comprises an attack instruction with a deterministic, predictable result; reconstructing the protocol-layer syntax of an original service request message through the protocol variation verification test case to generate a variant test message containing at least one non-standard protocol feature and the verification payload, and pre-computing the expected result of the verification payload; sending the variant test message to a back-end test server through a test link protected by a target WAF and through a reference link bypassing the target WAF, respectively; receiving response information from the test link and the reference link, extracting response fingerprints from the response information, and matching the expected result of the verification payload against the response fingerprints of the test link and the reference link respectively, so as to obtain matching comparison results for the two links; judging the validity of the sample from the matching comparison result of the reference link, and judging the defense state of the target WAF on the test link from the validity of the sample together with the matching comparison result of the test link.
- 2. The WAF defense capability test method based on protocol analysis difference according to claim 1, wherein reconstructing the protocol-layer syntax of the original service request message comprises one or more of the following: non-standard rewriting of the assignment syntax of key-value pairs in the original service request message; non-standard rewriting of the protocol version or request method in the request line of the original service request message; replacing the line-ending symbols of the paragraphs of the original service request message; injecting redundant data at the starting position of the request header or request body of the original service request message; constructing message fields with repeated or conflicting semantics in the original service request message.
- 3. The WAF defense capability test method based on protocol analysis difference according to claim 1, wherein the verification payload comprises one or more of the following attack instructions: an instruction that triggers command execution to produce an expected result by encoding a random string; an instruction that triggers SQL injection to produce an expected result by hashing a specific input; an instruction that triggers a file upload to produce a specific file fingerprint that can be retrieved by a subsequent associated request.
- 4. The method according to claim 1, wherein the reference link is configured to run the test in turn across a plurality of heterogeneous middleware environments, so as to determine the validity of the variant test message in the different middleware environments.
- 5. The WAF defense capability test method based on protocol analysis difference according to claim 1, further comprising: based on the judgment of the defense state of the target WAF, automatically identifying the protocol variation operation that caused the WAF defense failure and generating a WAF defense capability assessment report; the WAF defense capability assessment report comprises the reason the protocol variation operation caused the WAF defense failure, the network data packets containing all protocol variation operations and verification payloads, and evidence data of the WAF defense failure.
- 6. The WAF defense capability test method based on protocol analysis difference according to claim 1, wherein judging the validity of the sample from the matching comparison result of the reference link comprises: if the response fingerprint of the reference link does not match the expected result of the verification payload and the response fingerprint belongs to a protocol rejection diagnosis state, marking the variant test message as an environment-unsuitable sample; if the response fingerprint of the reference link does not match the expected result of the verification payload and the response fingerprint does not belong to a protocol rejection diagnosis state, marking the variant test message as a payload-semantics-impaired sample and removing it from subsequent judgment; and if the response fingerprint of the reference link matches the expected result of the verification payload, marking the variant test message as a valid sample.
- 7. The WAF defense capability test method based on protocol analysis difference according to claim 6, wherein judging the defense state of the target WAF on the test link from the validity of the sample and the matching comparison result of the test link comprises: if the variant test message is a valid sample and the response fingerprint of the test link does not match the expected result of the verification payload, judging that the target WAF is in an interception-success state; if the variant test message is a valid sample and the response fingerprint of the test link matches the expected result of the verification payload, judging that the target WAF is in a bypass state, and further: if the valid sample has been verified as valid on a reference link formed by at least two different types of heterogeneous middleware environment, judging the bypass state to be a universal protocol bypass state, and if the valid sample has been verified as valid only on a reference link formed by one type of heterogeneous middleware environment, judging the bypass state to be an environment-specific bypass state; if the variant test message is an environment-unsuitable sample and the response fingerprint of the test link matches the expected result of the verification payload, judging that the target WAF is in a repair-bypass state.
- 8. A WAF defense capability test apparatus based on protocol analysis difference, comprising: a test case construction module for constructing a protocol variation verification test case that encapsulates at least one protocol variation operator and a verification payload, wherein the verification payload comprises an attack instruction with a deterministic, predictable result; a protocol variation module for reconstructing the protocol-layer syntax of an original service request message through the protocol variation verification test case, generating a variant test message containing at least one non-standard protocol feature and the verification payload, and pre-computing the expected result of the verification payload; a differential detection module for sending the variant test message to a back-end test server through a test link protected by the target WAF and through a reference link bypassing the target WAF, respectively; a response matching and comparison module for receiving response information from the test link and the reference link, extracting response fingerprints from the response information, and matching the expected result of the verification payload against the response fingerprints of the test link and the reference link respectively to obtain matching comparison results for the two links; and a judging module for judging the validity of the sample from the matching comparison result of the reference link, and judging the defense state of the target WAF on the test link from the validity of the sample together with the matching comparison result of the test link.
- 9. The WAF defense capability test apparatus based on protocol analysis difference according to claim 8, wherein the judging module is further configured to: if the response fingerprint of the reference link does not match the expected result of the verification payload and the response fingerprint belongs to a protocol rejection diagnosis state, mark the variant test message as an environment-unsuitable sample; if the response fingerprint of the reference link does not match the expected result of the verification payload and the response fingerprint does not belong to a protocol rejection diagnosis state, mark the variant test message as a payload-semantics-impaired sample and remove it from subsequent judgment; and if the response fingerprint of the reference link matches the expected result of the verification payload, mark the variant test message as a valid sample.
- 10. The WAF defense capability test apparatus based on protocol analysis difference according to claim 9, wherein the judging module is further configured to: if the variant test message is a valid sample and the response fingerprint of the test link does not match the expected result of the verification payload, judge that the target WAF is in an interception-success state; if the variant test message is a valid sample and the response fingerprint of the test link matches the expected result of the verification payload, judge that the target WAF is in a bypass state, and further: if the valid sample has been verified as valid on a reference link formed by at least two different types of heterogeneous middleware environment, judge the bypass state to be a universal protocol bypass state, and if the valid sample has been verified as valid only on a reference link formed by one type of heterogeneous middleware environment, judge the bypass state to be an environment-specific bypass state; if the variant test message is an environment-unsuitable sample and the response fingerprint of the test link matches the expected result of the verification payload, judge that the target WAF is in a repair-bypass state.
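The decision logic of claims 6 and 7 (and its apparatus counterparts in claims 9 and 10) is easiest to follow as code. The Python below is an added illustration, not code from the patent or from the applicant; it models only the judging module, taking already-collected responses from the reference environments and the WAF-protected test link and returning the defense state. The attack instruction itself is not constructed: the verification payload is represented solely by its pre-computed expected result (a hash of a known input, as in claim 3) that must appear in the response body. The status codes treated as a "protocol rejection diagnosis", the rule that a multi-environment sample is environment-unsuitable only when every environment rejects it, the "inconclusive" outcome for an environment-unsuitable sample that does not execute behind the WAF, and all sample responses are assumptions made for this example; the patent does not specify them.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# Assumption of this example: a reference-link response counts as a "protocol
# rejection diagnosis" when the bare middleware refused to parse the request.
# The patent does not fix the set of codes; these are illustrative choices.
PROTOCOL_REJECTION_CODES = {400, 405, 411, 414, 431, 505}


@dataclass(frozen=True)
class Response:
    """Minimal view of an HTTP response: status code and decoded body."""
    status: int
    body: str


def expected_result(nonce: str) -> str:
    """Pre-compute the deterministic result of the verification payload.

    Modeled on claim 3: the payload makes the back end hash a known input, so
    the tester knows the exact string a genuine execution must produce.
    """
    return hashlib.sha256(nonce.encode()).hexdigest()


def fingerprint_matches(resp: Response, expected: str) -> bool:
    """Response-fingerprint matching: the payload executed only if the
    pre-computed result appears in the body. The status code alone is not
    trusted, for the reasons given in the Background section."""
    return expected in resp.body


def classify_sample(reference: dict[str, Response], expected: str) -> str:
    """Claim 6: sample validity from the reference link(s).

    `reference` maps each heterogeneous middleware environment (claim 4) to
    its response. Assumption: with several environments, the sample is
    environment-unsuitable only if every environment rejected the protocol;
    if at least one parsed it and none triggered, the payload itself is at
    fault (payload-semantics-impaired).
    """
    if any(fingerprint_matches(r, expected) for r in reference.values()):
        return "valid"
    if all(r.status in PROTOCOL_REJECTION_CODES for r in reference.values()):
        return "environment_unsuitable"
    return "payload_semantics_impaired"  # removed from subsequent judgement


def judge_waf(reference: dict[str, Response], test: Response, expected: str) -> str:
    """Claim 7: defense state of the target WAF on the test link."""
    validity = classify_sample(reference, expected)
    executed_behind_waf = fingerprint_matches(test, expected)

    if validity == "payload_semantics_impaired":
        return "discarded"
    if validity == "environment_unsuitable":
        # No bare middleware could run the payload, yet it ran behind the WAF:
        # the WAF normalised the malformed message into an executable one.
        # "inconclusive" for the non-matching case is this example's choice;
        # the claim is silent about it.
        return "repair_bypass" if executed_behind_waf else "inconclusive"
    if not executed_behind_waf:
        return "interception_success"
    triggered = [env for env, r in reference.items() if fingerprint_matches(r, expected)]
    if len(triggered) >= 2:
        return "universal_protocol_bypass"
    return "environment_dependent_bypass"


def demo() -> dict[str, str]:
    """Run the judgement over constructed responses (not captured traffic)."""
    expected = expected_result("constructed-nonce-0001")
    hit = Response(200, f"<html>result={expected}</html>")
    miss = Response(200, "<html>ok</html>")
    reject = Response(400, "Bad Request")
    blocked = Response(403, "Request blocked by WAF")
    scenarios = {
        "intercepted": ({"nginx": hit, "apache": hit}, blocked),
        "universal_bypass": ({"nginx": hit, "apache": hit}, hit),
        "env_dependent_bypass": ({"nginx": hit, "apache": reject}, hit),
        "repair_bypass": ({"nginx": reject, "apache": reject}, hit),
        "broken_payload": ({"nginx": miss, "apache": reject}, hit),
    }
    return {name: judge_waf(ref, test, expected) for name, (ref, test) in scenarios.items()}


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:22s} -> {state}")
```

The point the patent makes about status codes is visible in `fingerprint_matches`: a 200 from the test link proves nothing on its own, and a 403 is not needed to conclude interception; only the presence or absence of the pre-computed result decides. Separating `classify_sample` from `judge_waf` mirrors the two-stage judgment: the reference link first decides whether the sample is even capable of proving anything, and only then is the WAF's behaviour interpreted.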
Description
Technical Field
The invention relates to the technical field of network security, and in particular to a WAF defense capability test method and device based on protocol analysis difference.
Background
With the rapid development of Internet technology, attacks on Web applications are increasingly complex and variable. Web Application Firewalls (WAFs), widely deployed at the network boundary as the first line of defense for back-end servers, identify and intercept malicious requests by parsing HTTP/HTTPS traffic and applying preset rules or models. At present, verification of WAF defense effectiveness relies mainly on two techniques: black-box testing with vulnerability scanners such as Xray and AWVS, which send attack payloads to the WAF-protected target and observe whether the payloads are intercepted or whether the vulnerability is still detected; and fuzz testing of specific attack payloads, which applies character-level mutations such as URL encoding, base64 encoding and case transformation to test the WAF's ability to recognize obfuscated attacks. The prior art has significant limitations. First, the testing dimension concentrates on variation of the attack payload content and largely ignores the differences that can arise at the level of HTTP protocol encapsulation and parsing. The HTTP standard is complex, and different Web servers implement different fault-tolerance behaviour for non-standard or ambiguous messages in their parsing logic.
If the parsing logic of the WAF's protocol analysis engine is inconsistent with that of the back-end server, an attacker can construct a bypass message that the WAF cannot recognize but that the server parses and executes successfully, merely by slightly altering a protocol header, a boundary marker or the version number; existing tools lack the capability to detect such protocol-layer semantic inconsistency. Second, most existing verification methods are one-way packet-sending checks that rely heavily on the HTTP status code as the criterion for whether a request was intercepted. In complex scenarios the status code is deceptive: it cannot distinguish a false bypass, in which the WAF passes the request but the server's parser fails on it, from a true bypass in which execution is actually triggered, and it is even harder to attribute correctly the new security risks introduced when a WAF normalizes or cleans messages for performance or protocol standardization. Finally, the traditional single-link test mode cannot tell whether an attack failed because the WAF defense was effective or because the test sample was incompatible with the environment, so the signal-to-noise ratio of the test results is low and bypass vulnerabilities that depend on a specific middleware environment are difficult to find. In summary, existing WAF verification technology has systematic defects in protocol-layer testing, attribution accuracy, environmental coverage and risk identification, and cannot meet the requirements of automated, systematic and precise evaluation of modern WAF defense capability.
Disclosure of Invention
In view of the above drawbacks and shortcomings of the prior art, the present invention provides a method and an apparatus for testing WAF defense capability based on protocol parsing difference. By automatically generating a large number of test requests that are subtly malformed at the protocol level but carry malicious code, and sending them respectively to a test server protected by the WAF and to a directly exposed test server for differential comparison of the responses, it can be determined precisely whether the WAF has a security weakness caused by protocol parsing logic that is inconsistent with the back-end server, and whether the WAF itself can facilitate an attack by repairing malformed messages. The invention can uncover deep security risks that were previously hard to detect and enables a comprehensive assessment of WAF defense capability. The invention provides a WAF defense capability test method based on protocol analysis difference, which comprises the following steps: constructing a protocol variation verification test case that encapsulates at least one protocol variation operator and a verification payload, wherein the verification payload comprises an attack instruction with a deterministic, predictable result; reconstructing the protocol-layer syntax of an original service request message through the protocol variation verification test case to generate a variant test message containing at least one non-standard protocol feature and the verification payload, and pre-computing the expected result of the verif