WAF RULE TESTING (LOCAL FILE INCLUSION VULNERABILITY)

In this post, we test the Local File Inclusion (LFI) vulnerability of a deliberately vulnerable application against the OWASP CRS and the CWAF Ruleset 1.127 (latest version).

Test Scenarios

1. Testing the LFI attack with the OWASP CRS

Include the OWASP CRS in the Apache config:
Filename: REQUEST-930-APPLICATION-ATTACK-LFI
PARANOIA_LEVEL: 1
Rule IDs: 930100, 930110, 930120, 930130

Test the following payloads on the xvwa vulnerable application for a Local File Inclusion (LFI) attack.

  /var/mail/www-data
  /etc/network/* i.e /etc/network/interfaces
  /etc/init/* i.e /etc/init/anacron.conf

As a result, the OWASP CRS failed to block the user from accessing the sensitive paths and files listed above, but it blocks almost every other major LFI attack. Check the demo video for a clearer understanding.

2. Testing the LFI attack with the CWAF Ruleset

Include the CWAF ruleset in the Apache config:

Test the following payloads on the xvwa vulnerable application for a Local File Inclusion (LFI) attack.

  /var/mail/www-data
  /usr/share/apache2/* i.e /usr/share/apache2/build/config.nice
  /usr/share/php5/mysql/mysql.ini

As a result, CWAF failed to block the user from accessing the sensitive paths and files listed above, but it blocks all other LFI attacks on the application, and it shows false positives (FP) on LFI payloads. Check the demo video for a clearer understanding.
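To make the blocked / not-blocked result of both scenarios reproducible rather than something read off a demo video, the following script (an added example, not code from the original post or from the CRS or CWAF projects) correlates each test payload with the ModSecurity error-log lines written while it was sent and lists the payloads that produced no LFI rule hit at all. Both rule sets run on ModSecurity, so the same parser serves scenario 1 and scenario 2; the rule-id set defaults to the CRS REQUEST-930 ids named above and is a parameter for the CWAF run. The log lines, the rule file path under /etc/modsecurity/crs/, the request URI /xvwa/fi/ and the traversal control payload are constructed for the example, not captured from the author's lab.

```python
"""Correlate LFI test payloads with ModSecurity error-log lines.

Added example, not code from the original post. ModSecurity records every
rule hit as bracketed fields ([id "930120"], [msg "..."], [data "..."],
[uri "..."]). Given the payloads sent to the test application and the log
lines collected while sending them, this reports which rule ids fired per
payload and which payloads triggered no LFI rule, i.e. the gaps the post
describes. All log lines below are constructed in ModSecurity v2 style; the
file path and URI in them are placeholders.
"""
import re

# Bracketed fields as ModSecurity writes them; the value never contains a
# raw double quote, so [^"]* is sufficient.
FIELD_RE = {
    "id": re.compile(r'\[id "(\d+)"\]'),
    "msg": re.compile(r'\[msg "([^"]*)"\]'),
    "data": re.compile(r'\[data "([^"]*)"\]'),
    "uri": re.compile(r'\[uri "([^"]*)"\]'),
}

# The REQUEST-930 rule ids named in the post (OWASP CRS). For a CWAF run,
# pass that rule set's LFI ids instead.
CRS_LFI_RULE_IDS = frozenset({"930100", "930110", "930120", "930130"})

# CRS writes [data "Matched Data: <match> found within <VARIABLE>: <value>"];
# the trailing <value> is the full parameter value the client sent.
VALUE_RE = re.compile(r"found within \S+: (.*)$")


def parse_modsec_line(line):
    """Return the bracketed fields of one ModSecurity log line as a dict, or
    None for lines that carry no rule id (ordinary Apache errors, etc.)."""
    fields = {}
    for name, rx in FIELD_RE.items():
        m = rx.search(line)
        fields[name] = m.group(1) if m else None
    return fields if fields["id"] else None


def request_value(data_field):
    """Extract the client-supplied value from a [data "..."] field, falling
    back to the whole field when it is not in the CRS 'found within' form."""
    m = VALUE_RE.search(data_field)
    return m.group(1) if m else data_field


def rules_fired_per_payload(payloads, log_lines, rule_ids=CRS_LFI_RULE_IDS):
    """Map each payload to the set of LFI rule ids whose [data] field carries
    exactly that payload. Comparing the full value (not a substring) keeps
    '/etc/passwd' from being credited with hits on '../../../../etc/passwd'."""
    hits = {p: set() for p in payloads}
    for line in log_lines:
        f = parse_modsec_line(line)
        if not f or f["id"] not in rule_ids or not f["data"]:
            continue
        value = request_value(f["data"])
        if value in hits:
            hits[value].add(f["id"])
    return hits


def coverage_gaps(payloads, log_lines, rule_ids=CRS_LFI_RULE_IDS):
    """Payloads that triggered none of the LFI rules, in test order. An empty
    result means every tested path was at least detected; it says nothing
    about paths that were not tested."""
    hits = rules_fired_per_payload(payloads, log_lines, rule_ids)
    return [p for p in payloads if not hits[p]]


# Payloads from the post plus one traversal control the rules are expected
# to catch (constructed).
TEST_PAYLOADS = [
    "../../../../etc/passwd",
    "/var/mail/www-data",
    "/etc/network/interfaces",
    "/etc/init/anacron.conf",
]

# Constructed log excerpt: only the control payload produced rule hits.
MODSEC_LOG = [
    '[Tue Jan 14 10:02:11.123456 2020] [:error] [pid 4242] [client 10.0.0.5] '
    'ModSecurity: Warning. Matched "Operator Rx against variable ARGS:file" '
    '[file "/etc/modsecurity/crs/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] '
    '[id "930100"] [msg "Path Traversal Attack (/../)"] '
    '[data "Matched Data: ../ found within ARGS:file: ../../../../etc/passwd"] '
    '[severity "CRITICAL"] [uri "/xvwa/fi/"]',
    '[Tue Jan 14 10:02:11.123789 2020] [:error] [pid 4242] [client 10.0.0.5] '
    'ModSecurity: Warning. Matched "Operator PmFromFile against variable ARGS:file" '
    '[file "/etc/modsecurity/crs/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] '
    '[id "930120"] [msg "OS File Access Attempt"] '
    '[data "Matched Data: etc/passwd found within ARGS:file: ../../../../etc/passwd"] '
    '[severity "CRITICAL"] [uri "/xvwa/fi/"]',
    # A plain Apache line with no rule id, which the parser must ignore.
    '[Tue Jan 14 10:02:12.000000 2020] [core:info] [pid 4242] [client 10.0.0.5] '
    'AH00128: File does not exist: /var/www/html/favicon.ico',
]

if __name__ == "__main__":
    for payload, ids in rules_fired_per_payload(TEST_PAYLOADS, MODSEC_LOG).items():
        print(f"{payload:28} -> {sorted(ids) or 'NO LFI RULE FIRED'}")
    print("gaps:", coverage_gaps(TEST_PAYLOADS, MODSEC_LOG))
```

In a real run, replace MODSEC_LOG with the lines tailed from the Apache error log (or the concurrent audit log) during the test and keep TEST_PAYLOADS equal to what was actually sent; a payload in the gaps list is a candidate for a local exclusion-free custom rule or a paranoia-level change, to be retested the same way.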

Demo Video

Reference

  1. ModSecurity
  2. Kali
  3. Debuggex
  4. OWASP Mutillidae Vulnerable App
  5. XVWA