Attendees at Black Hat USA have learned that the popular open-source hacking tool GoTestWAF has developed into the first utility of its kind to assess API security platforms.

The security testing tool, which was introduced in April 2020, mimics OWASP and API exploits to evaluate the ability of web application firewalls (WAFs), NGWAFs, RASPs, WAAPs, and, now, API security tools, to detect attacks.

REST, GraphQL, gRPC, WebSockets, SOAP, XMLRPC, and older APIs are all supported.

Brandon Shope, a chief security engineer at Wallarm, told delegates at his Arsenal session on August 11 that OpenAPI-based scanning has been implemented “so you can scan exactly what is described in your API spec during the attack simulation”.

The GoTestWAF GitHub repository explains how OpenAPI (formerly Swagger) file scans operate, which OpenAPI features are supported, and how “GoTestWAF creates valid requests based on the application’s API description in the OpenAPI 3.0 format” rather than “constructing requests that are simple in structure and sending them to the URL specified at startup.”

More attack types are incoming

Further new features presently under development, according to Shope, include a daemon for CI/CD pipelines with API and server modes, as well as support for other attack types such as Java, Python, and .NET serialization attacks.

GoTestWAF creates malicious requests by inserting encoded payloads into various HTTP request sections. The statistics show how many and what proportion of path traversal, shell injection, cross-site scripting (XSS), and other attack types the security tool was able to prevent.

Shope claimed that GoTestWAF gives scan findings in a “readable, neatly formatted PDF” and compares them to ModSec as a benchmark. Before Shope’s presentation, Wallarm CEO Ivan Novikov called this a “very essential” feature.

Wallarm regards testing for both false negatives and false positives as essential, given WAFs’ reputation for producing false positives, which the API security company says frequently occupy users’ attention at the expense of testing false negative rates.
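To make the evaluation described above concrete, here is an added Python sketch (example code written for this article, not GoTestWAF's own implementation): it wraps constructed payloads in nested base64 and URL encoding, places each in one HTTP request section at a time, and scores two toy WAF decision functions the way a benchmark report would, as a blocked percentage per attack type plus a false-positive percentage over benign values. The signatures, fixtures and section names are all constructed assumptions; the defensive point is that a WAF must normalise encoded input before matching, or the false-negative column of the report fills up.

```python
import base64, re
from urllib.parse import quote, unquote

# Constructed fixtures (not GoTestWAF's own test cases): textbook attack strings,
# benign values, and labels that mirror the categories a report would show.
MALICIOUS = [
    ("path-traversal", "../../etc/passwd"),
    ("shell-injection", "; cat /etc/passwd"),
    ("xss", "<script>alert(1)</script>"),
]
LEGITIMATE = ["hello world", "order=42&sort=asc", "path/to/report.pdf"]
PLACEHOLDERS = ("query", "header", "body")  # HTTP request sections
SIGNATURES = re.compile(r"\.\./|;\s*cat\b|<script", re.IGNORECASE)

def nest(payload, layers):
    """Apply encoders in order, e.g. ("b64", "url") = base64 then URL-encode."""
    encoders = {"b64": lambda s: base64.b64encode(s.encode()).decode(),
                "url": lambda s: quote(s, safe="")}
    for layer in layers:
        payload = encoders[layer](payload)
    return payload

def build_request(value, placeholder):  # value in one section, others empty
    return {**dict.fromkeys(PLACEHOLDERS, ""), placeholder: value}

def normalise(value, depth=3):
    """Peel up to `depth` URL/base64 layers; stop when nothing decodes."""
    for _ in range(depth):
        decoded = unquote(value)
        if decoded == value:
            try:
                decoded = base64.b64decode(value, validate=True).decode()
            except (ValueError, UnicodeDecodeError):
                break
        value = decoded
    return value

def naive_waf(req):  # signatures against the raw request text only
    return any(SIGNATURES.search(v) for v in req.values())

def decoding_waf(req):  # same signatures after peeling encoding layers
    return any(SIGNATURES.search(normalise(v)) for v in req.values())

def evaluate(waf, layers=("b64", "url")):
    """Blocked % per attack type (true positives) plus false-positive %."""
    report = {}
    for attack, payload in MALICIOUS:
        hits = sum(waf(build_request(nest(payload, layers), p)) for p in PLACEHOLDERS)
        report[attack] = round(100 * hits / len(PLACEHOLDERS), 1)
    fp = sum(waf(build_request(v, p)) for v in LEGITIMATE for p in PLACEHOLDERS)
    report["false_positive_pct"] = round(100 * fp / (len(LEGITIMATE) * len(PLACEHOLDERS)), 1)
    return report
```

Calling `evaluate(naive_waf)` and `evaluate(decoding_waf)` side by side shows the same signatures scoring 0% and 100% on the nested payloads, with 0% false positives in both cases.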

Community payloads

The Las Vegas conference also emphasized community payloads, dockerization, support for multiple “nested” encodings, and codeless checks with YAML files.

The tool’s appeal is significantly influenced by community support, according to Novikov, who cited community test cases that were reported by researchers from the Vulners team of the security intelligence search engine “and then supported by others.”

According to Novikov, GoTestWAF is already “used around 100 times a week” and “approximately five enterprise businesses” enquire about it during sales and marketing conversations.

Last month, Wallarm released a free Online WAF tester for the tool.