WAF Rules Discovery Technology For Web Security Detection

Posted on: 2018-11-12. Degree: Master. Type: Thesis
Country: China. Candidate: Q Zhang. Full Text: PDF
GTID: 2348330536481918. Subject: Computer Science and Technology
Abstract/Summary:
Nowadays the WAF (Web Application Firewall) is used more and more widely. It is able to prevent attacks on Web applications and satisfies the third-level standard for classified protection of information systems. Organizations at the third level of classified protection are required to test the WAF's ability to keep the system secure, and detecting WAF rules manually consumes too many human resources. This paper therefore presents a method that detects WAF rules automatically, and designs and implements a system for automatic WAF rule detection that obtains the effective WAF rules automatically and improves the performance of testing the WAF's ability.

The key technologies of WAF rule detection are computing the similarity between responses, MEF (Minimum Element First), detection of the effective combination of characters based on a dichotomy (binary search) algorithm, the character testing tree, and the design of payloads. Multidimensional comparisons are used when computing the similarity between responses: whether the requests were stopped, their response status codes, and the similarity between their contents. The similarity is needed to separate the WAF's responses from normal responses. MEF, called Zui Xiao Yuan Su You Xian Fa in Chinese, solves the problem of finding all effective combinations of keywords in a string whose test result is true; the method first detects the combinations that have fewer keywords. Detection of the effective combination of characters based on the dichotomy algorithm solves the problem of finding the only effective combination of characters in a string whose test result is true; the method always finds the rightmost effective character using the dichotomy algorithm. The function of the character testing tree is to guess the wildcards in a regular expression; the tree can recognize seven types of wildcards. The design of payloads is a critical technology in this paper: the more considered the design is, the more rules the system will find. The payloads consist of four types: SQL Injection, XSS, LFI (Local File Inclusion) and PHP Trojan.

The system that automatically detects WAF rules is built on these key technologies. It is divided by function into three modules: the WAF Discovery Module, the Payloads Sending Module and the Rules Retrieval Module. The WAF Discovery Module collects the features of WAF responses for the next module. The Payloads Sending Module sends payloads of different types to the website and classifies the responses. The Rules Retrieval Module detects the regular expressions of WAF rules by sending modified versions of the strings obtained from the Payloads Sending Module. Finally, we used the system to detect the WAF rules of ten websites; most of them yielded successful detection results.
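As an added example (not code from the thesis), the two searches described above in Python: the dichotomy-based minimisation of the substring that triggers a rule, and MEF over keyword combinations. The device under test is replaced by a mock WAF of three constructed regex rules, and the block/allow decision that the thesis derives from response similarity is replaced by a direct function call.

```python
import itertools
import re
# Mock WAF standing in for the device under test: three constructed regex
# rules applied to a request parameter (not the thesis's rule set).
MOCK_RULES = [re.compile(r"union\s+select", re.I),
              re.compile(r"<script", re.I),
              re.compile(r"\.\./")]

def mock_waf_blocks(payload):
    """True when the mock WAF blocks the payload. In the real system this
    decision comes from the response-similarity comparison."""
    return any(rule.search(payload) for rule in MOCK_RULES)

def minimal_trigger(payload, blocks):
    """Dichotomy search for the shortest substring that still triggers.
    Step 1: shortest triggering prefix (fixes the rightmost effective char).
    Step 2: within that prefix, the longest triggering suffix.
    Assumes a search-style rule, so triggering is monotone in the span."""
    if not blocks(payload):
        raise ValueError("payload is not blocked; nothing to minimise")
    lo, hi = 1, len(payload)            # shortest triggering prefix length
    while lo < hi:
        mid = (lo + hi) // 2
        if blocks(payload[:mid]):
            hi = mid
        else:
            lo = mid + 1
    end = lo
    lo, hi = 0, end - 1                 # largest triggering start offset
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if blocks(payload[mid:end]):
            lo = mid
        else:
            hi = mid - 1
    return payload[lo:end]

def mef(keywords, blocks, sep=" "):
    """Minimum Element First: try keyword combinations from the smallest size
    upwards; report a combination when it triggers and contains no smaller
    combination already found, so only minimal effective sets are returned."""
    found = []
    for size in range(1, len(keywords) + 1):
        for combo in itertools.combinations(keywords, size):
            if any(set(f) <= set(combo) for f in found):
                continue
            if blocks(sep.join(combo)):
                found.append(combo)
    return found
```

Against a real WAF, `blocks` would wrap one request per candidate string plus the response-similarity classification, so the logarithmic number of probes in `minimal_trigger` is what keeps the rule retrieval affordable.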
Keywords/Search Tags: WAF, auto-detection, Web application security, regular expression, website similarity