{"id":13684524,"url":"https://github.com/wallarm/gotestwaf","last_synced_at":"2025-05-14T03:11:17.711Z","repository":{"id":37712187,"uuid":"236841915","full_name":"wallarm/gotestwaf","owner":"wallarm","description":"An open-source project in Golang to asess different API Security tools and WAF for detection logic and bypasses","archived":false,"fork":false,"pushed_at":"2025-02-12T14:10:55.000Z","size":12266,"stargazers_count":1645,"open_issues_count":16,"forks_count":228,"subscribers_count":41,"default_branch":"master","last_synced_at":"2025-04-10T22:31:24.283Z","etag":null,"topics":["api-security","bugbounty","graphql-security","grpc-security","owasp","rest-security","security","security-testing","security-tools","waf","web-application-firewall","web-application-security"],"latest_commit_sha":null,"homepage":"https://lab.wallarm.com/test-your-waf-before-hackers/","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/wallarm.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2020-01-28T21:08:21.000Z","updated_at":"2025-04-09T04:15:18.000Z","dependencies_parsed_at":"2023-02-17T16:30:30.054Z","dependency_job_id":"d48f05f6-0d48-455e-bcce-2b8f63684724","html_url":"https://github.com/wallarm/gotestwaf","commit_stats":{"total_commits":407,"total_committers":25,"mean_commits":16.28,"dds":0.3611793611793612,"last_synced_commit":"8a1958f82ba6d684f5f1e67de4a2dda365959915"},"previous_names":[],"tags_count":28,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/reposit
ories/wallarm%2Fgotestwaf","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wallarm%2Fgotestwaf/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wallarm%2Fgotestwaf/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wallarm%2Fgotestwaf/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/wallarm","download_url":"https://codeload.github.com/wallarm/gotestwaf/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254059518,"owners_count":22007771,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["api-security","bugbounty","graphql-security","grpc-security","owasp","rest-security","security","security-testing","security-tools","waf","web-application-firewall","web-application-security"],"created_at":"2024-08-02T14:00:34.489Z","updated_at":"2025-05-14T03:11:12.620Z","avatar_url":"https://github.com/wallarm.png","language":"Go","funding_links":[],"categories":["Tools","Weapons","蓝队工具","Go","Awesome Tools"],"sub_categories":["Tools","WAF","Testing:"],"readme":"# GoTestWAF [![Black Hat Arsenal USA 2022](https://img.shields.io/badge/Black%20Hat%20Arsenal-USA%202022-blue)](https://www.blackhat.com/us-22/arsenal/schedule/index.html#gotestwaf---well-known-open-source-waf-tester-now-supports-api-security-hacking-27986)\n\nGoTestWAF is a tool for API and OWASP attack simulation that supports a wide range of API protocols including\nREST, GraphQL, gRPC, SOAP, XMLRPC, and others.\n\nIt was designed to evaluate web 
application security solutions, such as API security proxies, Web Application Firewalls,\nIPS, API gateways, and others.\n\n---\n* [How it works](#how-it-works)\n* [Requirements](#requirements)\n* [Quick start with Docker](#quick-start-with-docker)\n* [Checking evaluation results](#checking-the-evaluation-results)\n* [Demos](#demos)\n* [Other options to run GoTestWAF](#other-options-to-run-gotestwaf)\n* [Configuration options](#configuration-options)\n* [Running with OWASP Core Rule Set regression testing suite](#running-with-owasp-core-rule-set-regression-testing-suite)\n---\n\n## How it works\n\nGoTestWAF generates malicious requests using encoded payloads placed in different parts of HTTP requests: the body, headers,\nURL parameters, etc. Generated requests are sent to the application security solution URL specified during GoTestWAF launch.\nThe results of the security solution evaluation are recorded in the report file created on your machine.\n\nDefault conditions for request generation are defined in the `testcases` folder in YAML files of the following format:\n\n```yaml\npayload:\n  - '\"union select -7431.1, name, @aaa from u_base--w-'\n  - \"'or 123.22=123.22\"\n  - \"' waitfor delay '00:00:10'--\"\n  - \"')) or pg_sleep(5)--\"\nencoder:\n  - Base64Flat\n  - URL\nplaceholder:\n  - UrlPath\n  - UrlParam\n  - JSUnicode\n  - Header\ntype: SQL Injection\n```\n\n* `payload` is a malicious attack sample (e.g. an XSS payload like ```\u003cscript\u003ealert(111)\u003c/script\u003e``` or something more sophisticated).\nSince payloads must be valid YAML strings, any that are not must be [encoded as binary data](https://yaml.org/type/binary.html).\n\n* `encoder` is an encoder to be applied to the payload before placing it into the HTTP request. 
Possible encoders are:\n\n    * Base64\n    * Base64Flat\n    * JSUnicode\n    * URL\n    * Plain (to keep the payload string as-is)\n    * XML Entity\n\n* `placeholder` is a place inside HTTP request where encoded payload should be. Possible placeholders are:\n\n    * gRPC\n    * Header\n    * UserAgent\n    * RequestBody\n    * JSONRequest\n    * JSONBody\n    * HTMLForm\n    * HTMLMultipartForm\n    * SOAPBody\n    * XMLBody\n    * URLParam\n    * URLPath\n    * RawRequest\n\n    The `RawRequest` placeholder will allow you to do an arbitrary HTTP request. The payload is substituted by replacing the string `{{payload}}` in the URL path, Headers or body. Fields of `RawRequest` placeholder:\n\n    * `method`\n    * `path`\n    * `headers`\n    * `body`\n\n    Required fields for `RawRequest` placeholder:\n    \n    * `method` field\n\n    Example:\n    \n    ```yaml\n    payload:\n      - test\n    encoder:\n      - Plain\n    placeholder:\n      - RawRequest:\n          method: \"POST\"\n          path: \"/\"\n          headers:\n            Content-Type: \"multipart/form-data; boundary=boundary\"\n          body: |\n            --boundary\n            Content-disposition: form-data; name=\"field1\"\n            \n            Test\n            --boundary\n            Content-disposition: form-data; name=\"field2\"\n            Content-Type: text/plain; charset=utf-7\n            \n            Knock knock.\n            {{payload}}\n            --boundary--\n    type: RawRequest test\n    ```\n\n* `type` is a name of entire group of the payloads in file. 
It can be arbitrary, but should reflect the type of attacks in the file.\n\nRequest generation is a three-step process involving the multiplication of payload amount by encoder and placeholder amounts.\nLet's say you defined 2 **payloads**, 3 **encoders** (Base64, JSUnicode, and URL) and 1 **placeholder** (URLParameter - HTTP GET parameter).\nIn this case, GoTestWAF will send 2x3x1 = 6 requests in a test case.\n\nDuring GoTestWAF launch, you can also choose between the two embedded test case sets (OWASP Top-10 and OWASP-API)\nor your own (by using the [configuration option](#configuration-options) `testCasesPath`).\n\n## Requirements\n\n* GoTestWAF supports all the popular operating systems (Linux, Windows, macOS), and can be built natively\nif [Go](https://golang.org/doc/install) is installed in the system. If you want to run GoTestWAF natively,\nmake sure you have the Chrome web browser to be able to generate PDF reports. In case you don't have Chrome,\nyou can create a report in HTML format.\n* If running GoTestWAF as the Docker container, please ensure you have [installed and configured Docker](https://docs.docker.com/get-docker/),\nand that GoTestWAF and the evaluated application security solution are connected to the same [Docker network](https://docs.docker.com/network/).\n* For GoTestWAF to be successfully started, please ensure the IP address of the machine running GoTestWAF is whitelisted\non the machine running the application security solution.\n\n## Quick start with Docker\n\nThe steps below walk through downloading and starting GoTestWAF with minimal configuration on Docker.\n\n1.  Pull the [GoTestWAF image](https://hub.docker.com/r/wallarm/gotestwaf) from Docker Hub:\n\n    ```\n    docker pull wallarm/gotestwaf\n    ```\n\n2.  
Start the GoTestWAF image:\n\n    ```sh\n    docker run --rm --network=\"host\" -it -v ${PWD}/reports:/app/reports \\\n        wallarm/gotestwaf --url=\u003cEVALUATED_SECURITY_SOLUTION_URL\u003e\n    ```\n\n    If required, you can replace `${PWD}/reports` with the path to another folder used to place the evaluation report.\n\n    If you don't want to email the report, just press Enter after the email request message appears, or use `--noEmailReport` to skip the prompt entirely:\n\n    ```sh\n    docker run --rm --network=\"host\" -v ${PWD}/reports:/app/reports \\\n        wallarm/gotestwaf --url=\u003cEVALUATED_SECURITY_SOLUTION_URL\u003e --noEmailReport\n    ```\n\n    If the evaluated security tool is available externally, you can skip the option `--network=\"host\"`. This option lets the GoTestWAF container reach services that other Docker containers expose on 127.0.0.1.\n\n    To perform the gRPC tests you must have a working gRPC endpoint and pass the `--grpcPort \u003cport\u003e` CLI option:\n\n    ```sh\n    docker run --rm --network=\"host\" -it -v ${PWD}/reports:/app/reports \\\n        wallarm/gotestwaf --grpcPort 9000 --url=http://my.grpc.endpoint\n    ```\n\n3.  Check your email for the report.\n\nYou have successfully evaluated your application security solution by using GoTestWAF with minimal configuration.\nTo learn advanced configuration options, please use this [link](#configuration-options).\n\n## Checking the evaluation results\n\nCheck the evaluation results logged to the `STDOUT` and `STDERR` streams. 
For example:\n\n```\nINFO[0000] GoTestWAF started                             version=v0.4.11-1-g8ccc316\nINFO[0000] Test cases loading started                   \nINFO[0000] Test cases loading finished                  \nINFO[0000] Test cases fingerprint                        fp=23c3ae919db5e6edcb62815de1a09fdf\nINFO[0000] Try to identify WAF solution                 \nINFO[0000] WAF was not identified                       \nINFO[0000] WAF pre-check                                 url=\"http://localhost:8080\"\nINFO[0000] WAF pre-check                                 blocked=true code=403 status=done\nINFO[0000] WebSocket pre-check                           status=started url=\"ws://localhost:8080\"\nINFO[0000] WebSocket pre-check                           connection=\"not available\" error=\"websocket: bad handshake\" status=done\nINFO[0000] gRPC pre-check                                status=started\nINFO[0000] gRPC pre-check                                connection=\"not available\" status=done\nINFO[0000] Scanning started                              url=\"http://localhost:8080\"\nINFO[0025] Scanning finished                             duration=25.043996212s                                                                                                                          \nTrue-Positive Tests:\n+-----------------------+-------------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+\n|       TEST SET        |        TEST CASE        |     PERCENTAGE, %     |        BLOCKED        |       BYPASSED        |      UNRESOLVED       |         SENT          |        FAILED         |\n+-----------------------+-------------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+\n| community             | community-128kb-rce     |                  0.00 |  
                   0 |                     0 |                     1 |                     1 |                     0 |\n| community             | community-128kb-sqli    |                  0.00 |                     0 |                     0 |                     1 |                     1 |                     0 |\n| community             | community-128kb-xss     |                  0.00 |                     0 |                     0 |                     1 |                     1 |                     0 |\n| community             | community-16kb-rce      |                100.00 |                     1 |                     0 |                     0 |                     1 |                     0 |\n| community             | community-16kb-sqli     |                100.00 |                     1 |                     0 |                     0 |                     1 |                     0 |\n| community             | community-16kb-xss      |                100.00 |                     1 |                     0 |                     0 |                     1 |                     0 |\n| community             | community-32kb-rce      |                100.00 |                     1 |                     0 |                     0 |                     1 |                     0 |\n| community             | community-32kb-sqli     |                100.00 |                     1 |                     0 |                     0 |                     1 |                     0 |\n| community             | community-32kb-xss      |                100.00 |                     1 |                     0 |                     0 |                     1 |                     0 |\n| community             | community-64kb-rce      |                100.00 |                     1 |                     0 |                     0 |                     1 |                     0 |\n| community             | community-64kb-sqli     |                100.00 |                     1 |        
             0 |                     0 |                     1 |                     0 |\n| community             | community-64kb-xss      |                100.00 |                     1 |                     0 |                     0 |                     1 |                     0 |\n| community             | community-8kb-rce       |                100.00 |                     1 |                     0 |                     0 |                     1 |                     0 |\n| community             | community-8kb-sqli      |                100.00 |                     1 |                     0 |                     0 |                     1 |                     0 |\n| community             | community-8kb-xss       |                100.00 |                     1 |                     0 |                     0 |                     1 |                     0 |\n| community             | community-lfi           |                100.00 |                     8 |                     0 |                     0 |                     8 |                     0 |\n| community             | community-lfi-multipart |                  0.00 |                     0 |                     0 |                     9 |                     9 |                     0 |\n| community             | community-rce           |                 83.33 |                    10 |                     2 |                     0 |                    12 |                     0 |\n| community             | community-sqli          |                100.00 |                    32 |                     0 |                     0 |                    32 |                     0 |\n| community             | community-user-agent    |                 70.00 |                     7 |                     3 |                     0 |                    10 |                     0 |\n| community             | community-xss           |                 95.80 |                   502 |                    22 |              
       0 |                   524 |                     0 |\n| community             | community-xxe           |                  0.00 |                     0 |                     2 |                     0 |                     2 |                     0 |\n| owasp                 | crlf                    |                 77.78 |                     7 |                     2 |                     0 |                     9 |                     0 |\n| owasp                 | ldap-injection          |                  3.13 |                     2 |                    62 |                     0 |                    64 |                     0 |\n| owasp                 | mail-injection          |                 12.50 |                     3 |                    21 |                     0 |                    24 |                     0 |\n| owasp                 | nosql-injection         |                  0.00 |                     0 |                    70 |                     0 |                    70 |                     0 |\n| owasp                 | path-traversal          |                 24.77 |                    27 |                    82 |                     1 |                   110 |                     0 |\n| owasp                 | rce                     |                 33.33 |                    22 |                    44 |                     0 |                    66 |                     0 |\n| owasp                 | rce-urlparam            |                 33.33 |                     3 |                     6 |                     0 |                     9 |                     0 |\n| owasp                 | shell-injection         |                 27.08 |                    13 |                    35 |                     0 |                    48 |                     0 |\n| owasp                 | sql-injection           |                 24.36 |                    38 |                   118 |                     0 |                   
156 |                     0 |\n| owasp                 | ss-include              |                 37.50 |                    15 |                    25 |                     0 |                    40 |                     0 |\n| owasp                 | sst-injection           |                 18.75 |                    12 |                    52 |                     0 |                    64 |                     0 |\n| owasp                 | xml-injection           |                  0.00 |                     0 |                    12 |                     1 |                    13 |                     0 |\n| owasp                 | xss-scripting           |                 33.20 |                   167 |                   336 |                     1 |                   504 |                     0 |\n| owasp-api             | graphql                 |                  0.00 |                     0 |                     6 |                     0 |                     6 |                     0 |\n| owasp-api             | graphql-post            |                 50.00 |                     2 |                     2 |                     0 |                     4 |                     0 |\n| owasp-api             | grpc                    |                  0.00 |                     0 |                     0 |                     0 |                     0 |                     0 |\n| owasp-api             | non-crud                |                100.00 |                     2 |                     0 |                     0 |                     2 |                     0 |\n| owasp-api             | rest                    |                 23.08 |                     3 |                    10 |                     0 |                    13 |                     0 |\n| owasp-api             | soap                    |                 23.08 |                     3 |                    10 |                     0 |                    13 |                     0 
|\n+-----------------------+-------------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+\n|         DATE:         |      PROJECT NAME:      | TRUE-POSITIVE SCORE:  |  BLOCKED (RESOLVED):  | BYPASSED (RESOLVED):  |  UNRESOLVED (SENT):   |      TOTAL SENT:      |    FAILED (TOTAL):    |\n|      2024-02-08       |         GENERIC         |        49.12%         |   890/1812 (49.12%)   |   922/1812 (50.88%)   |    15/1827 (0.82%)    |         1827          |    0/1827 (0.00%)     |\n+-----------------------+-------------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+\n\nTrue-Negative Tests:\n+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+\n|       TEST SET        |       TEST CASE       |     PERCENTAGE, %     |        BLOCKED        |       BYPASSED        |      UNRESOLVED       |         SENT          |        FAILED         |\n+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+\n| false-pos             | texts                 |                 85.65 |                    31 |                   185 |                     0 |                   216 |                     0 |\n+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+\n|         DATE:         |     PROJECT NAME:     | TRUE-NEGATIVE SCORE:  |  BLOCKED (RESOLVED):  | BYPASSED (RESOLVED):  |  UNRESOLVED (SENT):   |      TOTAL SENT:      |    FAILED (TOTAL):    |\n|      
2024-02-08       |        GENERIC        |        85.65%         |    31/216 (14.35%)    |   185/216 (85.65%)    |     0/216 (0.00%)     |          216          |     0/216 (0.00%)     |\n+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+\n\nSummary:\n+-----------------------------+-----------------------------+-----------------------------+-----------------------------+\n|            TYPE             | TRUE-POSITIVE TESTS BLOCKED | TRUE-NEGATIVE TESTS PASSED  |           AVERAGE           |\n+-----------------------------+-----------------------------+-----------------------------+-----------------------------+\n| API Security                | 26.32%                      | n/a                         | 26.32%                      |\n| Application Security        | 49.61%                      | 85.65%                      | 67.63%                      |\n+-----------------------------+-----------------------------+-----------------------------+-----------------------------+\n|                                                                        SCORE            |           46.97%            |\n+-----------------------------+-----------------------------+-----------------------------+-----------------------------+\n```\n\nThe report file `waf-evaluation-report-\u003cdate\u003e.pdf` is available in the `reports` folder of the user directory. You can also specify the directory to save the reports with the `reportPath` parameter and the name of the report file with the `reportName` parameter. 
To learn advanced configuration options, please use this [link](#configuration-options).\n\nYou can find an example of a PDF report [here](./docs/report_example.pdf).\n\n![Example of GoTestWAF report](./docs/report_preview.png)\n\n## Demos\n\nYou can try GoTestWAF by running the demo environment that deploys NGINX‑based [ModSecurity using OWASP Core Rule Set](https://hub.docker.com/r/owasp/modsecurity-crs)\nand GoTestWAF evaluating ModSecurity on Docker.\n\nTo run the demo environment:\n\n1.  Clone this repository and go to the cloned directory:\n\n    ```sh\n    git clone https://github.com/wallarm/gotestwaf.git\n    cd gotestwaf\n    ```\n\n2.  Start ModSecurity from the [Docker image](https://hub.docker.com/r/owasp/modsecurity-crs/) by using the following `make` command:\n\n    ```sh\n    make modsec\n    ```\n\n    Settings for running the ModSecurity Docker container are defined in the rule `modsec` of the cloned Makefile. It runs the ModSecurity Docker container on port 8080 with minimal configuration defined in the cloned file `./resources/default.conf.template` and the `PARANOIA` value set to 1.\n\n    If required, you can change these settings by editing the rule `modsec` in the cloned Makefile. Available options for ModSecurity configuration are described on [Docker Hub](https://hub.docker.com/r/owasp/modsecurity-crs/).\n\n    To stop the ModSecurity containers, use the following command:\n\n    ```sh\n    make modsec_down\n    ```\n\n3.  
Start GoTestWAF with minimal configuration by using one of the following methods:\n\n    Start the [Docker image](https://hub.docker.com/r/wallarm/gotestwaf) by using the following `docker pull` and `docker run` commands:\n\n    ```sh\n    docker pull wallarm/gotestwaf\n    docker run --rm --network=\"host\" -v ${PWD}/reports:/app/reports \\\n        wallarm/gotestwaf --url=http://127.0.0.1:8080 --noEmailReport\n    ```\n\n    Build the GoTestWAF Docker image from the [Dockerfile](./Dockerfile) and run the\n    image by using the following `make` commands (make sure ModSec is running on port 8080; if not, update the port value in the Makefile):\n\n    ```sh\n    make gotestwaf\n    make scan_local_from_docker\n    ```\n\n    Start GoTestWAF natively with go by using the following `make` command:\n    (make sure ModSec is running on port 8080; if not, update the port value in the Makefile):\n\n    ```sh\n    make scan_local\n    ```\n\n4.  Find the [report](#checking-the-evaluation-results) file `waf-evaluation-report-\u003cdate\u003e.pdf` in\nthe `reports` folder that you mapped to `/app/reports` inside the container.\n\n## Other options to run GoTestWAF\n\nIn addition to running the GoTestWAF Docker image downloaded from Docker Hub, you can run GoTestWAF by using the following options:\n\n*   Clone this repository and build the GoTestWAF Docker image from the [Dockerfile](./Dockerfile), for example:\n\n    ```sh\n    git clone https://github.com/wallarm/gotestwaf.git\n    cd gotestwaf\n    DOCKER_BUILDKIT=1 docker build --force-rm -t gotestwaf .\n    docker run --rm --network=\"host\" -it -v ${PWD}/reports:/app/reports \\\n        gotestwaf --url=\u003cEVALUATED_SECURITY_SOLUTION_URL\u003e\n    ```\n\n    If the evaluated security tool is available externally, you can skip the option `--network=\"host\"`. 
This option enables interaction of Docker containers running on 127.0.0.1.\n\n* Clone this repository and run GoTestWAF with [`go`](https://golang.org/doc/), for example:\n\n    ```sh\n    git clone https://github.com/wallarm/gotestwaf.git\n    cd gotestwaf\n    go run ./cmd --url=\u003cEVALUATED_SECURITY_SOLUTION_URL\u003e\n    ```\n\n*   Clone this repository and build GoTestWAF as the Go module:\n\n    ```sh\n    git clone https://github.com/wallarm/gotestwaf.git\n    cd gotestwaf\n    go build -mod vendor -o gotestwaf ./cmd\n    ```\n\nSupported GoTestWAF configuration options are described below.\n\n## Configuration options\n\n```\nUsage: ./gotestwaf [OPTIONS] --url \u003cURL\u003e\n\nOptions:\n      --addDebugHeader          Add header with a hash of the test information in each request\n      --addHeader string        An HTTP header to add to requests\n      --blockConnReset          If present, connection resets will be considered as block\n      --blockRegex string       Regex to detect a blocking page with the same HTTP response status code as a not blocked request\n      --blockStatusCodes ints   HTTP status code that WAF uses while blocking requests (default [403])\n      --configPath string       Path to the config file (default \"config.yaml\")\n      --email string            E-mail to which the report will be sent\n      --followCookies           If present, use cookies sent by the server. 
May work only with --maxIdleConns=1 (gohttp only)\n      --graphqlURL string       GraphQL URL to check\n      --grpcPort uint16         gRPC port to check\n      --hideArgsInReport        If present, GoTestWAF CLI arguments will not be displayed in the report\n      --httpClient string       Which HTTP client use to send requests: gohttp, chrome (default \"gohttp\")\n      --idleConnTimeout int     The maximum amount of time a keep-alive connection will live (gohttp only) (default 2)\n      --ignoreUnresolved        If present, unresolved test cases will be considered as bypassed (affect score and results)\n      --includePayloads         If present, payloads will be included in HTML/PDF report\n      --logFormat string        Set logging format: text, json (default \"text\")\n      --logLevel string         Logging level: panic, fatal, error, warn, info, debug, trace (default \"info\")\n      --maxIdleConns int        The maximum number of keep-alive connections (gohttp only) (default 2)\n      --maxRedirects int        The maximum number of handling redirects (gohttp only) (default 50)\n      --noEmailReport           Save report locally\n      --nonBlockedAsPassed      If present, count requests that weren't blocked as passed. If false, requests that don't satisfy to PassStatusCodes/PassRegExp as blocked\n      --openapiFile string      Path to openAPI file\n      --passRegex string        Regex to a detect normal (not blocked) web page with the same HTTP status code as a blocked request\n      --passStatusCodes ints    HTTP response status code that WAF uses while passing requests (default [200,404])\n      --proxy string            Proxy URL to use\n      --quiet                   If present, disable verbose logging\n      --randomDelay int         Random delay in ms in addition to the delay between requests (default 400)\n      --renewSession            Renew cookies before each test. 
Should be used with --followCookies flag (gohttp only)\n      --reportFormat strings    Export report in the following formats: json, html, pdf, none (default [pdf])\n      --reportName string       Report file name. Supports `time' package template format (default \"waf-evaluation-report-2006-January-02-15-04-05\")\n      --reportPath string       A directory to store reports (default \"reports\")\n      --sendDelay int           Delay in ms between requests (default 400)\n      --skipWAFBlockCheck       If present, WAF detection tests will be skipped\n      --skipWAFIdentification   Skip WAF identification\n      --testCase string         If set then only this test case will be run\n      --testCasesPath string    Path to a folder with test cases (default \"testcases\")\n      --testSet string          If set then only this test set's cases will be run\n      --tlsVerify               If present, the received TLS certificate will be verified\n      --url string              URL to check\n      --version                 Show GoTestWAF version and exit\n      --wafName string          Name of the WAF product (default \"generic\")\n      --workers int             The number of workers to scan (default 5)\n```\n\nGoTestWAF supports two HTTP clients for performing requests, selectable via the `--httpClient` option. The default client is the standard Golang HTTP client. The second option is Chrome, which can be used with the `--httpClient=chrome` CLI argument. Note that on Linux systems, you must add the `--cap-add=SYS_ADMIN` argument to the Docker arguments to run GoTestWAF with Chrome as the request performer.\n\n### Report name\n\nWith the `reportName` option you can set your own filename for GoTestWAF reports. This option supports golang's `time` package for timestamps. Details can be found [there](https://pkg.go.dev/time#pkg-constants). 
You can use the following placeholders to add a timestamp to your report name:\n\n* Year: `2006`, `06`\n* Month: `Jan`, `January`, `01`, `1`\n* Textual day of the week: `Mon`, `Monday`\n* Numeric day of the month: `2`, `_2`, `02`\n* Numeric day of the year: `__2`, `002`\n* Hour: `15` (24-hour clock), `3`, `03` (12-hour clock, combine with `PM`)\n* Minute: `4`, `04`\n* Second: `5`, `05`\n* AM/PM mark: `PM`\n* Numeric zones: `Z0700` = Z or ±hhmm, `Z07:00` = Z or ±hh:mm, `Z07` = Z or ±hh\n\nFor example, the default `reportName` is `waf-evaluation-report-2006-January-02-15-04-05`, where `2006` is replaced with the actual year, `January` with the month, `02` with the day, `15` with the hour, `04` with the minute and `05` with the second.\n\n\n### Scan based on OpenAPI file\n\nFor better scanning, GoTestWAF supports sending malicious vectors inside valid application requests. Instead of constructing requests that are simple in structure and sending them to the URL specified at startup, GoTestWAF builds valid requests from the application's API description in OpenAPI 3.0 format.\n\nHow it works:\n\n1. GoTestWAF loads the OpenAPI file and constructs request templates. The templates are then grouped by the placeholders they support (for example, a request with a string parameter in its path is assigned to the group of templates that support the URLPath placeholder).\n\n2. The next malicious vector is taken from the queue. Based on the placeholder specified for it, all request templates into which this vector can be substituted are selected; the vector is substituted into a template and the request is sent.\n\n3. Based on the possible responses declared in the OpenAPI file, GoTestWAF determines whether the request was blocked by the WAF or passed to the application. If the response status code and body schema match a response described in the OpenAPI file, the request is marked as bypassed. Otherwise, it is marked as blocked. 
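\n\nThe verdict logic of step 3, including the unresolved case described next, as an added worked example in Go. This is illustrative code written for this page, not GoTestWAF's implementation: it assumes a trimmed-down schema check (declared properties and their JSON types only), takes 403 from `--blockStatusCodes` as the WAF's block status, applies `--passRegex` as a tiebreaker for status-only responses (the real tool's precedence may differ), and the OpenAPI responses and HTTP replies it classifies are constructed samples for a hypothetical `GET /users/{id}` operation rather than real traffic.\n\n
```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Verdict is the outcome reported for one malicious request: bypassed (it reached the application),
// blocked (the answer matches nothing the application is declared to return) or unresolved (ambiguous).
type Verdict string

const Bypassed, Blocked, Unresolved Verdict = "bypassed", "blocked", "unresolved"

// BodySchema is a deliberately tiny subset of JSON Schema: property name -> JSON type, all required.
type BodySchema struct{ Properties map[string]string }

type Response struct {
	Status int
	Body   []byte
}

// Classifier mirrors the decision of step 3 (illustrative, not GoTestWAF's code; assumptions noted above).
type Classifier struct {
	Responses        map[int]*BodySchema // the operation's "responses"; nil = declared without a body
	BlockStatusCodes map[int]bool        // codes the WAF answers with when blocking (--blockStatusCodes)
	PassRegex        *regexp.Regexp      // optional --passRegex; nil when unset
}

func (c Classifier) Classify(r Response) Verdict {
	schema, declared := c.Responses[r.Status]
	if !declared {
		return Blocked // the application never returns this status, so the WAF produced it
	}
	if schema != nil {
		if matchesSchema(r.Body, schema) {
			return Bypassed // only a conforming body proves the payload reached the application
		}
		return Blocked // e.g. a WAF block page served with HTTP 200
	}
	// Status-only response: if the WAF blocks with the same code, the status alone proves nothing.
	if c.BlockStatusCodes[r.Status] {
		if c.PassRegex != nil && c.PassRegex.Match(r.Body) {
			return Bypassed
		}
		return Unresolved
	}
	return Bypassed
}

// matchesSchema checks that body is a JSON object carrying every declared property with its declared type.
func matchesSchema(body []byte, s *BodySchema) bool {
	var obj map[string]any
	if err := json.Unmarshal(body, &obj); err != nil {
		return false
	}
	for name, want := range s.Properties {
		if v, ok := obj[name]; !ok || jsonType(v) != want {
			return false
		}
	}
	return true
}

// jsonType names the JSON type of a scalar that encoding/json decoded into an interface value.
func jsonType(v any) string {
	switch v.(type) {
	case string:
		return "string"
	case float64:
		return "number"
	case bool:
		return "boolean"
	default:
		return "other" // objects, arrays and null are not distinguished in this subset
	}
}

// exampleCases feeds constructed sample responses (not real traffic) for a hypothetical GET /users/{id}
// operation through the classifier and returns the verdict per case.
func exampleCases() map[string]Verdict {
	c := Classifier{
		Responses: map[int]*BodySchema{
			200: {Properties: map[string]string{"id": "number", "name": "string"}},
			403: nil, // the application itself answers 403 for another user's record, body unspecified
		},
		BlockStatusCodes: map[int]bool{403: true},         // --blockStatusCodes default
		PassRegex:        regexp.MustCompile(`"error"`), // --passRegex: the application's own error shape
	}
	return map[string]Verdict{
		"app-json":       c.Classify(Response{Status: 200, Body: []byte(`{"id": 7, "name": "alice"}`)}),
		"waf-403-page":   c.Classify(Response{Status: 403, Body: []byte(`<html>Forbidden</html>`)}),
		"waf-200-page":   c.Classify(Response{Status: 200, Body: []byte(`<html>Request blocked</html>`)}),
		"undeclared-500": c.Classify(Response{Status: 500, Body: []byte(`Internal Server Error`)}),
		"app-403-json":   c.Classify(Response{Status: 403, Body: []byte(`{"error": "forbidden"}`)}),
	}
}

func main() { fmt.Println(exampleCases()) }
```
\n\nTwo consequences of the rule are visible in the sample verdicts: a status code the OpenAPI file does not declare (here a 500 provoked by the payload) is counted as blocked, so declare every status the application can really return before trusting the score; and when the application answers a status-only 403 that coincides with the WAF's block code, the verdict stays unresolved unless a `--passRegex` can recognise the application's own error page.\n\n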
It is possible that the application only responds with a status code and that this code coincides with the one the WAF returns when blocking. Such a response cannot be attributed to either side, so the request is marked as unresolved (see `--ignoreUnresolved` for how unresolved cases are scored).\n\nSome supported OpenAPI features:\n\n* numeric and string parameters in headers, paths, query parameters and body of requests;\n\n* the following content types are supported for the request body: `application/json`, `application/xml`, `application/x-www-form-urlencoded`, `text/plain`;\n\n* the following modifiers are supported for XML: `name`, `wrapped`, `attribute`, `prefix`, `namespace`;\n\n* length limits for strings are supported through the `minLength` and `maxLength` parameters;\n\n* value restrictions for numbers are supported through `minimum`, `maximum`, `exclusiveMinimum` and `exclusiveMaximum`;\n\n* restrictions on the length of arrays through `minItems` and `maxItems` are supported;\n\n* combination of schemas via `oneOf`, `anyOf`, `allOf` is supported.\n\nGiven this principle of operation, it is essential that the OpenAPI file accurately represents the implemented API: a status code the application really returns but the file does not declare is counted as blocked. For the same reason you cannot use a `default` response to describe possible responses: it would match any status code, including the one the WAF returns when blocking, leaving GoTestWAF unable to tell a block from an application response.\n\nNote: when running in Docker, mount the OpenAPI spec into the GoTestWAF container as a volume:\n\n```sh\n-v ${PWD}/api.yaml:/app/api.yaml\n```\n\nComplete Docker example:\n\n```sh\ndocker run --rm --network=\"host\" -it -v ${PWD}/reports:/app/reports -v ${PWD}/api.yaml:/app/api.yaml wallarm/gotestwaf --wafName your_waf_name --url=https://example.com/v1 --openapiFile api.yaml\n```\n\n## Running with OWASP Core Rule Set regression testing suite\n\nGoTestWAF allows easy integration of additional test suites.\n\nIn this example, we will demonstrate how to add tests from the OWASP Core Rule Set regression testing suite.\n\nSince the CRS tests are written in a format different from GoTestWAF's, a conversion is required. 
For this purpose, the script **misc/modsec_regression_testset_converter.rb** is provided.\n\nTo convert the tests, run `make modsec_crs_regression_tests_convert`. Then build a container with the updated set of tests: `make gotestwaf`.\n\nNote that by default, tests are converted for only a subset of rules. The following categories have been chosen:\n\n- REQUEST-932-APPLICATION-ATTACK-RCE\n- REQUEST-933-APPLICATION-ATTACK-PHP\n- REQUEST-941-APPLICATION-ATTACK-XSS\n- REQUEST-930-APPLICATION-ATTACK-LFI\n- REQUEST-931-APPLICATION-ATTACK-RFI\n- REQUEST-942-APPLICATION-ATTACK-SQLI\n- REQUEST-944-APPLICATION-ATTACK-JAVA\n- REQUEST-934-APPLICATION-ATTACK-GENERIC\n- REQUEST-913-SCANNER-DETECTION\n\nIf needed, modify the variable `crs_testcases` in misc/modsec_regression_testset_converter.rb to add or remove test categories.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwallarm%2Fgotestwaf","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwallarm%2Fgotestwaf","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwallarm%2Fgotestwaf/lists"}