@waftester/cli 2.8.0

package/templates/overrides/crs-tuning.yaml

@@ -0,0 +1,204 @@
+# WAFtester CRS Tuning Override Configuration
+# Fine-tunes scanning for environments running ModSecurity with OWASP CRS
+# Adjusts payloads and expectations based on CRS paranoia levels
+
+overrides:
+  - id: crs-pl1-baseline
+    description: "Adjust expectations for CRS Paranoia Level 1 (baseline rules)"
+    match:
+      waf: "modsecurity"
+      paranoia_level: 1
+    action:
+      expected_block_rate: 60.0
+      skip_tags:
+        - "evasion-advanced"
+        - "encoding-multi"
+        - "unicode-bypass"
+    enabled: true
+    priority: 100
+
+  - id: crs-pl2-standard
+    description: "Adjust expectations for CRS Paranoia Level 2 (additional rules)"
+    match:
+      waf: "modsecurity"
+      paranoia_level: 2
+    action:
+      expected_block_rate: 80.0
+      skip_tags:
+        - "evasion-exotic"
+    enabled: true
+    priority: 100
+
+  - id: crs-pl3-strict
+    description: "Adjust expectations for CRS Paranoia Level 3 (more rules, more FPs)"
+    match:
+      waf: "modsecurity"
+      paranoia_level: 3
+    action:
+      expected_block_rate: 92.0
+      false_positive_tolerance: 8.0
+    enabled: true
+    priority: 100
+
+  - id: crs-pl4-paranoid
+    description: "Adjust expectations for CRS Paranoia Level 4 (maximum protection)"
+    match:
+      waf: "modsecurity"
+      paranoia_level: 4
+    action:
+      expected_block_rate: 98.0
+      false_positive_tolerance: 15.0
+    enabled: true
+    priority: 100
+
+  - id: crs-sqli-rules
+    description: "Tune SQLi testing for CRS rule IDs 942xxx"
+    match:
+      waf: "modsecurity"
+      category: "sqli"
+    action:
+      expect_rule_ids:
+        - "942100"
+        - "942110"
+        - "942120"
+        - "942130"
+        - "942140"
+        - "942150"
+        - "942160"
+        - "942170"
+        - "942180"
+        - "942190"
+        - "942200"
+        - "942210"
+        - "942220"
+        - "942230"
+        - "942240"
+        - "942250"
+        - "942260"
+        - "942270"
+        - "942280"
+        - "942290"
+        - "942300"
+        - "942310"
+        - "942320"
+        - "942330"
+        - "942340"
+        - "942350"
+        - "942360"
+        - "942370"
+        - "942380"
+        - "942390"
+        - "942400"
+        - "942410"
+        - "942420"
+        - "942430"
+        - "942440"
+        - "942450"
+        - "942460"
+        - "942470"
+        - "942480"
+        - "942490"
+        - "942500"
+        - "942510"
+      match_header: "x-modsecurity-rule-id"
+    enabled: true
+    priority: 80
+
+  - id: crs-xss-rules
+    description: "Tune XSS testing for CRS rule IDs 941xxx"
+    match:
+      waf: "modsecurity"
+      category: "xss"
+    action:
+      expect_rule_ids:
+        - "941100"
+        - "941110"
+        - "941120"
+        - "941130"
+        - "941140"
+        - "941150"
+        - "941160"
+        - "941170"
+        - "941180"
+        - "941190"
+        - "941200"
+        - "941210"
+        - "941220"
+        - "941230"
+        - "941240"
+        - "941250"
+        - "941260"
+        - "941270"
+        - "941280"
+        - "941290"
+        - "941300"
+        - "941310"
+        - "941320"
+        - "941330"
+        - "941340"
+        - "941350"
+        - "941360"
+        - "941370"
+        - "941380"
+      match_header: "x-modsecurity-rule-id"
+    enabled: true
+    priority: 80
+
+  - id: crs-rce-rules
+    description: "Tune RCE testing for CRS rule IDs 932xxx"
+    match:
+      waf: "modsecurity"
+      category: "rce"
+    action:
+      expect_rule_ids:
+        - "932100"
+        - "932105"
+        - "932110"
+        - "932115"
+        - "932120"
+        - "932130"
+        - "932140"
+        - "932150"
+        - "932160"
+        - "932170"
+        - "932171"
+        - "932180"
+        - "932190"
+        - "932200"
+      match_header: "x-modsecurity-rule-id"
+    enabled: true
+    priority: 80
+
+  - id: crs-anomaly-scoring
+    description: "Account for CRS anomaly scoring mode vs traditional mode"
+    match:
+      waf: "modsecurity"
+    action:
+      anomaly_threshold: 5
+      check_anomaly_score: true
+      anomaly_header: "x-modsecurity-anomaly-score"
+    enabled: true
+    priority: 70
+
+  - id: crs-block-indicators
+    description: "Recognize CRS-specific block response patterns"
+    match:
+      waf: "modsecurity"
+    action:
+      block_indicators:
+        status_codes:
+          - 403
+          - 406
+          - 418
+          - 429
+          - 503
+        body_patterns:
+          - "ModSecurity"
+          - "Access Denied"
+          - "Not Acceptable"
+          - "SecRule"
+        headers:
+          - "mod_security"
+          - "OWASP_CRS"
+    enabled: true
+    priority: 60

package/templates/overrides/false-positive-suppression.yaml

@@ -0,0 +1,159 @@
+# WAFtester False Positive Suppression Override Configuration
+# Rules to suppress known false positives and reduce noise in scan results
+# Use this to tune results after initial baseline assessment
+
+overrides:
+  - id: suppress-static-assets
+    description: "Skip testing on static asset paths (CSS, JS, images, fonts)"
+    match:
+      path: "\\.(css|js|png|jpg|jpeg|gif|svg|ico|woff2?|ttf|eot|map)$"
+    action:
+      skip: true
+    enabled: true
+    priority: 100
+
+  - id: suppress-favicon
+    description: "Skip favicon.ico — most WAFs do not inspect this"
+    match:
+      path: "/favicon\\.ico$"
+    action:
+      skip: true
+    enabled: true
+    priority: 100
+
+  - id: suppress-robots-txt
+    description: "Skip robots.txt probing — not an attack surface"
+    match:
+      path: "/robots\\.txt$"
+    action:
+      skip: true
+    enabled: true
+    priority: 100
+
+  - id: suppress-healthcheck
+    description: "Skip health check and status endpoints"
+    match:
+      path: "/(health|healthz|health-check|status|ping|readyz|livez|ready|alive)$"
+    action:
+      skip: true
+    enabled: true
+    priority: 95
+
+  - id: suppress-metrics
+    description: "Skip metrics and monitoring endpoints"
+    match:
+      path: "/(metrics|prometheus|_monitoring|debug/vars|debug/pprof)$"
+    action:
+      skip: true
+    enabled: true
+    priority: 95
+
+  - id: suppress-common-fp-sqli
+    description: "Suppress SQLi false positives from natural language with SQL-like words"
+    match:
+      category: "sqli"
+      false_positive_indicators:
+        - body_contains: "select your"
+        - body_contains: "union of"
+        - body_contains: "drop us a line"
+        - body_contains: "order now"
+        - body_contains: "insert your"
+        - body_contains: "update your"
+        - body_contains: "delete your account"
+        - body_contains: "from our"
+        - body_contains: "where we"
+    action:
+      mark_false_positive: true
+      confidence_reduction: 0.5
+    enabled: true
+    priority: 80
+
+  - id: suppress-common-fp-xss
+    description: "Suppress XSS false positives from legitimate HTML-like content"
+    match:
+      category: "xss"
+      false_positive_indicators:
+        - body_contains: "<script src="
+        - body_contains: "onclick="
+        - body_contains: "onload="
+        - header_contains: "text/html"
+    action:
+      mark_false_positive: true
+      confidence_reduction: 0.3
+    enabled: true
+    priority: 80
+
+  - id: suppress-404-as-block
+    description: "Do not count 404 Not Found as WAF blocking unless confirmed"
+    match:
+      response_code: 404
+    action:
+      reclassify: "not_found"
+      block_confidence: 0.1
+    enabled: true
+    priority: 75
+
+  - id: suppress-redirect-as-block
+    description: "Do not count 301/302 redirects as WAF blocking"
+    match:
+      response_code:
+        - 301
+        - 302
+        - 307
+        - 308
+    action:
+      reclassify: "redirect"
+      block_confidence: 0.05
+    enabled: true
+    priority: 75
+
+  - id: suppress-rate-limit-as-block
+    description: "Distinguish rate limiting (429) from WAF blocking"
+    match:
+      response_code: 429
+    action:
+      reclassify: "rate_limited"
+      block_confidence: 0.3
+    enabled: true
+    priority: 70
+
+  - id: suppress-cdn-errors
+    description: "Filter out CDN-level errors that are not WAF blocks"
+    match:
+      response_code:
+        - 502
+        - 504
+      body_patterns:
+        - "Bad Gateway"
+        - "Gateway Timeout"
+        - "upstream connect error"
+    action:
+      reclassify: "infrastructure_error"
+      block_confidence: 0.0
+    enabled: true
+    priority: 70
+
+  - id: suppress-captcha-soft-block
+    description: "Treat CAPTCHA challenges as soft blocks, not hard blocks"
+    match:
+      body_patterns:
+        - "captcha"
+        - "recaptcha"
+        - "hCaptcha"
+        - "challenge-platform"
+        - "turnstile"
+    action:
+      reclassify: "captcha_challenge"
+      block_confidence: 0.7
+    enabled: true
+    priority: 65
+
+  - id: suppress-timeout-false-positive
+    description: "Do not count request timeouts as bypasses"
+    match:
+      timeout: true
+    action:
+      reclassify: "timeout"
+      bypass_confidence: 0.0
+    enabled: true
+    priority: 90

package/templates/policies/owasp-top10.yaml

@@ -0,0 +1,152 @@
+# WAFtester OWASP Top 10 Policy
+# Maps directly to OWASP Top 10 2021 categories
+# Ensures WAF coverage for each OWASP category
+
+name: owasp-top10
+description: "OWASP Top 10 (2021) compliance policy — validates WAF coverage for all ten risk categories"
+version: "2.0.0"
+
+severity_threshold: medium
+
+owasp_mapping:
+  A01_Broken_Access_Control:
+    scan_types:
+      - idor
+      - cors
+      - open-redirect
+      - path-traversal
+      - csrf
+      - forced-browsing
+      - privilege-escalation
+    effectiveness_below: 85.0
+
+  A02_Cryptographic_Failures:
+    scan_types:
+      - sensitive-data
+      - tls
+      - insecure-cookies
+      - cleartext-credentials
+    effectiveness_below: 80.0
+
+  A03_Injection:
+    scan_types:
+      - sqli
+      - nosqli
+      - cmdi
+      - ldap
+      - xpath
+      - ssti
+      - crlf
+      - hpp
+      - xss
+      - xxe
+    effectiveness_below: 90.0
+
+  A04_Insecure_Design:
+    scan_types:
+      - bizlogic
+      - race-condition
+      - mass-assignment
+      - api-abuse
+    effectiveness_below: 70.0
+
+  A05_Security_Misconfiguration:
+    scan_types:
+      - misconfig
+      - default-creds
+      - directory-listing
+      - verbose-errors
+      - unnecessary-features
+    effectiveness_below: 80.0
+
+  A06_Vulnerable_Components:
+    scan_types:
+      - cve
+      - outdated-software
+      - known-exploit
+    effectiveness_below: 75.0
+
+  A07_Auth_Failures:
+    scan_types:
+      - broken-auth
+      - brute-force
+      - credential-stuffing
+      - session-fixation
+      - jwt
+      - oauth
+    effectiveness_below: 85.0
+
+  A08_Software_Data_Integrity:
+    scan_types:
+      - deserialization
+      - upload
+      - ci-cd
+    effectiveness_below: 85.0
+
+  A09_Logging_Monitoring:
+    scan_types:
+      - log-injection
+      - monitoring-bypass
+    effectiveness_below: 60.0
+
+  A10_SSRF:
+    scan_types:
+      - ssrf
+      - dns-rebinding
+      - cloud-metadata
+    effectiveness_below: 90.0
+
+fail_on:
+  bypasses:
+    - sqli
+    - xss
+    - rce
+    - ssrf
+    - lfi
+    - rfi
+    - ssti
+    - xxe
+    - cmdi
+    - deserialization
+    - nosqli
+    - crlf
+    - ldap
+    - xpath
+    - upload
+    - idor
+    - cors
+    - csrf
+    - broken-auth
+    - jwt
+    - oauth
+
+  categories:
+    - injection
+    - broken-auth
+    - sensitive-data
+    - xxe
+    - broken-access
+    - misconfig
+    - xss
+    - deserialization
+    - components
+    - logging
+    - ssrf
+
+  effectiveness_below: 80.0
+
+  error_rate_above: 5.0
+
+  false_positive_rate_above: 5.0
+
+  min_tests_required: 30
+
+  max_response_time_ms: 15000
+
+  require_waf_detected: false
+
+ignore:
+  ids: []
+  tags:
+    - informational
+  severity_below: low

package/templates/policies/pci-dss.yaml

@@ -0,0 +1,124 @@
+# WAFtester PCI DSS Policy
+# Aligned with PCI DSS v4.0 requirements for web application firewalls
+# Requirement 6.4.2: Automated technical solution for public-facing web applications
+
+name: pci-dss
+description: "PCI DSS v4.0 compliance policy — validates WAF protection for cardholder data environments"
+version: "2.0.0"
+
+severity_threshold: medium
+
+compliance:
+  framework: "PCI DSS"
+  version: "4.0"
+  requirements:
+    - id: "6.4.1"
+      description: "Public-facing web applications are protected against attacks"
+    - id: "6.4.2"
+      description: "Automated technical solution that detects and prevents web-based attacks"
+    - id: "6.2.4"
+      description: "Software engineering techniques prevent injection attacks"
+    - id: "11.6.1"
+      description: "Unauthorized changes to HTTP headers and payment page content are detected"
+
+pci_controls:
+  injection_protection:
+    description: "Req 6.2.4 — Prevent common injection attacks"
+    scan_types:
+      - sqli
+      - nosqli
+      - xss
+      - cmdi
+      - ldap
+      - xpath
+      - ssti
+      - xxe
+    effectiveness_below: 90.0
+
+  authentication_protection:
+    description: "Req 8 — Identify and authenticate access"
+    scan_types:
+      - broken-auth
+      - brute-force
+      - credential-stuffing
+      - session-fixation
+      - jwt
+    effectiveness_below: 90.0
+
+  data_protection:
+    description: "Req 3+4 — Protect stored and transmitted data"
+    scan_types:
+      - sensitive-data
+      - lfi
+      - ssrf
+      - tls
+    effectiveness_below: 85.0
+
+  access_control:
+    description: "Req 7 — Restrict access by business need-to-know"
+    scan_types:
+      - idor
+      - cors
+      - csrf
+      - path-traversal
+    effectiveness_below: 85.0
+
+  change_detection:
+    description: "Req 11.6.1 — Detect unauthorized content/header changes"
+    scan_types:
+      - crlf
+      - host-header
+      - cache-poisoning
+      - request-smuggling
+    effectiveness_below: 85.0
+
+fail_on:
+  bypasses:
+    - sqli
+    - xss
+    - rce
+    - ssrf
+    - lfi
+    - rfi
+    - ssti
+    - xxe
+    - cmdi
+    - deserialization
+    - nosqli
+    - crlf
+    - ldap
+    - xpath
+    - upload
+    - broken-auth
+    - session-fixation
+    - idor
+    - request-smuggling
+
+  categories:
+    - injection
+    - broken-auth
+    - sensitive-data
+    - xxe
+    - broken-access
+    - xss
+    - deserialization
+    - ssrf
+
+  effectiveness_below: 85.0
+
+  error_rate_above: 3.0
+
+  false_positive_rate_above: 3.0
+
+  min_tests_required: 40
+
+  max_response_time_ms: 10000
+
+  require_waf_detected: true
+
+ignore:
+  ids: []
+  tags:
+    - informational
+    - recon
+  severity_below: low

package/templates/policies/permissive.yaml

@@ -0,0 +1,40 @@
+# WAFtester Permissive Security Policy
+# Relaxed policy for development and initial WAF tuning
+# Only fails on critical, actively exploitable bypasses
+
+name: permissive
+description: "Relaxed development policy — only fails on critical, actively exploitable WAF bypasses"
+version: "2.0.0"
+
+severity_threshold: high
+
+fail_on:
+  bypasses:
+    - sqli
+    - rce
+    - deserialization
+    - request-smuggling
+
+  categories:
+    - injection
+
+  effectiveness_below: 50.0
+
+  error_rate_above: 15.0
+
+  false_positive_rate_above: 10.0
+
+  min_tests_required: 5
+
+  max_response_time_ms: 30000
+
+  require_waf_detected: false
+
+ignore:
+  ids: []
+  tags:
+    - informational
+    - recon
+    - evasion
+    - low-confidence
+  severity_below: medium