Yeah, I guess the way I would envision it going would be:

1) web app scanner sees XSS vuln on /path/to/foo.php
2) my integration ties that web app scan into a format to pass to WAF
3) WAF sets up anti-xss rules on /path/to/foo.php (we had to actually create a static mapping for this step)
4) measure how many hits the waf blocks to that endpoint for the XSS 

John

On Mon, Jul 13, 2020 at 10:46 AM Rafal Los <Rafal@ishackingyou.com> wrote:

John,

Can you expand on #2? How do you measure the number of attacks stifled?

--
Rafal
Mobile: (404) 606-6056
Email: Rafal.Los@Seventy7.Consulting

From: John Lampe via Dailydave <dailydave@lists.aitelfoundation.org>
Reply-To: John Lampe <jlampe@tenable.com>
Date: Saturday, July 11, 2020 at 9:52 PM
To: Dave Aitel <dave.aitel@gmail.com>
Cc: "dailydave@lists.aitelfoundation.org" <dailydave@lists.aitelfoundation.org>
Subject: [Dailydave] Re: [EXTERNAL] WAF Metrics

So, I recently did an integration for a company that took their web app scanner results and mapped those to existing WAF rules. I can think of 2 metrics based off that:

1) How many real-world vulns have a corresponding check in the WAF? and
2) Once the WAF rules have been put in place to protect actually-vulnerable endpoints, how many attacks were actually stifled?

John

On Sat, Jul 11, 2020 at 12:51 PM Dave Aitel via Dailydave <dailydave@lists.aitelfoundation.org> wrote:

So I'm making a video on metrics, of all things, and I wanted to post both this question and the best answer so far to the list to see if anyone had any other ideas or followups.

-dave

_______________________________________________
Dailydave mailing list -- dailydave@lists.aitelfoundation.org
To unsubscribe send an email to dailydave-leave@lists.aitelfoundation.org
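The two metrics John describes (scanner findings that have a corresponding WAF check, and blocked hits on the endpoints the WAF was told to protect) can be computed from two inputs: the scanner's findings and the WAF's request log. The following is an added example written for this thread, not John's integration or any vendor's tooling. It assumes a hand-built static mapping from vulnerability class to WAF rule id (as in step 3 of his workflow), and the scanner output format, the WAF log format, the rule ids and the IP addresses are all constructed placeholders.

```python
"""Coverage and blocked-hit metrics for scanner findings mapped to WAF rules.

Added example for the WAF-metrics discussion; formats and identifiers are
constructed, not taken from any real scanner or WAF.
"""
import re
from collections import Counter

# Constructed sample scanner output (hypothetical format).
SCAN_FINDINGS = [
    {"path": "/path/to/foo.php", "class": "xss", "param": "q"},
    {"path": "/login", "class": "sqli", "param": "user"},
    {"path": "/upload", "class": "path-traversal", "param": "file"},
    {"path": "/api/export", "class": "ssrf", "param": "url"},  # no WAF rule exists
]

# Static mapping from vulnerability class to WAF rule id (the hand-built
# mapping step; rule ids are placeholders, not any vendor's identifiers).
RULE_MAP = {
    "xss": "RULE-XSS-GENERIC",
    "sqli": "RULE-SQLI-GENERIC",
    "path-traversal": "RULE-TRAVERSAL-GENERIC",
}


def build_waf_policy(findings, rule_map):
    """Return (policy, uncovered).

    policy maps each scanner-flagged path to the set of rule ids to enforce
    there; uncovered lists findings with no corresponding WAF check, which is
    exactly the gap metric 1 is meant to expose.
    """
    policy = {}
    uncovered = []
    for finding in findings:
        rule = rule_map.get(finding["class"])
        if rule is None:
            uncovered.append(finding)
            continue
        policy.setdefault(finding["path"], set()).add(rule)
    return policy, uncovered


def coverage_metric(findings, rule_map):
    """Metric 1: fraction of real-world findings that have a WAF check."""
    if not findings:
        return 1.0  # nothing to cover; avoid division by zero
    _, uncovered = build_waf_policy(findings, rule_map)
    return (len(findings) - len(uncovered)) / len(findings)


# Constructed WAF log lines (hypothetical format):
# timestamp action path rule-id client-ip
WAF_LOG = """\
2020-07-13T10:00:01Z BLOCK /path/to/foo.php RULE-XSS-GENERIC 203.0.113.5
2020-07-13T10:00:02Z PASS /path/to/foo.php - 198.51.100.7
2020-07-13T10:00:05Z BLOCK /path/to/foo.php RULE-XSS-GENERIC 203.0.113.5
2020-07-13T10:01:00Z BLOCK /login RULE-SQLI-GENERIC 203.0.113.9
2020-07-13T10:01:30Z BLOCK /other.php RULE-XSS-GENERIC 203.0.113.9
2020-07-13T10:02:00Z PASS /login - 198.51.100.7
this line is log noise and must not crash the parser
"""

LOG_RE = re.compile(r"^(\S+) (BLOCK|PASS) (\S+) (\S+) (\S+)$")


def blocked_hits_metric(log_text, policy):
    """Metric 2: blocked requests per (path, rule) for rules that were put in
    place because the scanner found that path vulnerable.

    Blocks on paths the scanner never flagged are counted separately as
    'unrelated' so that generic rule noise does not inflate the metric.
    """
    protected = Counter()
    unrelated = 0
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip malformed lines instead of aborting on log noise
        _, action, path, rule, _ = match.groups()
        if action != "BLOCK":
            continue
        if rule in policy.get(path, ()):
            protected[(path, rule)] += 1
        else:
            unrelated += 1
    return protected, unrelated


if __name__ == "__main__":
    policy, uncovered = build_waf_policy(SCAN_FINDINGS, RULE_MAP)
    print("coverage:", coverage_metric(SCAN_FINDINGS, RULE_MAP))
    print("uncovered:", [(f["path"], f["class"]) for f in uncovered])
    protected, unrelated = blocked_hits_metric(WAF_LOG, policy)
    for (path, rule), hits in sorted(protected.items()):
        print(f"{path} {rule}: {hits} blocked")
    print("blocks on unflagged paths:", unrelated)
```

Keeping the "unrelated" bucket separate matters for metric 2: a WAF usually fires generic rules everywhere, and counting every block in the log would report attacks "stifled" against endpoints the scanner never found vulnerable, which is not the question Rafal asked.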