Re: [Mod-security-developers] mod_security test suite
From: Christian F. <chr...@ti...> - 2015-10-01 21:00:15
Kurt,

On Thu, Oct 01, 2015 at 08:52:48AM -0600, Kurt Seifried wrote:
> Sorry I should have been more explicit, my concern is integration testing
> more, e.g. we have a layered product sitting on top of Red Hat Enterprise
> Linux (e.g. Satellite Server, CloudForms, OpenStack, whatever), if I put
> mod_security in front of it I need to test that the whole stack works
> together, obviously one aspect of that is "Real world" testing, but in
> order to avoid false negatives (e.g. a test passes, but maybe mod_security
> didn't block it properly and some nasty data managed to get through to the
> backend) I need some simple ways to ensure I can test for false negatives
> and false positives

Through the years I used various approaches to achieve this. In the end I returned to a self-written testsuite that uses ruby unit-testing to fire requests at Apache/ModSec and expects certain responses. I use this to test anything from simple requests to multi-step logins (expecting a session cookie at the end of the process); legitimate requests and expected blockings.

Whenever I write custom rules for the service I add more test requests. Those that should pass, and those that should be blocked. When a pen-test finds a weakness and we need to block an exploit in ModSecurity, the exact vector of the pen-test is added to the test suite. This makes sure the virtual patch is not disappearing in a future release of the service.

I am not sure how I would scale this for a larger installation, but for small standalone services, it works nicely, and I can give my customers a ring, if their service suddenly reintroduces old bugs.

Just my 2 cents.

Ahoj,

Christian

-- 
I have always observed that to succeed in the world one should appear like a fool but be wise.
-- Charles de Montesquieu
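The kind of harness Christian describes, as an added example that is not his suite and not part of the ModSecurity project: a small Ruby request/response checker that fires named cases at a ModSecurity-fronted Apache and records whether each got the expected status, plus a multi-step login that is only considered healthy when a session cookie appears after the credential POST and unlocks the account page. The target URL (`WAF_TARGET`), the paths (`/search`, `/login`, `/account`), the cookie name `SESSIONID` and the two blocked vectors are all constructed for this example. Because the real transport needs a live target, the block also carries a constructed stub that mimics a WAF with two crude deny patterns and a cookie session, so the harness can be exercised offline; swap in the real transport by setting `WAF_TARGET`.

```ruby
require 'net/http'
require 'uri'

# Fires one request at a time and carries cookies forward so multi-step
# flows (login -> authenticated page) can be checked end to end.
class WafProbe
  Response = Struct.new(:status, :headers, :body)

  # transport: callable (method, path, body, cookies) -> Response.
  # Defaults to real HTTP against base_url; a stub may be injected.
  def initialize(base_url, transport: nil)
    @base = URI(base_url)
    @transport = transport || method(:http_transport)
    @cookies = {}
  end

  def request(meth, path, body = nil)
    resp = @transport.call(meth, path, body, @cookies.dup)
    # Remember every Set-Cookie so the next request presents it.
    Array(resp.headers['set-cookie']).each do |c|
      name, value = c.split(';', 2).first.split('=', 2)
      @cookies[name] = value
    end
    resp
  end

  def cookie(name)
    @cookies[name]
  end

  private

  # Real transport: assumes the ModSecurity-fronted service is reachable at base_url.
  def http_transport(meth, path, body, cookies)
    uri = URI.join(@base, path)
    req = (meth == :post ? Net::HTTP::Post : Net::HTTP::Get).new(uri)
    req['Cookie'] = cookies.map { |k, v| "#{k}=#{v}" }.join('; ') unless cookies.empty?
    if body
      req.body = body
      req.content_type = 'application/x-www-form-urlencoded'
    end
    r = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') { |h| h.request(req) }
    Response.new(r.code.to_i, { 'set-cookie' => r.get_fields('set-cookie') || [] }, r.body)
  end
end

# Each case: [name, method, path, body, expected status]. Legitimate traffic
# must pass (200); the two vectors (constructed placeholders standing in for
# findings a pen-test would add) must be blocked (403).
CASES = [
  ['root page passes',     :get,  '/', nil, 200],
  ['search passes',        :get,  '/search?q=' + URI.encode_www_form_component('apache tuning'), nil, 200],
  ['xss in query blocked', :get,  '/search?q=' + URI.encode_www_form_component('<script>alert(1)</script>'), nil, 403],
  ['sqli in body blocked', :post, '/login', URI.encode_www_form(user: "admin' OR 1=1--", pass: 'x'), 403],
]

# Returns one result hash per case; a false :ok on a "blocked" case is the
# false negative Kurt is worried about, on a "passes" case a false positive.
def run_suite(probe, cases = CASES)
  cases.map do |name, meth, path, body, want|
    got = probe.request(meth, path, body).status
    { name: name, want: want, got: got, ok: got == want }
  end
end

# Multi-step login: GET the form, POST credentials, expect a session cookie,
# then use it to reach the account page.
def login_flow(probe, user:, pass:)
  probe.request(:get, '/login')
  probe.request(:post, '/login', URI.encode_www_form(user: user, pass: pass))
  sid = probe.cookie('SESSIONID')
  status = probe.request(:get, '/account').status
  { session: !sid.nil?, account_status: status, ok: !sid.nil? && status == 200 }
end

# Constructed stand-in for Apache+ModSecurity used when no target is set:
# deny on two crude patterns, issue a session cookie on login, gate /account.
def stub_transport
  proc do |meth, path, body, cookies|
    text = URI.decode_www_form_component("#{path} #{body}")
    if text =~ /<script|' OR 1=1/i
      WafProbe::Response.new(403, {}, 'Forbidden')
    elsif meth == :post && path == '/login'
      WafProbe::Response.new(302, { 'set-cookie' => ['SESSIONID=abc123; Path=/; HttpOnly'] }, '')
    elsif path == '/account'
      WafProbe::Response.new(cookies['SESSIONID'] ? 200 : 401, {}, '')
    else
      WafProbe::Response.new(200, {}, 'ok')
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  target = ENV['WAF_TARGET'] # assumed env var, e.g. https://staging.example.test
  mk = -> { WafProbe.new(target || 'http://stub.invalid', transport: target ? nil : stub_transport) }
  run_suite(mk.call).each { |c| puts "#{c[:ok] ? 'PASS' : 'FAIL'} #{c[:name]} (want #{c[:want]}, got #{c[:got]})" }
  f = login_flow(mk.call, user: 'alice', pass: 'secret')
  puts "#{f[:ok] ? 'PASS' : 'FAIL'} login flow (cookie=#{f[:session]}, account=#{f[:account_status]})"
end
```

Every custom rule or virtual patch gets its own entry in `CASES`, so a later release of the service or of the rule set that quietly stops blocking a known vector shows up as a FAIL in the same run that checks the legitimate traffic still gets through.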