Web Application Firewall (WAF) Testing

activereach’s Web Application Firewall (WAF) testing service challenges your security resilience to the OWASP Top 10 – the Open Web Application Security Project’s most critical application security risks – and more.

Why test your WAF?

Web applications, including consumer-facing applications and enterprise apps, play a vital role in day-to-day business operations. Web apps have grown from just a few business applications to a multitude of backend web apps, SaaS apps and other cloud-delivered solutions.

Many web apps process sensitive data such as user, PII and financial information, which means they are frequently targeted by cybercriminals. As web apps become increasingly complex, the range of exploitable vulnerabilities is rising. Furthermore, the number and diversity of threats continues to increase, from advanced malware to web-specific application-layer attacks, as well as distributed denial of service (DDoS) attacks.

Organizations rely on WAF technology for protecting their web apps. These days, it is very easy for cybercriminals to locate all manner of automated application attack tools online. A notorious example is the infamous Equifax breach that was caused by an application vulnerability (Apache Struts) in one of its websites – affecting the PII of over 140 million consumers.


By using the same techniques utilised by genuine attackers, our WAF testing services help to identify vulnerabilities including:

  • Injection flaws
  • Authentication weaknesses
  • Poor session management
  • Broken access controls
  • Security misconfigurations
  • Database interaction errors
  • Input validation problems
  • Flaws in application logic


The activeDEFENCE WAF Testing platform utilises a globally managed legitimate botnet that is capable of generating an extensive range of attack types. These can range from Layer 7 application attacks to large multi-gigabit DDoS attacks that can scale up to in excess of 500Gbps. The Botnet does not use anonymous infected computers, but instead a global testing network using dedicated co-located and cloud-based servers to generate the traffic.

These tests mimic user behaviour and often take advantage of web-based encryption (i.e. SSL), which can hide the attack from mitigation systems and services. The difficulty here is ensuring that WAF/mitigation systems can distinguish illegitimate traffic from legitimate traffic and minimise or eliminate false-positives. Aggressive mitigation can impact legitimate users and a test can help enumerate the risks or poor customer experience.

With activereach’s WAF attack test, you can check if your WAF configuration, implementation and features are able to block payloads (e.g. XSS or SQL Injection) before they get anywhere near your web applications.


Layer 7 (Lower volume, higher connections, low and slow, application attacks) that activereach can simulate include:

· BroBot
· DNS ANY Query
· DNS Reflection Attack
· Dynamic HTTP Flood
· Extreme Bot Attack
· HTTP/s Flood with Browser Enumeration
· HTTP GET Flood/HTTP Flooders
· HTTPS Flood
· PHP Hash Collision
· Pyloris
· RefRef
· SlowLoris
· Slow Post
· Tor’s Hammer

At the end of each WAF attack simulation, or other simulation vector, a Risk Score is provided, indicating the organization’s exposure, along with other KPI metrics and actionable guidelines to fine-tune controls and close security gaps.


An application attack directly targets a service or application at layer 7, the end user level. Huge problems can be caused with just one dedicated attack machine, and because attackers can get away with using low traffic rates, they can be difficult to detect and neutralise. Over the last couple of years this form of attack has become more and more commonplace.

HTTP GET attacks. The classic attack of this type is the HTTP (Hypertext Transfer Protocol) GET attack. A web server receives an HTTP GET command from a browser to request some kind of information – perhaps an image, some text, or the result of a database query.

An attacker simply uses a sufficient volume of HTTP GET requests – usually asking for resource-heavy information such as database queries. Like a protocol attack, the volume of inbound (request) traffic is low, but the target server can be overwhelmed very quickly. Unlike a protocol attack, the traffic looks legitimate and sophisticated techniques are required to distinguish between a user browsing the site, and a bot making spurious and damaging requests.

If you would like to talk to a PreSales Consultant regarding the activereach WAF Testing and Attack Simulation Service, please contact us on +44 (0)845 625 9025.