Look at the WAF rules you've enabled, likely some flavor of the OWASP top 10.
If you want to test them you can run a penetration test tool like OWASP ZAP or similar.
Depending on how your WAF is configured you'll be able to see in the logs the offending requests and if it's in prevention mode those calls will be blocked.
That's great to hear! If you (or anyone else) have a ZAP "Success Story" you would be happy to share, we'd be delighted to feature it on https://www.zaproxy.org/success/ :)
There are a couple of tools that can help you when you want to pentest your project. Make sure to test against a development or testing environment so you don't break a production site.
There are a lot of other tools, but these 3 should be enough to get you started.
If you have the time and resources to learn, have a look at OWASP ZAP - https://www.zaproxy.org/. It's a free tool and if you're just getting started, they have an Automated Scan that is fairly easy to use (just plug in your website or webapp URL) built in that can help you identify the core vulnerabilities of your server configurations etc.
Looks like the free, open source Zed Attack Proxy has discovery rules for it now.
No time like the present to get started with scanning.
https://www.zaproxy.org/docs/desktop/addons/active-scan-rules-alpha/
I would guess the answers are going to depend on the kind of risks you're trying to drive down. If it's just compliance, a tool like ZAP can be fine. If your app is a modern one, or you have real security concerns, you will likely want to invest in tooling rather than limiting yourself to just open source ones.
Having said that, ZAP publishes a docker image that one can drive via its API, which may fit into the services: model of GLCI, with the main image: of the job being the orchestration of ZAP and formatting the output as you wish.
Hey Scott, thank you very much. Regarding your questions, here are a few links you might find useful: https://www.zaproxy.org/zap-in-ten/ https://www.zaproxy.org/zap-deep-dive/ You can also join the OWASP Slack channel and ask the question there.
I'd explore the OWASP ZAP documentation. https://www.zaproxy.org/docs/
There are literal checklists deep in the documentation, or more high-level tutorials on how to set up a scanner, launch automated scans, and generate reports. There are step-by-step instructions for how to test for each vulnerability type.
ZAP is an excellent tool for that and is technology agnostic: https://www.zaproxy.org/
Each exploit is detailed enough to correct by yourself.
Last advice: ZAP really breaks your app; use it on an isolated (local, alpha, ...) version.
Overall a very solid checklist for each category, nice article!
Re: Tooling/Code Quality: There are also run-time analysis tools like OWASP ZAP that scan running instances of your APIs, apps, etc. In my previous company, we had lightweight microservices, and we were able to easily incorporate these scans as part of our CI before merging.
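As an added example of the "orchestration" job described in the GitLab CI comment above and of the CI scans mentioned here (it is not ZAP's own scripts nor any commenter's code): a small Python driver that talks to a ZAP daemon over its JSON API, waits for the spider and the active scan to finish, and turns the alert list into a pass/fail verdict for the pipeline. The service hostname zap:8080, the API key and the "fail on High/Medium" policy are assumptions, and the SAMPLE responses are constructed so the flow can be run offline.

```python
import json
import time
import urllib.parse
import urllib.request

ZAP_URL = "http://zap:8080"   # assumed: the ZAP daemon's service hostname inside the CI job
API_KEY = "changeme"          # assumed: matches -config api.key=... given to the daemon
FAIL_AT = {"High", "Medium"}  # assumed policy: alerts at these risk levels fail the pipeline

# Constructed sample responses, keyed by API path, so the orchestration runs offline.
SAMPLE = {
    "/JSON/spider/action/scan/": {"scan": "0"},
    "/JSON/spider/view/status/": {"status": "100"},
    "/JSON/ascan/action/scan/": {"scan": "0"},
    "/JSON/ascan/view/status/": {"status": "100"},
    "/JSON/core/view/alerts/": {"alerts": [
        {"alert": "SQL Injection", "risk": "High", "url": "http://app:3000/search"},
        {"alert": "X-Content-Type-Options Header Missing", "risk": "Low", "url": "http://app:3000/"},
    ]},
}

def sample_fetch(url):
    """Offline stand-in for an HTTP GET: answers from the constructed SAMPLE table."""
    return json.dumps(SAMPLE[urllib.parse.urlparse(url).path]).encode()

def api(path, fetch, **params):
    """Call one ZAP JSON API endpoint; the key travels as the apikey query parameter."""
    params["apikey"] = API_KEY
    return json.loads(fetch(f"{ZAP_URL}{path}?{urllib.parse.urlencode(params)}"))

def wait_for(component, scan_id, fetch):
    """Poll the spider or active-scan ('ascan') progress until ZAP reports 100%."""
    while int(api(f"/JSON/{component}/view/status/", fetch, scanId=scan_id)["status"]) < 100:
        time.sleep(5)

def summarize(alerts):
    """Count alerts per risk level and decide whether the job should fail."""
    counts = {}
    for alert in alerts:
        counts[alert["risk"]] = counts.get(alert["risk"], 0) + 1
    return counts, any(counts.get(level, 0) for level in FAIL_AT)

def run_scan(target, fetch=None):
    """Spider the target, actively scan it, then summarize what ZAP reported."""
    fetch = fetch or (lambda u: urllib.request.urlopen(u, timeout=30).read())
    wait_for("spider", api("/JSON/spider/action/scan/", fetch, url=target)["scan"], fetch)
    wait_for("ascan", api("/JSON/ascan/action/scan/", fetch, url=target)["scan"], fetch)
    return summarize(api("/JSON/core/view/alerts/", fetch, baseurl=target)["alerts"])
```

Against a real daemon (started in the service container with zap.sh -daemon -host 0.0.0.0 -port 8080 -config api.key=... and an api.addrs.addr entry allowing the job container), call run_scan("http://app:3000") and exit non-zero when the second return value is true; run_scan(target, sample_fetch) walks the same flow over the constructed responses.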
If you go into web application security, you do not need to install Linux. You can simply search for an alternative program on your system. For example, a tool such as OWASP ZAP (https://www.zaproxy.org/) can be installed on any OS.
When learning exploitation it is more important to understand the method of exploitation rather than having a tool to do it for you.
ZAP passively scans all of the requests and responses that you proxy through it, or that are sent by any of its tools.
So you can launch your browser from ZAP and that will automatically proxy through ZAP; then you can start exploring the site manually. Or you can use the standard spider (good for traditional sites) and/or the AJAX spider (good for sites that use lots of JavaScript) to explore the site for you.
For more details see the ZAP Getting Started Guide https://www.zaproxy.org/getting-started/
You should not use the active scanner unless you have permission to test that site.