Penetration Testing, colloquially known as pen-testing, is a process where a system such as a website, network, API, server, computer, WiFi or infrastructure is tested for vulnerabilities using the same methods and tools a Cyber Attacker, or “Hacker”, would apply. Unlike a Cyber Attacker, a Penetration Tester is ethical: they share the vulnerabilities they find with the owner so they can be resolved, which means Cyber Attackers can no longer take advantage of them. So, should you disable the WAF for penetration testing?
A WAF (Web Application Firewall) is a network filter, typically placed in front of websites and APIs, that protects against Cyber Attacks. The WAF has patterns and rules for detecting Cyber Attacks and can block them before they reach the website/API. This is a good security layer and is recommended for all websites. Should it be disabled for pen testing?
Firstly, the Penetration Test is there to test the website/API, not the WAF. If the WAF is very effective it will block a lot of the tests from reaching the website/API, so we don’t actually learn whether the website/API is vulnerable to that attack. There could be vulnerable code that the developers are unaware of, and they will likely copy this vulnerable code into other parts of the website/API. If there is a WAF bypass, or the WAF is changed or disabled accidentally (which we see happen more often than you might expect), this will expose unknown vulnerabilities.
Secondly, the WAF slows down the Penetration Tester: they either need to try more attacks or spend time bypassing the WAF, which leaves less time to test the website/API itself, reducing the number of tests performed and vulnerabilities found.
Some people think that, to make it fair, a Penetration Testing company should have as little information as possible, so that it has the same information a Cyber Attacker would have. This is great if you want to compare a Penetration Testing company against a Cyber Attacker, but ultimately you want the Penetration Tester to find as many vulnerabilities as possible. So any advantage or extra information you can provide to the Penetration Tester increases the chances of them finding more vulnerabilities, which allows you to resolve them and be better protected. We don’t want to be fair to the Cyber Attacker. We want them to be at a significant disadvantage while maximising your cyber security.
The WAF should be a second layer of protection, which means it should apply protection on top of a penetration tested website/API. This is to provide the greatest protection and greatest difficulty for a Cyber Attacker. So the WAF should be disabled for Penetration Testers (ideally using allowlisted IPs) to maximise the number of vulnerabilities that can be found during Penetration Testing.
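As an added example (not part of the original article), this is how the allowlisted-IP approach can be expressed for a ModSecurity-compatible WAF running the OWASP Core Rule Set; the engine, rule ids and tester addresses are assumptions, with the addresses taken from the RFC 5737 documentation range as placeholders.

```apache
# Added example: scope the WAF exemption to the Penetration Tester's source IPs.
# Assumes a ModSecurity v2/v3 engine with the OWASP Core Rule Set (CRS) loaded.
# Place this rule BEFORE the CRS include so it is evaluated first in phase 1.

# What NOT to do during a test: this disables the WAF for every visitor.
# SecRuleEngine Off

# Tester source addresses are constructed placeholders (RFC 5737 range);
# replace them with the addresses the Penetration Testing company supplies.
SecRule REMOTE_ADDR "@ipMatch 203.0.113.10,203.0.113.11" \
    "id:10010,phase:1,pass,log,msg:'Pentest allowlist: WAF disabled for this request',ctl:ruleEngine=Off"

# Alternative: log what the WAF would have blocked without blocking it, so the
# tester's findings can be compared with the WAF's detections after the engagement.
# SecRule REMOTE_ADDR "@ipMatch 203.0.113.10,203.0.113.11" \
#     "id:10011,phase:1,pass,nolog,ctl:ruleEngine=DetectionOnly"

# Remove the exemption when the engagement ends so the WAF returns to full protection.
```

Because the exemption is keyed on the tester's source address, every other visitor continues to receive the WAF's full protection while the test runs.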
Vertex Cyber Security is a trusted CREST approved Penetration Testing company. Contact Vertex if you have questions or require a penetration test.