Imperva Cyber Community

  • 1.  LAB Testing of Imperva Cloud WAF

    Posted 09-22-2024 21:28

    Hello All,

    I am doing Cloud WAF testing. I need information regarding how I can do a PoC in Cloud WAF.

    How can I create a web application so that we can test any vulnerable URL that is accessible from outside, and see how Cloud WAF will protect it?

    What would be the traffic Flow for my LAB environment?

    Waiting for your response.

    Regards,

    Chrish


    #CloudWAF(formerlyIncapsula)

    ------------------------------
    Chrish John Vicente
    Presales Engineer
    Exclusive Networks Singapore Pte. Ltd.
    Singapore
    ------------------------------


  • 2.  RE: LAB Testing of Imperva Cloud WAF

    Posted 10-22-2024 08:57
    Edited by Sasith Senanayake 10-22-2024 08:57

    Hi Chrish,

    Please reach out to your local Imperva distributor to get a trial tenant created.

    Once the tenant is created you need to have an FQDN with a working backend to do the PoC. What I would suggest is to set up a VM in the cloud or in your on-premise environment and install a vulnerable application such as DVWA or WebGoat. Once the DVWA or WebGoat application is set up, configure public access through a public IP address by configuring the necessary NAT rules. Next you will need to purchase or use a testing domain and configure the public IP address as an A record. So now you will have a working web application behind a working FQDN. Onboard this to Imperva CWAF and set it up. Once everything is configured you may start attacking the DVWA application. You will be able to see that Imperva blocks the attacks. These events will be visible as alerted/blocked events. You may proceed to carry out the rest of the PoC by fine-tuning and configuring the settings accordingly.

    To test the rest of the features you might need a proper application other than DVWA/WebGoat running on the backend, such as an application with APIs (for API Security), one which talks to third-party domains and JavaScript (for CSP), one which has a login page (ATO), etc.

    Hope this is helpful for you.



    ------------------------------
    Sasith Senanayake
    Engineer
    Connex Information Technologies (Pvt) Ltd.
    http://www.connexit.biz
    Colombo
    ------------------------------
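The PoC procedure in the reply above (DVWA behind a public IP, FQDN onboarded to the Cloud WAF, then attack and watch the blocked events) can be exercised with a small probe script. The following is an added example, not code from the thread or from Imperva: it sends textbook DVWA attack probes to the onboarded FQDN (traffic flows client -> Cloud WAF edge -> origin public IP -> NAT -> DVWA VM) and, optionally, the same probes straight to the origin IP with the FQDN as the Host header, which is the check a practitioner wants before calling the PoC done: if the origin answers the probes directly, the WAF is being bypassed and the origin should be restricted to the WAF's egress IP ranges. The hostname `dvwa.example.test`, the origin IP `203.0.113.10`, the DVWA paths/payloads and the assumption that a blocked request comes back as HTTP 403 and/or a block page containing a configurable marker string are all assumptions of this example; the real block page and status code depend on the tenant's settings.

```python
"""Lab harness: send DVWA attack probes through the Cloud WAF and directly to the origin.

Usage (assumed lab names, see lead-in):
  python waf_lab_probe.py https://dvwa.example.test
  python waf_lab_probe.py https://dvwa.example.test http://203.0.113.10 dvwa.example.test
"""
import sys
import urllib.error
import urllib.parse
import urllib.request

# Constructed probes against default DVWA module paths. Payloads are textbook strings,
# not tuned to any product; they only need to trip a default WAF ruleset.
ATTACK_PROBES = {
    "sqli": ("/vulnerabilities/sqli/", {"id": "1' OR '1'='1", "Submit": "Submit"}),
    "xss":  ("/vulnerabilities/xss_r/", {"name": "<script>alert(1)</script>"}),
    "lfi":  ("/vulnerabilities/fi/", {"page": "../../../../etc/passwd"}),
    "cmdi": ("/vulnerabilities/exec/", {"ip": "127.0.0.1; cat /etc/passwd", "Submit": "Submit"}),
}


def build_probe_urls(base):
    """Return {probe_name: full_url} for every probe, relative to base (scheme://host[:port])."""
    base = base.rstrip("/")
    return {name: f"{base}{path}?{urllib.parse.urlencode(params)}"
            for name, (path, params) in ATTACK_PROBES.items()}


def classify(status, body, block_marker=None):
    """Map an HTTP response to 'blocked', 'passed' or 'other'.

    Assumption: a blocked request is answered with HTTP 403 and/or a block page that
    contains block_marker. Both are parameters because the exact page varies per tenant.
    """
    if status == 403 or (block_marker and block_marker in body):
        return "blocked"
    if 200 <= status < 300:
        return "passed"
    return "other"


def summarize(results):
    """results: {probe_name: verdict}. Return (number_blocked, sorted names that passed)."""
    passed = sorted(name for name, verdict in results.items() if verdict == "passed")
    blocked = sum(1 for verdict in results.values() if verdict == "blocked")
    return blocked, passed


def fetch(url, host_header=None, timeout=10):
    """GET url and return (status, body). host_header overrides Host, which is how the
    direct-to-origin check reaches the DVWA vhost by IP without going through DNS."""
    req = urllib.request.Request(url, headers={"User-Agent": "waf-lab-probe/1.0"})
    if host_header:
        req.add_header("Host", host_header)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry the body we want to inspect
        return err.code, err.read().decode("utf-8", "replace")


def run(base, host_header=None, block_marker=None):
    """Send every probe to base and return {probe_name: verdict}. Network errors count as 'other'."""
    results = {}
    for name, url in build_probe_urls(base).items():
        try:
            status, body = fetch(url, host_header)
            results[name] = classify(status, body, block_marker)
        except (urllib.error.URLError, OSError):
            results[name] = "other"
    return results


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(__doc__)
    via_waf = run(sys.argv[1])
    blocked, passed = summarize(via_waf)
    print(f"via WAF: {via_waf} ({blocked} blocked, passed: {passed})")
    if len(sys.argv) >= 4:
        # Same probes straight at the origin IP, Host set to the FQDN: anything that
        # 'passes' here reached DVWA without touching the WAF.
        direct = run(sys.argv[2], host_header=sys.argv[3])
        print(f"direct to origin: {direct}")
        if summarize(direct)[1]:
            print("WARNING: origin answers attack probes directly; restrict it to the WAF IP ranges")
```

Run the first form against the onboarded FQDN to confirm the alerted/blocked events appear in the Cloud WAF console for each probe name; run the second form from outside the lab to confirm the NAT'd origin does not serve the same requests when the WAF is skipped.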