the program doesn't work #4

morf13111986 opened this issue Sep 14, 2023 · 4 comments
@morf13111986

I don’t want to start scanning at all.
I did everything according to the instructions.
I made changes to the config.py file, indicating the application that needs to be scanned and which is located behind the WAF.
But when launched, Health check passed works, but WAF functionality check failed gives an error. As far as I understand, the scan does not work. But I can’t understand why.

@Boris-Rozenfeld
Collaborator

Hello, @morf13111986

If you encounter the "WAF functionality check failed" message, it indicates that the WAF did not successfully block a malicious payload. Please ensure that your WAF can intercept and block the following payload:
/<script>alert(1)</script>

You can reference the specific code related to this here.

Once you've made the necessary adjustments, rerun the tool.

Thank you!

@sidoverflow

@Boris-Rozenfeld My WAF is in Prevent mode and I can see the requests being blocked on the openappsec portal with a 403, but I'm still getting ERROR | WAF functionality check failed. Any thoughts?

@Boris-Rozenfeld
Collaborator

@sidoverflow, just checked with a clean Open-AppSec environment and the "WAF functionality check passed".
For troubleshooting your issue, kindly consider the following two steps:

  1. Execute the command below from the source machine where the tool is running:
    curl -i http://<target_ip>/<script>alert(1)</script>
    The expected response should have a status code of 403.

  2. Review the config.py file carefully:

  • Ensure accurate typing of the target URL.
  • If the tool is intended to run against a single target, the "WAFS_DICT" object should list only that specific target.

Please give these suggestions a try and let me know if they assist you in resolving the issue.

@sidoverflow

sidoverflow commented Oct 11, 2023

I believe my issue was the default web response page by open-appsec which was likely running into unexpected EOF errors. I configured the asset to return a plain 403 status code. That seemed to work, now the health and functionality checks are fine!
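The maintainer's two troubleshooting steps and the truncated-response failure the reporter describes, as an added example that is not part of the tool's code or of this thread: a minimal health and WAF-functionality check in Python. Its pass criteria (any HTTP response for "/", exactly 403 for the probe path quoted above) and the use of "/" for the health check are this example's assumptions, and it reports a connection or truncated-body error separately from a "not blocked" result so the two failure modes discussed here are told apart.

```python
import http.client
import urllib.parse
from typing import Callable, Dict, Tuple

# Paths for the two checks. The probe path is the payload the maintainer quotes
# above; using "/" for the health check is an assumption of this example.
HEALTH_PATH = "/"
XSS_PROBE = "/<script>alert(1)</script>"

# A probe returns ("ok", <int status>) when a well-formed HTTP response came
# back, or ("error", <str reason>) when it did not.
ProbeResult = Tuple[str, object]


def http_probe(base_url: str, path: str, timeout: float = 5.0) -> ProbeResult:
    """GET base_url + path via http.client so the path is sent unencoded,
    matching the curl command in the thread (requests would percent-encode it)."""
    u = urllib.parse.urlsplit(base_url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()  # a truncated block page surfaces here as IncompleteRead
        return ("ok", resp.status)
    except (http.client.HTTPException, OSError) as exc:
        # RemoteDisconnected / IncompleteRead / ConnectionReset: the
        # "unexpected EOF" family the reporter hit with the default response page.
        return ("error", f"{type(exc).__name__}: {exc}")
    finally:
        conn.close()


def run_checks(base_url: str,
               probe: Callable[[str, str], ProbeResult] = http_probe) -> Dict[str, Tuple[bool, str]]:
    """Return {"health": (passed, detail), "waf": (passed, detail)}."""
    out: Dict[str, Tuple[bool, str]] = {}
    kind, val = probe(base_url, HEALTH_PATH)
    out["health"] = (kind == "ok", f"status {val}" if kind == "ok" else str(val))
    kind, val = probe(base_url, XSS_PROBE)
    if kind != "ok":
        out["waf"] = (False, f"no usable response, check the block page: {val}")
    elif val == 403:
        out["waf"] = (True, "probe blocked with 403")
    else:
        out["waf"] = (False, f"probe answered with {val}, expected 403")
    return out
```

Replace the default `probe` with a fake that returns constructed results to exercise the reporting logic without a live target.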
