SentinelTest: WAF Testing Made Simple

A Go-based tool designed to validate Web Application Firewall (WAF) configurations through systematic HTTP request testing and response validation.

The Problem

Web Application Firewalls are critical security components, but how do you know if they're actually working? Manual testing is time-consuming and error-prone. Traditional security scanning tools are often too complex for simple validation tasks. What we needed was a lightweight, configurable tool that could systematically test WAF rules and provide clear results.

The Solution: SentinelTest

SentinelTest is a focused tool that bridges the gap between manual testing and complex security scanners. It's designed with simplicity and automation in mind.

Key Features

  • YAML-Driven Configuration: Define test scenarios in human-readable YAML files
  • Flexible Validation: Validate response status codes, headers, and body content
  • Automated Reporting: Generate detailed test reports
  • CI/CD Integration: Perfect for automated security testing pipelines

Architecture Overview

SentinelTest follows a clean, modular architecture:

┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
│   YAML Config   │───▶│  Test Engine    │───▶│   Validator     │
└─────────────────┘    └─────────────────┘    └─────────────────┘
                                │                       │
                                ▼                       ▼
┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
│   HTTP Client   │    │  Report Gen     │    │   Results       │
└─────────────────┘    └─────────────────┘    └─────────────────┘

Configuration Example

Here's how you define a test scenario:

apiVersion: sentinel-test/v1
kind: SentinelTest
metadata:
  name: comprehensive-waf-test
spec:
  target:
    baseUrl: https://your-application.com
    timeout: 30s
  tests:
    - name: sql-injection-login
      description: "Test SQL injection protection on login endpoint"
      request:
        method: POST
        path: /api/auth/login
        headers:
          Content-Type: application/json
        body: |
          {
            "username": "admin' OR 1=1--",
            "password": "password"
          }
      expected:
        status: [403, 400]
        headers:
          X-WAF-Block: present

    - name: xss-comment-field
      description: "Test XSS protection on user input"
      request:
        method: POST
        path: /api/comments
        body: |
          {
            "comment": "<script>alert('xss')</script>"
          }
      expected:
        status: [403, 422]

    - name: directory-traversal
      description: "Test path traversal protection"
      request:
        method: GET
        path: /files?path=../../../etc/passwd
      expected:
        status: [403, 404]
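The validation the scenario above asks for, written out as an added Go example (not SentinelTest's own code): the `TestCase`/`Result` types, `Validate`, `RunSuite`, `PageCases` and the `NewMockWAF` stand-in are all assumptions made for this illustration; only the paths, payloads, status lists and the X-WAF-Block header come from the YAML. It shows the two expectation semantics the config relies on, a status matching any entry of the list and a header marked `present`, plus the per-case error handling a CI run needs so that one unreachable endpoint does not abort the suite.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// TestCase mirrors one entry of the YAML `tests:` list; the field names are assumptions
// for this example. Any listed status passes; a header value of "present" only
// requires that the header exists in the response.
type TestCase struct {
	Name, Method, Path, Body string
	Headers, ExpectHeaders   map[string]string
	ExpectStatus             []int
}

// Result holds the observed status and every unmet expectation for one case.
type Result struct {
	Name     string
	Status   int
	Failures []string
}

// Validate checks the response status and headers against the case's expectations.
func Validate(tc TestCase, status int, hdr http.Header) Result {
	r := Result{Name: tc.Name, Status: status}
	ok := len(tc.ExpectStatus) == 0 // an empty list means "don't care"
	for _, s := range tc.ExpectStatus {
		ok = ok || s == status
	}
	if !ok {
		r.Failures = append(r.Failures, fmt.Sprintf("status %d not in %v", status, tc.ExpectStatus))
	}
	for name, want := range tc.ExpectHeaders {
		if got := hdr.Get(name); got == "" {
			r.Failures = append(r.Failures, "missing header "+name)
		} else if want != "present" && got != want {
			r.Failures = append(r.Failures, fmt.Sprintf("header %s=%q, want %q", name, got, want))
		}
	}
	return r
}

// RunSuite sends every case to baseURL with the config's 30s timeout; a request that
// cannot be built or sent is recorded as a failure so the remaining cases still run.
func RunSuite(baseURL string, cases []TestCase) []Result {
	client := &http.Client{Timeout: 30 * time.Second}
	var out []Result
	for _, tc := range cases {
		req, err := http.NewRequest(tc.Method, baseURL+tc.Path, strings.NewReader(tc.Body))
		var resp *http.Response
		if err == nil {
			for k, v := range tc.Headers {
				req.Header.Set(k, v)
			}
			resp, err = client.Do(req)
		}
		if err != nil {
			out = append(out, Result{Name: tc.Name, Failures: []string{err.Error()}})
			continue
		}
		resp.Body.Close()
		out = append(out, Validate(tc, resp.StatusCode, resp.Header))
	}
	return out
}

// PageCases is the YAML example above expressed as Go values.
func PageCases() []TestCase {
	return []TestCase{
		{Name: "sql-injection-login", Method: "POST", Path: "/api/auth/login", Headers: map[string]string{"Content-Type": "application/json"},
			Body:         `{"username": "admin' OR 1=1--", "password": "password"}`,
			ExpectStatus: []int{403, 400}, ExpectHeaders: map[string]string{"X-WAF-Block": "present"}},
		{Name: "xss-comment-field", Method: "POST", Path: "/api/comments",
			Body: `{"comment": "<script>alert('xss')</script>"}`, ExpectStatus: []int{403, 422}},
		{Name: "directory-traversal", Method: "GET", Path: "/files?path=../../../etc/passwd", ExpectStatus: []int{403, 404}},
	}
}

// NewMockWAF is a constructed stand-in for the target so the example runs offline. It
// answers 403 plus X-WAF-Block for the SQL and traversal fragments but has no rule for
// the XSS case (implicit 200), so the report shows what a gap in the ruleset looks like.
func NewMockWAF() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		b, _ := io.ReadAll(r.Body)
		if p := r.URL.RawQuery + string(b); strings.Contains(p, "' OR 1=1") || strings.Contains(p, "../") {
			w.Header().Set("X-WAF-Block", "1")
			w.WriteHeader(http.StatusForbidden)
		}
	}))
}

func main() {
	srv := NewMockWAF()
	defer srv.Close()
	for _, r := range RunSuite(srv.URL, PageCases()) {
		fmt.Printf("%-22s status=%d failures=%v\n", r.Name, r.Status, r.Failures)
	}
}
```

Run it with `go run .`; against a real deployment, replace `srv.URL` with the config's `baseUrl`. The xss-comment-field line comes back with `status 200 not in [403 422]`, which is exactly the signal the tool exists to surface: the rule you assumed was active is not blocking that payload.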

Installation and Usage

Getting started is straightforward:

# Install SentinelTest
make install

# Run tests
sentineltest run --config waf-tests.yaml

# Generate detailed report
sentineltest run --config waf-tests.yaml --output json --report detailed.json

Real-World Application

At Arkose Labs, we use similar approaches to validate our fraud detection systems. The principle is the same: systematic testing of security controls with predictable, repeatable results.

Use Cases

  1. CI/CD Integration: Automated WAF testing on every deployment
  2. Security Audits: Systematic validation of security configurations
  3. Regression Testing: Ensure security rules don't break functionality
  4. Compliance: Document security control effectiveness

Technical Insights

Design Decisions

  • YAML Configuration: Human-readable and version-controllable
  • Declarative Approach: Focus on what to test, not how
  • Modular Validation: Extensible validation rules
  • Clean Output: Both human and machine-readable results

Future Enhancements

The project roadmap includes:

  • Plugin System: Custom validation rules
  • Web UI: Browser-based test management
  • Metrics Integration: Prometheus/Grafana support
  • Advanced Reporting: HTML and PDF reports
  • Template Library: Pre-built test scenarios

Lessons Learned

Building SentinelTest reinforced several important principles:

  1. Simplicity Wins: A focused tool beats a complex one
  2. Configuration as Code: YAML configs enable version control
  3. Clear Feedback: Good error messages save hours of debugging
  4. Automation First: Design for CI/CD from the start

Try It Yourself

The project is open source and available on GitHub:

Whether you're securing web applications, validating WAF configurations, or building security automation pipelines, SentinelTest provides a solid foundation to build upon.