Forum Discussion
Building a policy based on DVWA and then using that same policy to protect your app is not a good idea for a few reasons. First, unless the back-end server technologies used by your application are the same as DVWA, the attack signatures applied to requests for DVWA are not likely to be the same ones that would make sense for your app. Second, the policy isn't learning attack signatures. It is trying to match its own attack signature sets (assigned by you) to patterns that are detected in traffic and will then alert you when a potentially malicious character string is found.

A better approach is for you to build a policy for your application and then configure a trusted IP address from which you send clean traffic. Automated tools such as iMacros would be fine for that, but only send valid requests which mimic legitimate traffic. Depending on the comprehensiveness of your policy, this might take a few hours or several days. After you are satisfied that the policy has learned legitimate behavior (requests for allowed file types, URLs, parameters, etc.), then you can place that policy into production. For penetration testing, you can try using the Kali attack server against your policy. Does this help?
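To make the learning-versus-signature distinction in the reply above concrete, here is an added toy model of a positive-security WAF policy. It is example code written for this thread, not code from any WAF product: the policy only learns allowed URLs, file types and parameter names from requests that arrive from a configured trusted IP, ignores everything else during learning, and then reports violations for requests that fall outside what it learned. The request format, IP addresses and paths are all constructed for the example.

```python
"""Toy positive-security-model learner (added example, not product code).

A policy is populated only from clean traffic sent from trusted IPs, which
is the workflow described in the reply: learn legitimate behaviour first
(allowed URLs, file types, parameters), then enforce it in production.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    src_ip: str
    method: str
    url: str  # path plus optional query string, e.g. "/login.php?user=a"


def file_type(path: str) -> str:
    """Extension of the last path segment, lower-cased; '' when there is none."""
    last = path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[-1].lower() if "." in last else ""


@dataclass
class Policy:
    trusted_ips: set
    allowed_urls: set = field(default_factory=set)
    allowed_file_types: set = field(default_factory=set)
    # path -> set of parameter names observed on that path in clean traffic
    allowed_params: dict = field(default_factory=dict)

    def learn(self, req: Request) -> bool:
        """Update the policy from a request; only trusted-IP traffic counts.

        Returns True when the request was used for learning, False when it
        was ignored because it did not come from a trusted IP.
        """
        if req.src_ip not in self.trusted_ips:
            return False
        parts = urlsplit(req.url)
        self.allowed_urls.add(parts.path)
        self.allowed_file_types.add(file_type(parts.path))
        names = parse_qs(parts.query, keep_blank_values=True).keys()
        self.allowed_params.setdefault(parts.path, set()).update(names)
        return True

    def check(self, req: Request) -> list:
        """Enforcement mode: return the list of violations (empty = conforms)."""
        violations = []
        parts = urlsplit(req.url)
        ftype = file_type(parts.path)
        if ftype not in self.allowed_file_types:
            violations.append(f"illegal file type: {ftype or '(none)'}")
        if parts.path not in self.allowed_urls:
            violations.append(f"illegal URL: {parts.path}")
        else:
            for name in parse_qs(parts.query, keep_blank_values=True):
                if name not in self.allowed_params[parts.path]:
                    violations.append(f"illegal parameter on {parts.path}: {name}")
        return violations


# Constructed sample traffic. 10.0.0.5 is the trusted "clean traffic" host;
# 203.0.113.9 is an untrusted client whose requests must not teach the policy.
TRUSTED_IP = "10.0.0.5"
CLEAN_TRAFFIC = [
    Request(TRUSTED_IP, "GET", "/index.php"),
    Request(TRUSTED_IP, "GET", "/login.php?user=&pass="),
    Request(TRUSTED_IP, "POST", "/login.php?user=alice&pass=secret"),
    Request(TRUSTED_IP, "GET", "/static/app.js"),
    Request(TRUSTED_IP, "GET", "/images/logo.png"),
    Request("203.0.113.9", "GET", "/debug.php?dump=1"),  # untrusted: ignored
]


def build_policy() -> Policy:
    """Learning phase: feed the constructed clean traffic into a new policy."""
    policy = Policy(trusted_ips={TRUSTED_IP})
    for req in CLEAN_TRAFFIC:
        policy.learn(req)
    return policy


if __name__ == "__main__":
    policy = build_policy()
    print("allowed URLs:", sorted(policy.allowed_urls))
    print("allowed file types:", sorted(policy.allowed_file_types))
    for req in [
        Request("203.0.113.9", "GET", "/login.php?user=a&pass=b"),
        Request("203.0.113.9", "GET", "/login.php?user=a&pass=b&debug=1"),
        Request("203.0.113.9", "GET", "/admin/backup.bak"),
    ]:
        print(req.url, "->", policy.check(req) or "OK")
```

The point the model makes is the one in the reply: nothing about attack strings is learned. The untrusted request for `/debug.php` never enters the policy, and in enforcement mode a request is flagged because it deviates from the learned legitimate behaviour (an unknown URL, an unlearned file type, an extra parameter), not because it matched a signature.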