A web-based testing platform for WAF (Web Application Firewall)'s correctness

WAFLab 🐾

WAFLab is a web-based platform for testing WAFs.

Live Demo

https://waflab.org/

Architecture

WAFLab contains 2 parts:

Name     | Description                    | Language                        | Source code
---------|--------------------------------|---------------------------------|--------------------------------------------------
Frontend | Web frontend UI for WAFLab     | Javascript + React + Ant Design | https://github.com/microsoft/waflab/tree/master/web
Backend  | RESTful API backend for WAFLab | Golang + Beego + MySQL          | https://github.com/microsoft/waflab

Installation

Prerequisites

Server-side

Get the source code from Github via Git

git clone https://github.com/microsoft/waflab.git

Set up the database

WAFLab uses a database to store the generated test cases and test results.

Prepare a database supported by the Xorm ORM (MySQL is recommended) and replace root:123@tcp(localhost:3306)/ in conf/app.conf with your own connection string. WAFLab creates a database named waflab, and the tables it needs, if they do not already exist. The default string connects as root with a trivial password; use a dedicated account instead and grant it privileges only on the waflab database (it needs CREATE so that WAFLab can create the schema). All databases Xorm supports are listed in the Xorm documentation.

Setup Go backend

Git clone the OWASP ModSecurity Core Rule Set (CRS) and WAFBench into the same parent directory:

git clone https://github.com/microsoft/WAFBench.git
git clone https://github.com/coreruleset/coreruleset.git

Pick the CRS version you would like to use. We use CRS v3.2 as an example here.

cd coreruleset
git checkout --track origin/v3.2/master

Set CodeBaseDir inside waflab/util/const.go to the parent directory that contains WAFBench and coreruleset:

const CodeBaseDir = "DIRECTORY/OF/WAFBENCH/AND/CRS"

Run Server-backend (at port 7070 by default):

cd waflab
go run main.go

Setup frontend web UI

Install the frontend dependencies with NPM (or Yarn if you like):

cd waflab/web
npm install

Run frontend (at port 7000 by default):

npm start

The WAFLab web UI is now available at: http://localhost:7000

Build the frontend into static files; the Go server then serves them at port 7070 together with the backend API. Use npm run build, which runs the build script in web/package.json (plain npm build is a different, deprecated npm command and does not build the project):

npm run build
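
Before starting the backend, a practitioner would check the two settings the steps above edit. The following Go program is an added example, not part of WAFLab: it reads a Beego-style conf fragment (constructed here; the key name dataSourceName is an assumption, as is the WAFLAB_CODEBASE environment variable used to pass the directory), flags the placeholder root:123 credentials and remote hosts without TLS in the connection string, and verifies that the CodeBaseDir layout has WAFBench and coreruleset/rules side by side.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// Constructed app.conf fragment in Beego's "key = value" style. The key
// name dataSourceName is an assumption: check which key in conf/app.conf
// holds the root:123@tcp(localhost:3306)/ string and use that name.
const sampleConf = `appname = waflab
httpport = 7070
dataSourceName = root:123@tcp(localhost:3306)/
`

// dsnRe matches the Go MySQL driver DSN shape user:pass@tcp(host:port)/db[?params].
var dsnRe = regexp.MustCompile(`^([^:@]+):([^@]*)@tcp\(([^)]+)\)/(.*)$`)

// confValue returns the value of key from Beego-style conf text.
func confValue(conf, key string) (string, bool) {
	sc := bufio.NewScanner(strings.NewReader(conf))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, ";") {
			continue
		}
		kv := strings.SplitN(line, "=", 2)
		if len(kv) == 2 && strings.TrimSpace(kv[0]) == key {
			return strings.TrimSpace(kv[1]), true
		}
	}
	return "", false
}

// checkDSN returns the findings to fix before running the backend: the
// README's placeholder credentials, a superuser account (WAFLab only needs
// privileges on the waflab database), and a remote host without TLS.
func checkDSN(dsn string) []string {
	m := dsnRe.FindStringSubmatch(dsn)
	if m == nil {
		return []string{"connection string is not in user:pass@tcp(host:port)/db form"}
	}
	user, pass, host, params := m[1], m[2], m[3], m[4]
	var findings []string
	if user == "root" {
		findings = append(findings, "connects as root; use a dedicated account limited to the waflab database")
	}
	if pass == "" || pass == "123" {
		findings = append(findings, "empty or placeholder password")
	}
	local := strings.HasPrefix(host, "localhost:") || strings.HasPrefix(host, "127.0.0.1:")
	if !local && !strings.Contains(params, "tls=") {
		findings = append(findings, "remote database without a tls= parameter")
	}
	return findings
}

// checkCodeBase verifies the directory that util/const.go's CodeBaseDir
// points at: WAFBench and coreruleset cloned side by side, with the CRS
// rules directory present for test generation.
func checkCodeBase(dir string) error {
	if dir == "" || strings.Contains(dir, "DIRECTORY/OF") {
		return errors.New("CodeBaseDir is unset or still holds the README placeholder")
	}
	for _, sub := range []string{"WAFBench", filepath.Join("coreruleset", "rules")} {
		fi, err := os.Stat(filepath.Join(dir, sub))
		if err != nil || !fi.IsDir() {
			return fmt.Errorf("%s not found under %s", sub, dir)
		}
	}
	return nil
}

func main() {
	dsn, ok := confValue(sampleConf, "dataSourceName")
	if !ok {
		fmt.Println("no dataSourceName in conf")
		return
	}
	for _, f := range checkDSN(dsn) {
		fmt.Println("DSN:", f)
	}
	// Pass the real CodeBaseDir via the environment to check a local checkout (assumed variable name).
	if err := checkCodeBase(os.Getenv("WAFLAB_CODEBASE")); err != nil {
		fmt.Println("CodeBaseDir:", err)
	}
}
```

Run it with WAFLAB_CODEBASE set to the directory you put into const.go; both checks print nothing when the setup is clean.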

License

This project is licensed under the MIT license.

If you have any issues or feature requests, please contact us. PRs are welcome.

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

Trademarks

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.

Owner
Microsoft (Open source projects and samples from Microsoft)
Comments
  • Bump moment from 2.29.1 to 2.29.2 in /web

    Bumps moment from 2.29.1 to 2.29.2.

    Changelog

    Sourced from moment's changelog.

    2.29.2 See full changelog

    • Release Apr 3 2022

    Address https://github.com/advisories/GHSA-8hfj-j24r-96c4

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

  • Content-Length is now an Integer instead of String

    This PR changes the type of payload header from map[string]string to map[string]interface{} to allow passing non-string content (ex. Content-Length) to request's headers.

  • Add http timeout prompt

    1. Add http timeout prompt
    2. Change the way to get host name, by using the standard pkg: net/url (I think this new way is more reasonable, but it requires that the scheme must be specified in the input URL)
    3. If DNS resolution fails, give a prompt and return
    4. DNS resolution failure caused by "the test endpoint is the machine that made the request" is not fixed. However, this situation triggers 3., so the user is prompted at this point
  • Feat: progress bar UI

    • Add progress bar UI by using github.com/gizak/termui
    • When the test finished, you can press the "Up" and "Down" keys to scroll through the results list and then press the "Q" key to exit
  • Fixes multiple bugs in AutoGen generation

    This PR contains

    • remove unused code in the codebase
    • fix rule 920270: fix validateByteRange
    • fix rule 941310: fix t:jsDecode
    • fix rule 944200: add flag to notify RegexGeneration that do not use UTF-8 encoding
  • Optimize WAFLab initialization process

    This PR adds

    • automatically fetch the coreruleset and WAFBench repo from Github to repo directory
    • add warning for user to install Docker when failed to init Docker daemon
  • Add Post-Processing Module and Optimize Error handling

    This PR

    • added a post-processing module within AddVariable to check if it adds any illegal character into the request struct
    • added ErrNotSupport and ErrReject error structs for better error handling upstream
  • Remove docker gunicorn worker boot check

    As title suggested, the gunicorn worker boot check brought more bugs than the problem (receiving request while gunicorn is not fully prepared) it prevents. Therefore, we decide to remove this check from the docker restart workflow.

  • Add Docker client health check

    This add following functionalities

    • allow the backend to run without Docker Engine
    • add /api/get-docker-health to check Docker's health at backend
    • call /api/get-docker-health every time before calling /api/get-result at frontend
  • Bump moment from 2.29.1 to 2.29.4 in /web

    Bumps moment from 2.29.1 to 2.29.4.

    Changelog

    Sourced from moment's changelog.

    2.29.4

    • Release Jul 6, 2022
      • #6015 [bugfix] Fix ReDoS in preprocessRFC2822 regex

    2.29.3 Full changelog

    • Release Apr 17, 2022
      • #5995 [bugfix] Remove const usage
      • #5990 misc: fix advisory link

    2.29.2 See full changelog

    • Release Apr 3 2022

    Address https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4


  • Error generating tests for coreruleset v3.4/dev branch

    root@docker-desktop:/go/src/app/repos/coreruleset# git checkout v3.4/dev
    Switched to branch 'v3.4/dev'
    Your branch is up to date with 'origin/v3.4/dev'.
    root@docker-desktop:/go/src/app/repos/coreruleset# cd ../..
    root@docker-desktop:/go/src/app# waflab generate
    repos/coreruleset/rules
    2021/12/16 13:41:41 Err while parsing rule string SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:932011,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
    SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:932012,phase:2,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
    
  • How does `logContains` work for you?

    Hi! I'm wondering how are you reading logs for testing that the waf is matching.

    • from reading the logContains method in https://github.com/microsoft/waflab/blob/5a38a39175b04b2b9bf78816bc98ec60dd8f9718/cmd/command/test.go#L304, the match looks like only a regexp match in the file
    • this will not work unless each test fires up one and just one rule per test. That is not the common case.

    👉 what ftw and go-ftw have been doing is reading the log backwards until the time of the request. I don't see that here.

    Can you please explain what is your use case, and how does it work for you?
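
The distinction raised in this issue, as an added example in Go that is not WAFLab's own code: a plain regexp search over the whole log (the logContains behaviour described above) versus a scan that walks the log backwards and only counts entries logged at or after the request was sent. The log lines are constructed to look like ModSecurity v2 entries in the Apache error log; the timestamp layout and the [id "..."] token are the only format assumptions, and the first line is a stale hit from an earlier test that the naive check wrongly accepts.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Constructed sample of a ModSecurity v2 error log. The first entry is from an
// earlier test run; a test request sent at 13:41:41 must not be credited with it.
const sampleLog = `[Thu Dec 16 13:41:40.000000 2021] [security2:error] [pid 1] ModSecurity: Warning. Pattern match ... [id "942100"] [msg "SQL Injection Attack Detected via libinjection"]
[Thu Dec 16 13:41:41.000000 2021] [security2:error] [pid 1] ModSecurity: Warning. Pattern match ... [id "941100"] [msg "XSS Attack Detected via libinjection"]
[Thu Dec 16 13:41:42.000000 2021] [security2:error] [pid 1] ModSecurity: Warning. Pattern match ... [id "920270"] [msg "Invalid character in request"]
`

// Apache error-log timestamp, as written inside the leading brackets.
const apacheTS = "Mon Jan 2 15:04:05.000000 2006"

var (
	tsRe = regexp.MustCompile(`^\[([^\]]+)\]`)
	idRe = regexp.MustCompile(`\[id "(\d+)"\]`)
)

// naiveLogContains is the behaviour the issue describes: a regexp search over
// the whole file. Any earlier occurrence of the id satisfies it, so a rule that
// fired during a previous test makes a later, unrelated test pass.
func naiveLogContains(log, ruleID string) bool {
	return regexp.MustCompile(`\[id "` + regexp.QuoteMeta(ruleID) + `"\]`).MatchString(log)
}

// rulesFiredSince walks the log from the newest entry backwards and stops at
// the first entry older than since, which is the request time. It returns every
// rule id seen in that window so a test can also assert that only the expected
// rule fired. Entries are assumed to be appended in time order.
func rulesFiredSince(log string, since time.Time) (map[string]bool, error) {
	lines := strings.Split(strings.TrimRight(log, "\n"), "\n")
	seen := map[string]bool{}
	for i := len(lines) - 1; i >= 0; i-- {
		m := tsRe.FindStringSubmatch(lines[i])
		if m == nil {
			continue // continuation line without a timestamp
		}
		ts, err := time.Parse(apacheTS, m[1])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		if ts.Before(since) {
			break // everything above is older than the request
		}
		if id := idRe.FindStringSubmatch(lines[i]); id != nil {
			seen[id[1]] = true
		}
	}
	return seen, nil
}

// ruleFiredSince reports whether ruleID appears in an entry logged at or after since.
func ruleFiredSince(log, ruleID string, since time.Time) (bool, error) {
	seen, err := rulesFiredSince(log, since)
	if err != nil {
		return false, err
	}
	return seen[ruleID], nil
}

func main() {
	// Time the test request was sent (UTC, matching the zone-less log timestamps).
	since := time.Date(2021, 12, 16, 13, 41, 41, 0, time.UTC)
	fmt.Println("naive 942100:", naiveLogContains(sampleLog, "942100")) // true: stale hit counted
	hit, _ := ruleFiredSince(sampleLog, "942100", since)
	fmt.Println("windowed 942100:", hit) // false: fired before the request
	hit, _ = ruleFiredSince(sampleLog, "941100", since)
	fmt.Println("windowed 941100:", hit) // true
}
```

The window check needs the request time recorded from the same clock the WAF logs with; a unique marker request before and after each test, as go-ftw does, removes that dependency and is the more robust variant of the same idea.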

  • Command `waflab generate` panics generating tests

    Hi Team!

    Cannot get waflab generate to work. After building the container, generate panics:

    root@docker-desktop:/go/src/app# waflab generate repos/coreruleset/rules/ repos/coreruleset/tests/regression/ -c 1
    panic: runtime error: invalid memory address or nil pointer dereference
    [signal SIGSEGV: segmentation violation code=0x1 addr=0x28 pc=0xbbc209]
    
    goroutine 1 [running]:
    github.com/waflab/waflab/cmd/command.generateTestfile.func1(0x0, 0x0, 0x0, 0x0, 0xe66c20, 0xc00036d380, 0x2, 0x2)
    	/go/src/app/cmd/command/utils.go:21 +0x49
    path/filepath.Walk(0x0, 0x0, 0xc00035fc70, 0x32, 0x135e840)
    	/usr/local/go/src/path/filepath/path.go:499 +0x7e
    github.com/waflab/waflab/cmd/command.generateTestfile(0x0, 0x0, 0x1, 0x3, 0x3, 0x2, 0xc00000f980, 0xc00035fd58)
    	/go/src/app/cmd/command/utils.go:20 +0x85
    github.com/waflab/waflab/cmd/command.generate(0x1320c60, 0xc0003a0e80, 0x2, 0x4)
    	/go/src/app/cmd/command/generate.go:37 +0x9a
    github.com/spf13/cobra.(*Command).execute(0x1320c60, 0xc0003a0e40, 0x4, 0x4, 0x1320c60, 0xc0003a0e40)
    	/go/pkg/mod/github.com/spf13/[email protected]/command.go:856 +0x2c2
    github.com/spf13/cobra.(*Command).ExecuteC(0x1320ee0, 0xc00035ff58, 0x2, 0x2)
    	/go/pkg/mod/github.com/spf13/[email protected]/command.go:960 +0x375
    github.com/spf13/cobra.(*Command).Execute(...)
    	/go/pkg/mod/github.com/spf13/[email protected]/command.go:897
    github.com/waflab/waflab/cmd/command.Execute()
    	/go/src/app/cmd/command/root.go:35 +0x7d
    main.main()
    	/go/src/app/cmd/main.go:6 +0x25
    
  • Problem starting using compose

    Trying to get this working, but fails on docker compose up:

    โฏ docker compose up
    [+] Running 2/0
     โ ฟ Container waflab_frontend_1  Created                                                                           0.0s
     โ ฟ Container waflab_backend_1   Created                                                                           0.0s
    Attaching to backend_1, frontend_1
    backend_1   | {"status":"Pulling from waflab/wafbench","id":"latest"}
    backend_1   | {"status":"Digest: sha256:1e94302e53cee0e390b2b7a13fb28f971fa39ac99f9a9b0a0d7a9fef7e0520c0"}
    backend_1   | {"status":"Status: Image is up to date for waflab/wafbench:latest"}
    backend_1   | panic: Error response from daemon: container cannot be disconnected from host network or connected to host network
    backend_1   |
    backend_1   | goroutine 1 [running]:
    backend_1   | github.com/waflab/waflab/docker.MakeMaster(0x5, 0x200000003)
    backend_1   | 	/go/src/app/docker/master.go:134 +0x410
    backend_1   | github.com/waflab/waflab/object.InitMaster(...)
    backend_1   | 	/go/src/app/object/run.go:18
    backend_1   | main.main()
    backend_1   | 	/go/src/app/main.go:15 +0x34
    backend_1 exited with code 2
    

    Is something additionally required?
