Monday, August 8, 2016

Steps to create your WAF (web application firewall) in C

Following the usual definition (for example OWASP's), a WAF is a piece of software intended to protect a web application at the application layer. Nowadays a WAF's behaviour is not defined only by the web application it sits in front of: it is not a solution customized for that one application but, like a general software firewall, carries parameters to protect against intrusion across a wide variety of frameworks and code bases.

Firewall burning invaders, hehehe!

Let's clear your mind first. There is overlap between the different types of firewalls. Software and hardware firewalls are used in their own right to protect networks. With their specialized function for web applications, however, WAFs can take either of those two main forms. By default, a firewall uses a blocklist, protecting against individual, previously logged attacks.

Additionally, it can also use an allowlist, defining the allowed users and the permitted kinds of interaction with the application. Another function is to block SQL injection and XSS attacks. In another context, a WAF can generate random tokens and embed them in forms to stop web robots and automated attacks; this practice can help mitigate CSRF pitfalls.


Before you ask, "how do I create my WAF?", I have to bring you some principles; anyway, the theory behind the facts.


There are two common WAF designs:

1. Uses a plugin in the HTTPd to get hold of the INPUT or OUTPUT: before the server finishes handling the request, the plugin receives it and blocks some contents. This approach focuses on the HTTP methods POST, GET...

2. This way is my favourite. It is an independent reverse proxy server. It receives all requests from the client at the proxy; the proxy does some analysis of the content and, if nothing is blocked, forwards all the information to the backend server.



Number one is cold, and that path is not fully portable. Another bad thing is that you need to create a different plugin for each HTTPd: one for Apache, another for NGINX, IIS, Lighttpd... it's not cool! If you are not an excellent low-level programmer, you can try using Twisted (Python). It is easy to make a reverse proxy with it, but it is not the right way, because it does not have good performance in production. If that pisses you off, study the Stevens book on sockets.


OK, the title of this post is "create a WAF in C". The task is entirely done here, commented and with some documentation in LaTeX... relax, you can get it in this repository: https://github.com/CoolerVoid/raptor_waf

 

Raptor WAF is a simple web application firewall made in C, following the KISS principle. For polling it uses the select() function, which is not better than epoll() or kqueue() from *BSD but is portable. The core of the match engine uses a DFA to detect XSS, SQLi and path traversal; you can see it here: https://github.com/CoolerVoid/raptor_waf/tree/master/doc/test_dfa
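As an added illustration (not code from raptor_waf), here is a minimal table-driven DFA in the style the match engine uses, applied to path-traversal detection; it also shows why the proxy must percent-decode the request before matching. All function names and the sample paths below are constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Table-driven DFA (constructed for this example) that accepts as soon as a
 * "../" or "..\" sequence appears anywhere in a request path. */
enum { S_START, S_DOT1, S_DOT2, S_MATCH, S_COUNT };   /* states        */
enum { C_DOT, C_SEP, C_OTHER, C_COUNT };             /* input classes */
static const int transition[S_COUNT][C_COUNT] = {
    /* S_START */ { S_DOT1,  S_START, S_START },
    /* S_DOT1  */ { S_DOT2,  S_START, S_START },
    /* S_DOT2  */ { S_DOT2,  S_MATCH, S_START },   /* "...../" also accepted */
    /* S_MATCH */ { S_MATCH, S_MATCH, S_MATCH },   /* absorbing accept state */
};

static int hexval(int c)                   /* -1 when c is not a hex digit */
{
    const char *d = "0123456789abcdef", *p = c ? strchr(d, tolower(c)) : NULL;
    return p ? (int)(p - d) : -1;
}

/* Feed the DFA one byte at a time, percent-decoding %XX on the fly when
 * decode != 0. With decode == 0 the raw bytes are matched, which is how an
 * encoded "..%2F" slips past a naive filter. One decoding pass only: a real
 * filter also has to handle double encoding (%252e) and overlong UTF-8. */
int path_has_traversal(const char *path, int decode)
{
    int state = S_START;
    for (; *path && state != S_MATCH; path++) {
        int hi, lo, ch = (unsigned char)*path;
        if (decode && ch == '%' && (hi = hexval((unsigned char)path[1])) >= 0
                                && (lo = hexval((unsigned char)path[2])) >= 0)
            ch = hi * 16 + lo, path += 2;
        int cls = ch == '.' ? C_DOT : (ch == '/' || ch == '\\') ? C_SEP : C_OTHER;
        state = transition[state][cls];
    }
    return state == S_MATCH;
}

int main(void)
{
    /* Constructed sample request paths, as the reverse proxy would see them. */
    const char *samples[] = { "/images/logo.png", "/static/../../etc/passwd",
                              "/download?file=..%2F..%2Fetc%2Fpasswd" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-42s raw=%d decoded=%d\n", samples[i],
               path_has_traversal(samples[i], 0), path_has_traversal(samples[i], 1));
    return 0;
}
```

The third sample is the one that matters: matched raw it passes, matched after decoding it is caught, so decoding has to happen before the DFA runs.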


No more words, look at the following:




Thank you for reading this!
Cheers!

1 comment:

  1. I'm very glad to find this site! There is always a lot of important information. I like coming here. Thank you. Earning Money Online
