Web application firewall based on rules. Protected from popular web-vulnerabilities such as

• SQL-injection
• Path traversal
• NULL-byte injection
• etc.

1. Links extractor
2. Vulnerability detector
3. Proxy filter

• Links extractor. Takes a URL and tries to work around site recursively by links, keeping the values of the potential vulnerability GET/POST/COOKIE parameters.
• VulnerabilityDetecter. Using a list of links, trying to identify vulnerabilities options. This using time-based SQL-Injection attack. This application is multithreading and has CLI & GUI version; Based logic of test suites:

timeStart = time.now();
param="val ' AND SLEEP(15) -- -";
sendRequestToSite(URL + param);
timeEnd = time.now();
if (timeEnd - timeStart > 15) {
  print("SQL injection detected");
}

In GUI version you can specify host and parameters, cookie and GET or POST method

• ProxyFilter. Java proxy; Binds on localhost:8888 and check all request on vulnerability and block if detected attack. Also filter trying deobfuscation queries, for example persent-encoding

Every rule has weight, if URL contains a certain limit, the request is blocked. For example

• http://178.49.9.210/daredevil/sql_inj/tester_login/../login.php?login[]=l&password=p' or 1 --
• Path traversal .. - 3 points
• Array[] Parameter injection login[] - 2 point
• SQL-injection password=p'or 1 -- - 3 points
• Sum is 8. If sum > 5 such request is blocked. Rules contains in SQLite database;
• Also analyze http response. For example if page show SQL-error such as "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''VALUE''')". This response not sends to client.

Every blocked requests stored in SQLite, and displays as html page. For example:

SQLite database contains table blacklistIp; All ip clients with such IP address will be blocked. To add IP-address into table use some SQLite manager, for example http://sqlitebrowser.sourceforge.net/; SQLite database contains table whitelist; You can insert into table part of url which cannot be analyse on vulnerabilities. For example: applications phpmyadmin, jira, redmine, etc, may generate false positives. For example see request for Show all entries in table in phpmyadmin.

POST http://127.0.0.1/tools/phpmyadmin/sql.php HTTP/1.1
Host: 127.0.0.1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 135

db=panel_prototype&table=domains&sql_query=SELECT+*+FROM+%60domains%60&pos=0&session_max_rows=all&goto=tbl_structure.php&navig=Show+all

We don't know combination of vulnerability scanner + WAF. List of scanners & WAFs;

• AppScan
• XSpider - really cool scanners, but commercial
• Naxsi - open source plugin for Nginx; rule-weight analysis
• [email protected] - open source WAF, rule-based analysis