Monday, August 8, 2016

Steps to create your WAF (web application firewall) in C

Following the definition used by OWASP, a WAF is a piece of software intended to protect a web application at the application layer. Nowadays a WAF is not defined by the web application it protects: it is not a customized solution specific to that application but, like a general software firewall, one that contains rules to protect against intrusion across a wide variety of frameworks and code bases.

Firewall burning invaders, hehehe!
To clear things up: there is overlap between the different types of firewall. Software and hardware firewalls are used in their own right to protect networks. WAFs, however, with their specialized function for web applications, can take the form of either of those two main types. By default a firewall uses a blacklist, protecting against individual, previously logged attacks. Additionally it can use a whitelist, listing the allowed users and interactions for the application. Another function is to block SQL injection and XSS attacks. In another context, WAFs can create random tokens and put them in forms to try to block web robots and automated attacks; this practice can help mitigate CSRF pitfalls.
Before you ask "How can I do it?", I have to bring you some principles, the theory behind the facts...

There are two common kinds of WAF:

1 - The first uses a plugin in the HTTPd to get the INPUT or OUTPUT data; before the request is finished it inspects it and blocks some contents. This approach focuses on the HTTP methods POST, GET...
2 - The second, my favorite, is an independent reverse proxy server: it takes all requests from the client into the proxy, the proxy performs some analysis on the content and, if it does not block, sends all the information on to the external (backend) server...

Number one is cold; this path is not fully portable. The other bad thing is that you need to create a different plugin for each HTTPd: one for Apache, another for NGINX, IIS, lighttpd... it's not cool! If you are not a good low-level programmer, you can try using Python's Twisted; it is easy to make a reverse proxy with it, but it is not a good way, because it does not have good performance in production. If that pisses you off, study Stevens' book on sockets.

OK, the title of this post is "create a WAF in C". The task is fully done here, commented and with some documentation in LaTeX... relax, you can get it in this repository:
Raptor WAF is a simple web application firewall made in C, following the KISS principle. To poll it uses the select() function, which is not better than epoll() or kqueue() from *BSD but is portable. The core of the match engine uses a DFA to detect XSS, SQLi and path traversal; you can see it here
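To show what the inspection step of the reverse-proxy design (item 2 above) and a DFA match engine look like in C, here is an added example. It is not Raptor WAF's code: each signature is compiled into its own KMP-style DFA (state = number of pattern characters matched), the request line is percent-decoded and lowercased before matching so that "%2e%2e/" or "<ScRiPt" cannot slip past a lowercase literal, and inspect_request() returns the rule that fired or NULL when the request may be forwarded to the backend. The rule names, the four signatures and the sample request lines are constructed for this example; a real rule set is much larger and is tuned per application.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define ALPHABET 256

/* One signature compiled into a KMP-style DFA: the state number is how many
 * characters of the pattern have been matched so far; state m is accepting. */
typedef struct {
    const char *name;      /* label reported when the rule fires */
    const char *pattern;   /* lowercase signature (constructed for this example) */
    int m;                 /* pattern length == accepting state */
    int (*dfa)[ALPHABET];  /* rows 0..m-1; row j holds the transitions from state j */
} rule_t;

/* Build the transition table with the classic KMP "restart state" construction. */
static int compile_rule(rule_t *r) {
    int m = (int)strlen(r->pattern);
    r->m = m;
    r->dfa = calloc((size_t)m, sizeof *r->dfa);
    if (!r->dfa || m == 0) return -1;
    r->dfa[0][(unsigned char)r->pattern[0]] = 1;
    for (int x = 0, j = 1; j < m; j++) {
        for (int c = 0; c < ALPHABET; c++)
            r->dfa[j][c] = r->dfa[x][c];                  /* mismatch: fall back */
        r->dfa[j][(unsigned char)r->pattern[j]] = j + 1;  /* match: advance */
        x = r->dfa[x][(unsigned char)r->pattern[j]];      /* update restart state */
    }
    return 0;
}

/* Normalize before matching: percent-decode %XX and lowercase every byte.
 * dst must have room for strlen(src) + 1 bytes. */
static void normalize(const char *src, char *dst) {
    while (*src) {
        if (src[0] == '%' && isxdigit((unsigned char)src[1]) && isxdigit((unsigned char)src[2])) {
            char hex[3] = { src[1], src[2], '\0' };
            *dst++ = (char)tolower((int)strtol(hex, NULL, 16));
            src += 3;
        } else {
            *dst++ = (char)tolower((unsigned char)*src++);
        }
    }
    *dst = '\0';
}

/* Feed the normalized text through one rule's DFA; 1 if the signature occurs. */
static int rule_matches(const rule_t *r, const char *text) {
    int state = 0;
    for (const unsigned char *p = (const unsigned char *)text; *p; p++) {
        state = r->dfa[state][*p];
        if (state == r->m) return 1;   /* accepting state reached */
    }
    return 0;
}

/* Constructed rule set: a few literal signatures for the three classes the post mentions. */
static rule_t rules[] = {
    { "path-traversal", "../",          0, NULL },
    { "xss",            "<script",      0, NULL },
    { "sqli",           "union select", 0, NULL },
    { "sqli",           "' or '",       0, NULL },
};
#define NRULES (sizeof rules / sizeof rules[0])

/* Decision point of the proxy: name of the first rule that fires on the request
 * line, NULL when it may be forwarded, "internal-error" (treat as block) on failure. */
const char *inspect_request(const char *request_line) {
    static int compiled = 0;
    if (!compiled) {
        for (size_t i = 0; i < NRULES; i++)
            if (compile_rule(&rules[i]) != 0) return "internal-error";
        compiled = 1;
    }
    char *norm = malloc(strlen(request_line) + 1);
    if (!norm) return "internal-error";
    normalize(request_line, norm);
    const char *verdict = NULL;
    for (size_t i = 0; i < NRULES && !verdict; i++)
        if (rule_matches(&rules[i], norm)) verdict = rules[i].name;
    free(norm);
    return verdict;
}

int main(void) {
    /* Constructed sample request lines, not captured traffic. */
    const char *samples[] = {
        "GET /about.html HTTP/1.1",
        "GET /index.php?page=..%2F..%2Fetc%2Fpasswd HTTP/1.1",
        "GET /search?q=%3CScRiPt%3Ealert(1)%3C/script%3E HTTP/1.1",
        "GET /items?id=1%20UNION%20SELECT%20name%20FROM%20users HTTP/1.1",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *v = inspect_request(samples[i]);
        printf("%-15s %s\n", v ? v : "forward", samples[i]);
    }
    return 0;
}
```

In a select()-based proxy this function runs once per complete request line read from the client socket; a non-NULL verdict means answer with a 403 and log the rule name instead of connecting to the backend. Note the limitation a literal-signature engine has: "union select" with a single space only matches that exact separator, so the breadth of the normalization step (decoding, whitespace and comment folding) matters as much as the rule list.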
No more words, look at the following:

Thank you for reading this! 

1 comment:

  1. I'm very glad to find this site! There is always a lot of important information. I like coming here. Thank you. Earning Money Online