Skip to content

kaushikd49/waf

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

35 Commits
src
src
 
 
.gitignore
.gitignore
 
 
NetSec Project Report.pdf
NetSec Project Report.pdf
 
 
Presentation_PPTs.pptx
Presentation_PPTs.pptx
 
 
README.md
README.md
 
 
access_waf.log
access_waf.log
 
 

Repository files navigation

###Web Application Firewall

A web application firewall (WAF) is a system running in-front of a web server that is responsible of inspecting all traffic coming from the Internet and relaying it to the actual web server. If a WAF sees traffic that contains an attack, it should just drop the request and do not forward it to the application. WAFs have the ability to protect (to a certain extent) vulnerable web applications by ensuring that malicious traffic never reaches the vulnerable code.

In this project, we designed and implemented a Web Application Firewall that "sits" in-front of a web server. We implemented the WAF as an Apache Module. The WAF recognizes malicious requests using two methods: signatures and anomaly detection.

The details of the project are in the report.

#####Detection Methods

  • Signatures

    In this mode, our WAF should support a database of signatures that are characteristic of maliciousness. The design has a way to encode signatures, so that we can specify where exactly is the string that we want to match.

  • Anomaly Detection

    While signatures are a great way to stop known attacks, they can't stop attacks that do not have corresponding signatures. In anomaly detection, we can "learn" how legitimate traffic looks like and then if some future traffic is too different from what we've learned, we do not allow it to proceed. Here, we split the system in a training phase and an online phase. In the training phase, the WAF does not stop anything. It just collects information about all traffic passing through it. The user is then trying to use the website as much as possible, click on all possible links, and perform all possible actions. When the user is satisfied that she has exercised the web application as much as possible, it asks the WAF to create a normality profile. The WAF will look through all requests and try to make generalized rules. For this project, we learn automatically the following things: Maximum number of parameters seen for all requests across all pages Maximum number of parameters seen for every specific page Average length of values for every specific parameter of every specific page E.g. the average length of the values of the parameter foo on example.com/index.php is 12 characters Character set of any specific parameter E.g. the parameter name on example.com/#.phpwas always comprised out of letters and numbers, but never out of special characters The detection should happen as follows: For profiles involving maximum number of parameters, drop requests that exceed that maximum number For profiles involving averages, assume a normal distribution, compute the standard deviation, and drop all values that are not part of the mean+-3*sd For profiles involving character sets, drop requests with parameters containing character from sets not seen during training

####Overall

Together with the WAF we delivered a web application where the WAF is trained upon.

About

NetSec project

Resources

Readme
Activity

Stars

2 stars

Watchers

6 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages