
A simple Web Application Firewall (WAF) built using Ruby, with advanced features such as blocking automatic fuzzing tools, blocking sensitive paths, and detecting vulnerabilities.

functionofpwnosec/RubyWAF


Introduction

RubyWAF is a simple application built with Ruby and the Sinatra web framework. It acts as a Web Application Firewall (WAF) that protects web applications from malicious traffic such as brute-force requests, access to sensitive paths, and exploitation of common vulnerabilities such as XSS (Cross-Site Scripting). By combining Ruby with a few specialized middleware components, RubyWAF can analyze, detect, and block such attacks easily and quickly.

Main Features of RubyWAF

  1. Blocking Brute-force Fuzzing Tools: RubyWAF can detect attacks that use automated tools such as directory fuzzers or brute-force scripts. These attacks are often used to find hidden directories or endpoints in web applications. The WAF detects IPs that make too many requests and blocks them once they exceed the configured limit.
  • Pros: Stops IPs that brute-force the application looking for sensitive files or directories.
  • Logic: If one IP makes more than 100 requests in a short period of time, it is blocked to stop the brute-force attempt.
  2. Blocking Access to Sensitive Paths: One of the most common threats to web applications is unauthorized access to sensitive paths or files, such as /admin, /config, or /db. This feature uses a YAML configuration file that holds the list of sensitive paths that must not be publicly accessible. If a request tries to reach one of these paths, the WAF blocks it automatically.
  • Pros: Prevents attackers from reaching vulnerable or critical paths in the application.
  • Configuration: Sensitive paths can be updated easily via the sensitive_paths.yml file.
  3. Request Analysis to Detect XSS Attacks: The WAF also analyzes incoming requests for potentially malicious payloads, such as XSS payloads. It examines the request parameters for suspicious script patterns, such as <script>. If a suspicious payload is found, the WAF returns a 400 Bad Request response.
  • Pros: Protects the application from script-injection attacks such as XSS, which can steal user data or run malicious code in the user's browser.
  4. Modular and Easy to Develop: RubyWAF is designed with a modular approach. Each core function, such as IP blocking and sensitive path blocking, is implemented as a separate middleware, so developers can add features or update the logic of one module without affecting the rest of the system.
  • Pros: Easy to customize and extend to meet additional security needs or business logic.
  5. Flexibility in Feature Additions: RubyWAF can easily be extended with other features, such as:
  • Blocking SQL Injection attacks: by adding a module that detects malicious SQL patterns in request parameters.
  • Rate Limiting: detecting and blocking requests that exceed a set limit to prevent DoS (Denial of Service).
  • Activity Monitoring: logging suspicious requests and storing the information for later analysis or ongoing detection.
  6. Configuring Sensitive Paths with YAML: Using the config/sensitive_paths.yml configuration file, administrators can manage the sensitive paths that need protection without changing the program code.
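The three protections in the feature list, written out as an added example (not the project's own code): each class follows the Rack middleware convention (an env hash in, a [status, headers, body] triple out), so it could be mounted in a Sinatra app with `use`. The YAML document is a constructed stand-in for config/sensitive_paths.yml (its `sensitive_paths` key is an assumption), and the 429/403/400 status codes, the 60-second window and the extra `javascript:` pattern are choices of this example.

```ruby
require 'uri'
require 'yaml'
# Constructed stand-in for config/sensitive_paths.yml; the top-level key is an assumption.
SENSITIVE_PATHS_YAML = "sensitive_paths:\n  - /admin\n  - /config\n  - /db\n"
PLAIN = { 'content-type' => 'text/plain' }.freeze

# Blocks an IP that makes more than `limit` requests inside a sliding `window` of seconds.
class IpBlocker
  def initialize(app, limit: 100, window: 60)
    @app, @limit, @window = app, limit, window
    @hits = Hash.new { |h, k| h[k] = [] }   # ip => timestamps of its recent requests
  end
  def call(env)
    now = Time.now.to_f
    hits = @hits[env['REMOTE_ADDR']]
    hits.reject! { |t| now - t > @window }  # forget requests older than the window
    hits << now
    hits.size > @limit ? [429, PLAIN, ['Too Many Requests']] : @app.call(env)
  end
end

# Rejects a request whose path is, or is nested under, any listed sensitive path.
class SensitivePathBlocker
  def initialize(app, yaml = SENSITIVE_PATHS_YAML)
    @app = app
    @paths = YAML.safe_load(yaml).fetch('sensitive_paths')
  end
  def call(env)
    path = env['PATH_INFO'].to_s
    blocked = @paths.any? { |p| path == p || path.start_with?("#{p}/") }
    blocked ? [403, PLAIN, ['Forbidden']] : @app.call(env)
  end
end

# Answers 400 Bad Request when any decoded query parameter carries a script-like pattern.
class XssDetector < Struct.new(:app)
  PATTERN = /<\s*script|javascript:/i
  def call(env)
    values = URI.decode_www_form(env['QUERY_STRING'].to_s).map(&:last)
    values.any? { |v| v.match?(PATTERN) } ? [400, PLAIN, ['Bad Request']] : app.call(env)
  rescue ArgumentError                      # malformed (non-ASCII) query string
    [400, PLAIN, ['Bad Request']]
  end
end
BACKEND = ->(_env) { [200, PLAIN, ['ok']] }   # hypothetical protected application
WAF = IpBlocker.new(SensitivePathBlocker.new(XssDetector.new(BACKEND)))

# Drives the chain with a minimal Rack env and returns only the HTTP status code.
def waf_status(ip, path, query = '')
  WAF.call('REMOTE_ADDR' => ip, 'PATH_INFO' => path, 'QUERY_STRING' => query).first
end
```

Note that the path check is exact-or-nested (`/admin` and `/admin/users` are blocked, `/administrator` is not), and that the IP counter sits outermost, so blocked requests still count toward the limit.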

Installation and Use

Requirements:

  • Ruby: The latest version of Ruby must be installed on your system.
  • Bundler: Used to manage Ruby dependencies. If not already installed, you can install it with:
gem install bundler

Installation Steps:

  1. Clone the Repository:
git clone https://github.com/functionofpwnosec/RubyWAF
cd RubyWAF
  2. Install Dependencies: Once you are inside the project folder, run:
bundle install
  3. Run the App: To start the WAF application:
ruby waf.rb

Access the Web Application: Once the application is running, you can access it through your browser at http://localhost:4567.

Advanced Development:

RubyWAF can be further developed by adding other features according to your specific needs. Some ideas that could be implemented include:

  • Detection of SQL Injection attacks by analyzing query patterns.
  • Logging of suspicious activity for further analysis.
  • Integration with alert systems to send notifications in the event of an attack.

Thus, this WAF not only protects against simple attacks, but also provides a solid foundation for protecting web applications from more complex threats in the future.
