2025-03-26 Update From: SLTechnology News&Howtos (Network Security)
Shulou(Shulou.com)06/01 Report--
1. ModSecurity
ModSecurity has a history of more than 10 years. It started as a security module for Apache and later developed into an open source, cross-platform web application firewall. It protects a website by inspecting both the data the web service receives and the data it sends out.
Its greatest strength is that the well-known security community OWASP develops and maintains a free set of application protection rules, the OWASP ModSecurity Core Rule Set (CRS), which covers dozens of common web attack categories, such as SQL injection, XSS cross-site scripting, DoS and so on.
Project address: https://github.com/SpiderLabs/ModSecurity
2. HiHTTPS
Hihttps is a high-performance web application + MQTT Internet of Things firewall, one of the few with complete source code; it is compatible with ModSecurity rules and is open source. It is extremely easy to use: the executable is only about 10 MB, yet it offers a full range of protection features, including vulnerability scanning, CC & DDoS protection, password brute-force protection, SQL injection, XSS attacks and so on.
More importantly, the commercial version of hihttps, which is based on machine learning, is also free. The machine automatically collects samples for unsupervised learning and automatically generates countermeasure rules. As we all know, commercial WAFs such as those from Aliyun / Tencent Cloud are so expensive that many small and medium-sized enterprises cannot afford them. You can download hihttps for free and try it.
Project address: https://github.com/qq4108863/ Official website: http://www.hihttps.com
3. Naxsi
Naxsi is a firewall implemented as an Nginx module. It has its own rule definition format and advocates a minimal rule set. The project is written in C, and you need to be proficient in the Nginx source code to understand it.
Project address: https://github.com/nbs-system/naxsi
4. OpenWAF
OpenWAF analyzes HTTP request information through the Nginx Lua API. It is composed of a behavior analysis engine and a rule engine: the rule engine mainly analyzes a single request, while the behavior analysis engine is responsible for tracking information across requests.
The rule engine is inspired by ModSecurity and FreeWAF (lua-resty-waf), and implements the ModSecurity rule mechanism in Lua.
On top of the rule engine it provides protection such as protocol compliance checks, automated-tool detection, SQL injection, cross-site scripting, information disclosure, abnormal requests and so on. Rules can be added dynamically, so vulnerabilities can be patched in a timely manner. The disadvantage is that it is complex and not suitable for developers who are not familiar with Nginx and the Lua language.
Project address: https://github.com/titansec/OpenWAF
5. FreeWAF
FreeWAF is an open source web application firewall product. It works at the application layer and performs two-way deep inspection of HTTP: it protects web applications in real time, prevents application-layer vulnerabilities from being used to illegally obtain or destroy website data, and effectively resists all kinds of attacks, such as SQL injection, XSS, CSRF attacks, buffer overflows, application-layer DoS/DDoS attacks, etc. At the same time, error messages, malicious content and non-compliant content in the web server's responses are filtered in real time to avoid leaking sensitive information and to ensure the reliability of the website's information. However, the project has not been updated for a long time.
6. ESAPI WAF
This is an open source WAF provided by the OWASP ESAPI project. It is implemented on J2EE and is driven mainly by XML configuration. During installation, ESAPIWebApplicationFirewallFilter is configured as a filter in web.xml, and input and output are processed before and after the application respectively.
7. unixhot
Unixhot uses Nginx + Lua to implement a custom WAF. In short, it is very simple: parse the HTTP request (protocol parsing module), check it against rules (rule module), take different defensive actions (action module), and record the defense process (log module).
Project address: https://github.com/unixhot/waf
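The following is an added example that illustrates the two architectures described above (OpenWAF's single-request rule engine plus cross-request behavior engine, and unixhot's parse / rule / action / log module chain) as one small Python pipeline. It is not code from either project: the regex signatures, the rate-limit threshold (5 requests per 1 second window), the sample requests and the IP addresses are all constructed for the demo.

```python
"""Toy WAF pipeline: protocol parsing -> rule engine -> behaviour engine -> action -> log.
Added example, not OpenWAF or unixhot code; signatures and limits are constructed for the demo."""
import re
import urllib.parse
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Request:
    client_ip: str
    method: str
    path: str      # percent-decoded path
    args: dict     # decoded query parameters, name -> last value
    headers: dict  # lower-cased header name -> value


def parse_request(raw: bytes, client_ip: str) -> Request:
    """Protocol-parsing module: turn the head of a raw HTTP/1.1 request into a Request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    parts = urllib.parse.urlsplit(target)
    query = urllib.parse.parse_qs(parts.query, keep_blank_values=True)
    args = {name: values[-1] for name, values in query.items()}
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(client_ip, method, urllib.parse.unquote(parts.path), args, headers)


@dataclass
class Rule:
    rule_id: int
    message: str
    pattern: re.Pattern


# Constructed signatures for the demo; a real rule set (e.g. CRS) has far more careful rules.
RULES = [
    Rule(1001, "SQL injection", re.compile(r"(?i)\bunion\b.+\bselect\b|'\s*or\s+\d+\s*=\s*\d+")),
    Rule(1002, "Cross-site scripting", re.compile(r"(?i)<\s*script\b|javascript:")),
    Rule(1003, "Path traversal", re.compile(r"\.\./")),
]


def rule_engine(req: Request):
    """Rule module: inspect a single request; return the first matching rule or None."""
    for rule in RULES:
        for value in [req.path, *req.args.values()]:
            if rule.pattern.search(value):
                return rule
    return None


class BehaviourEngine:
    """Behaviour-analysis module: state spanning requests (per-client sliding-window rate limit)."""

    def __init__(self, max_requests: int, window_seconds: float):
        self.max_requests = max_requests
        self.window = window_seconds
        self.history = defaultdict(deque)  # client_ip -> timestamps inside the window

    def is_flooding(self, client_ip: str, now: float) -> bool:
        stamps = self.history[client_ip]
        stamps.append(now)
        while stamps and now - stamps[0] > self.window:
            stamps.popleft()
        return len(stamps) > self.max_requests


class WAF:
    """Action module: combine the engines and decide allow (200), deny (403) or throttle (429)."""

    def __init__(self, behaviour: BehaviourEngine):
        self.behaviour = behaviour
        self.log = []  # log module: one record per decision

    def _log(self, req, now, decision, reason):
        self.log.append({"time": now, "ip": req.client_ip, "path": req.path,
                         "decision": decision, "reason": reason})

    def handle(self, raw: bytes, client_ip: str, now: float) -> int:
        req = parse_request(raw, client_ip)
        rule = rule_engine(req)
        if rule is not None:
            self._log(req, now, "deny", f"rule {rule.rule_id}: {rule.message}")
            return 403
        if self.behaviour.is_flooding(client_ip, now):
            self._log(req, now, "deny", "request flood (CC protection)")
            return 429
        self._log(req, now, "allow", "")
        return 200


def run_demo():
    """Feed constructed requests through the pipeline; returns (status codes, log records)."""
    waf = WAF(BehaviourEngine(max_requests=5, window_seconds=1.0))
    ip_a, ip_b = "198.51.100.7", "203.0.113.9"  # constructed documentation-range addresses
    codes = [
        waf.handle(b"GET /search?q=shoes HTTP/1.1\r\nHost: example.test\r\n\r\n", ip_a, 100.0),
        waf.handle(b"GET /search?q=%27+or+1%3D1 HTTP/1.1\r\nHost: example.test\r\n\r\n", ip_a, 100.1),
        waf.handle(b"GET /profile?name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1\r\n\r\n", ip_a, 100.2),
        waf.handle(b"GET /static/../../etc/passwd HTTP/1.1\r\nHost: example.test\r\n\r\n", ip_a, 100.3),
    ]
    # Six requests within half a second from one client: the sixth exceeds the window limit.
    for i in range(6):
        codes.append(waf.handle(b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n", ip_b, 200.0 + 0.05 * i))
    return codes, waf.log


if __name__ == "__main__":
    for code, entry in zip(*run_demo()):
        print(code, entry["ip"], entry["path"], entry["reason"])
```

The rule engine only ever sees one request, which is why it cannot notice a flood of individually harmless requests; that is the job of the behaviour engine, which keeps per-client state across calls. In a real deployment the same split appears in OpenWAF and in the unixhot modules, with Lua running inside Nginx instead of this stand-alone script.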
8. Java WAF
Very few WAFs are developed in Java; here we found an API gateway developed in Java. Because this WAF is built on top of the open source proxy LittleProxy, it uses Netty underneath. Functionally, it supports security interception, various kinds of analysis and detection, scripts (sandboxed), flow control / CC protection, etc. For Java enthusiasts who don't know C, this is a blessing.
Project address: https://github.com/chengdedeng/waf
9. X-WAF
X-WAF is a cloud WAF system for small and medium-sized enterprises, which makes it very convenient for them to have their own free cloud WAF. The core is developed on OpenResty + Lua; the WAF management backend is developed with Golang + xorm + macaron and supports binary deployment.
Project address: https://github.com/xsec-lab/x-waf
10. VeryNginx
VeryNginx is also developed on lua-nginx-module (OpenResty) and implements an advanced firewall, access statistics and other functions. It runs integrated inside Nginx, extends Nginx's own functionality, and provides a friendly web interface.
Project address: https://github.com/alexazhou/VeryNginx/
Evaluation:
Traditional WAF rules have difficulty dealing with unknown vulnerabilities and unknown attacks. Commercial WAFs have shifted from traditional feature engineering to automatic defense based on machine learning. There is almost no open source WAF in this area; hihttps is the only free WAF that supports machine learning. In the future, web security must be dominated by AI.
© 2024 shulou.com SLNews company. All rights reserved.