- Detects and prevents Reflected and Stored XSS attacks by dropping requests or escaping dangerous characters
- Detects and prevents SQL injections by matching form input in vulnerable forms to SQL commands and escape characters
- Prevents DoS for the web server by rate limiting
- Supports TLS with HTTPS for requests
- Adds security headers to requests
- Checks for breached emails/passwords
Screenshots: Blocked XSS; Detecting a password found in a breach (using the HaveIBeenPwned API); Detecting an email address found in a breach.

See the PDF for more pictures and information.
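The breached-password check listed above relies on the HaveIBeenPwned range (k-anonymity) API: only the first five hex characters of the password's SHA-1 hash leave the host, and the matching of the remaining 35 characters happens locally. The snippet below is an added illustration of that lookup, not code from py-waf; the sample range response is constructed (real responses contain hundreds of lines and real counts).

```python
import hashlib
import urllib.request
from typing import Tuple

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    that is sent to HIBP and the 35-char suffix that never leaves the host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count_from_range(password: str, range_body: str) -> int:
    """Parse a range response ('SUFFIX:COUNT' per line, CRLF or LF separated)
    and return how many times the password appears in known breaches (0 if absent)."""
    _, suffix = sha1_prefix_suffix(password)
    for line in range_body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue  # skip blank or malformed lines
        candidate, count = line.split(":", 1)
        if candidate.strip().upper() == suffix:
            return int(count.strip())
    return 0


def fetch_range(prefix: str) -> str:
    """Fetch the range for a 5-char prefix (network access required)."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"User-Agent": "breach-check-example"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


def password_is_breached(password: str) -> bool:
    """Full online check: send only the prefix, match the suffix locally."""
    prefix, _ = sha1_prefix_suffix(password)
    return breach_count_from_range(password, fetch_range(prefix)) > 0


# Constructed sample response for prefix 5BAA6 (the prefix of "password");
# the neighbouring suffixes and all counts are made up for the example.
SAMPLE_RANGE_5BAA6 = (
    "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234\r\n"
    "1E5EB9CD5A18F9D8E6F4A1A2D4E73C0B11C:1\r\n"
)

if __name__ == "__main__":
    print(breach_count_from_range("password", SAMPLE_RANGE_5BAA6))
```

A WAF would run this at login or registration time and reject or flag the request when the returned count is non-zero, without ever transmitting the full hash.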
The project is available on Docker Hub here. Pull the container locally with:

```
docker pull docker.io/nineluj/py-waf
```
- Create a venv for Python 3.8 (in the root directory of the project):

  ```
  python --version   # should report ... 3.8 ...
  python -m venv venv
  ```

- Activate the venv in your shell:

  ```
  source venv/bin/activate
  ```

- Install the requirements:

  ```
  pip install -r requirements.txt
  ```

- Validate the config. A sample config is provided in `config/config.sample.yml`.

- Run:

  ```
  ./run.py --config <path to config>
  ```
Use a tool like minica to create the certificates. Make sure that the root certificate is trusted by your OS/browser (easiest is to trust it in Firefox if you use that).

After that, edit your config to include:

```yaml
use_ssl: Yes
ssl_cert: <path>.pem
ssl_key: <path>.key
```

Running the Flask app again should make the server run with HTTPS.
- Run the testing container:

  ```
  docker run -it --name vuln_app -p 4040:4040 santosomar/vuln_app:latest /bin/bash
  ```

  OR

  ```
  docker run --rm -it -p 4040:80 vulnerables/web-dvwa
  ```

- Run the WAF:

  ```
  docker run -v <local>:<container> -it pywaf --config <path_to_config>
  ```
- Run the testing container:

  ```
  podman run -it --name vuln_app --pod new:waf -p 4040:4040 -p 9991:80 santosomar/vuln_app:latest /bin/bash
  ```

- Run the WAF:

  ```
  podman run -it --pod waf -v <local>:/tmp/dir --rm pywaf -c /tmp/dir/config.yml
  ```