Skip to content

souhayla-dvp/WAF-Project

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 
 
 
 
 
 
 

Repository files navigation

WAF Project - Web Application Firewall

A comparative analysis of three WAF approaches protecting DVWA (Damn Vulnerable Web Application):

  1. Unprotected - DVWA with no protection
  2. Open-Source WAF - OWASP ModSecurity CRS (nginx)
  3. Custom WAF - Python reverse proxy with regex-based detection

Architecture

Browser --> :80   (DVWA direct - no protection)
Browser --> :8080 (ModSecurity CRS - open-source WAF)
Browser --> :9090 (Custom WAF - Python reverse proxy) --> :80 (DVWA)

Prerequisites

Quick Start

1. Start DVWA and ModSecurity (Docker)

cd Code-files
docker compose up -d

This starts:

  • DVWA on http://localhost (port 80)
  • ModSecurity CRS on http://localhost:8080

2. Start the Custom WAF

Open a separate terminal:

cd Code-files
python waf.py

The custom WAF starts on http://localhost:9090 and forwards clean traffic to DVWA.

3. Set Up DVWA

  1. Go to http://localhost
  2. Click Create / Reset Database
  3. Login with admin / password
  4. Go to DVWA Security and set it to Low

4. Access Points

URL Protection
http://localhost None (unprotected)
http://localhost:8080 ModSecurity CRS
http://localhost:9090 Custom WAF

Custom WAF Features

  • 33 detection rules across 7 attack categories:
    • SQL Injection (10 rules)
    • Cross-Site Scripting (9 rules)
    • Path Traversal (3 rules)
    • Command Injection (4 rules)
    • SSRF (3 rules)
    • Protocol Attacks (3 rules)
    • LDAP Injection (1 rule)
  • Multi-layer input normalization - recursive URL decoding, HTML entity decoding, null byte stripping
  • Rate limiting - 100 requests/60s per IP with auto-block
  • Response hardening - injects security headers (X-Frame-Options, X-Content-Type-Options, etc.)
  • Cookie hardening - enforces HttpOnly and SameSite=Strict flags
  • Server masking - hides backend server identity
  • Structured JSON logging with unique incident IDs

Testing

Run the Automated Test Suite

With the WAF running, open another terminal:

cd Code-files
python test_&_analysis.py

This runs 33 attack payloads and 10 legitimate requests against all three setups and produces a comparison report.

Run Nikto Scanner (via Docker)

# Scan unprotected DVWA
docker run --rm --add-host=host.docker.internal:host-gateway alpine/nikto -h http://host.docker.internal:80

# Scan ModSecurity CRS
docker run --rm --add-host=host.docker.internal:host-gateway alpine/nikto -h http://host.docker.internal:8080

# Scan Custom WAF
docker run --rm --add-host=host.docker.internal:host-gateway alpine/nikto -h http://host.docker.internal:9090

Test Results

Metric Unprotected ModSecurity CRS Custom WAF
Block Rate 0% (0/33) 90.9% (30/33) 100% (33/33)
False Positives 0/10 0/10 0/10
Nikto Issues 7 7 2

Project Structure

WAF/
├── README.md
├── WAF Project.pdf              # Project requirements
├── WAF_Final_Report_v2.docx     # Final analysis report
├── Screenshots/                 # Proof of concept screenshots
│   ├── database data leaked.png
│   ├── SQLi_blocked.png
│   ├── XSS_Attack_blocked.png
│   ├── SQLi_blocker_customWAF.png
│   ├── XSS_Attack_blocked_customWAF.png
│   ├── XSS_Proof.png
│   └── XSS.png
└── Code-files/
    ├── waf.py                   # Custom WAF source code
    ├── docker-compose.yml       # DVWA + ModSecurity setup
    ├── test_&_analysis.py       # Phase 4 comparison test suite
    └── waf_blocked.log          # WAF attack logs

Stopping

# Stop Custom WAF
Ctrl+C in the WAF terminal

# Stop Docker containers
cd Code-files
docker compose down

About

Comparative analysis of WAF approaches (Unprotected vs. ModSecurity CRS vs. Custom Python WAF) protecting DVWA — with automated attack testing across SQL Injection, XSS, Command Injection, and more.

Topics

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages