Skip to content

Light WAF v0.1.0

Choose a tag to compare

@0x00spor3 0x00spor3 released this 28 Jun 20:12

Light WAF v0.1.0 — First public release

A fast, modular Layer-7 Web Application Firewall written in Rust, operating as a
reverse proxy: it inspects every HTTP request, accumulates a CRS-style anomaly score,
and decides Allow / Block (403) / Reject (400 | 429) before forwarding to the backend.

This is the first release published to crates.io.

Highlights

Detection

  • Injection & evasion: SQLi, XSS, LFI/RFI, SSRF, RCE/Cmd-injection (incl. URL path,
    expression-language, VBScript/ASP webshell), MSSQL OS-exec procedures (xp_cmdshell…),
    LDAP, NoSQL, Mail (SMTP/IMAP), SSTI, SSI, XXE.
  • Scanner / tool fingerprinting on User-Agent (sqlmap, nuclei, OpenVAS, ffuf…) + OOB domains.
  • Path traversal, CRLF/header injection (field-aware), request smuggling (CL/TE) → 400.
  • GraphQL (structural): depth / alias / field / directive / batch caps → 400, introspection → 403.
  • gRPC (structural): protobuf de-framing into the content modules + message-size / field-count /
    nesting-depth caps and compressed-payload policy → 400 (HTTP/2, h2c with trailer relay).
  • Rate limiting L7 (token bucket per resolved client IP).

Anti-evasion normalization

Double-encoding-aware percent-decode, NFKC, pipeline-wide overlong-collapse, and a multi-transform
derived channel (decode-then-match-then-discard): base64, HTML-entity decode, mid-token
tag/control-strip, VBScript-concat de-obfuscation — also composed over base64 variants.

Transport & operability

  • TLS termination (rustls, cert-from-file): one port serves HTTP/1.1 and HTTP/2 via ALPN;
    fail-closed, no cleartext downgrade ([tls], opt-in).
  • External TOML config with semantic validation, per-scenario fail-open/closed ([resilience]),
    hot reload via SIGHUP (validate-then-swap, Unix), trusted-proxy client-IP resolution.
  • Configurable cumulative scoring, paranoia levels (PL1–4), structured JSON logging, and a
    fast-path that skips inspection on provably benign traffic (equivalence-tested).

Extensibility & observability (all OPEN, all default-off)

  • WASM plugins — a Proxy-Wasm runtime on wasmi loads
    .wasm filters as detection modules without forking the core (instance pool, fuel/memory DoS
    caps, fail-closed). See examples/wasm-plugin/.
  • OWASP CRS / ModSecurity import — a seclang parser + subset evaluator runs imported
    SecRule files as a module, with a boot skip-report for unsupported directives.
  • Prometheus metrics — opt-in /metrics export on a separate loopback listener.

Quality & validation

  • Detection is frozen and measured by a versioned corpus: 260 cases, 100% detection-recall
    on tracked-malicious cases and 0% false positives at PL3 (documented ExpectedMiss aside).
  • 9 custom parsers fuzzed (cargo-fuzz/ASan) + always-on cross-platform proptest invariants;
    ReDoS impossible by construction (linear-time regex, no backtracking).
  • Isolated inspection latency ~2 µs worst-case PL3 (p99 ~3.1 µs) — well under the < 1 ms contract.

Install

# the binary (command: `waf`)
cargo install waf-proxy

# or use the core as a library (open-core, no fork — embed via Proxy::builder + seams)
cargo add waf-core

Run with one of the example profiles:

waf --config examples/balanced.toml

Published crates

Crate Role
waf-core Base types, WafModule/Decision, StateStore seam
waf-normalizer Decode + NFKC + parsing + limits
waf-pipeline Phased orchestrator + anomaly scoring
waf-detection Detection modules + fast-path prefilter
waf-wasm Proxy-Wasm runtime (wasmi)
waf-proxy The binary (waf) + embeddable lib

License

Open source under Apache-2.0. The open-source vs. enterprise boundary is documented
normatively in BOUNDARY.md.