Shockfish

Shockfish is an experimental, classic-style web application firewall (WAF) written in Python.

Its main goals are to demonstrate common application security methods and algorithms implemented in WAFs, to help web developers and security engineers better understand how web application firewalling works, and to illustrate some fundamental problems of this technology.

Shockfish is created for demonstration purposes only and must not be used in production.

Installation

git clone https://github.com/PositiveTechnologies/shockfish.git
cd shockfish
python3 setup.py install

Deployment

The Shockfish config file is located at /etc/shockfish/shockfish.json by default.

The following config protects the www.example.com web application, whose IP address is 192.168.2.2.

  1. Specify the protected web server:
{
   "backend": {
       "host": "192.168.2.2",
       "port": 80
   },
   ...
}
  2. Specify the virtual server interface and port:
{
   "virtual": {
       "interface": "192.168.1.2",
       "port": 80
   },
   ...
}
  3. Add the following record to /etc/hosts or configure the DNS server:
192.168.1.2 www.example.com
  4. Run the following command:
sudo python3 -m shockfish

Description

Core

The Shockfish core is based on the Twisted framework.

Restrictions:

  1. It supports only reverse proxy mode.
  2. It does not support URL rewriting, so you should run Shockfish on the same port as the protected web application.

Protectors

Shockfish implements classic protection mechanisms (protectors) against the following attacks:

  • Reflected Cross-Site Scripting (XSS)
  • DOM-based XSS
  • CRLF injection
  • SQL injection
  • SSRF
  • LDAP injection

Protection against DOM-based XSS is performed on the client side by the shockfish.js JavaScript module. All detected DOM-based XSS attempts are blocked and logged to the browser console.

Attacks

Shockfish has some weaknesses and vulnerabilities in its normalization, parsing and protectors. That is why it is vulnerable to the following classic attacks:

  • HTTP Parameter Pollution (HPP)
  • HTTP Parameter Contamination (HPC)
  • parsing differentials
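To make the HPP and parsing-differential weaknesses above concrete, here is an added example (not Shockfish's own code) contrasting a protector that inspects only the first value of each query parameter with one that inspects every occurrence, next to two modelled backends that disagree on which duplicate wins. The signature list, function names and the "first wins" / "last wins" backend models are illustrative assumptions, not taken from the project.

```python
"""Added example: why a one-value-per-parameter check is bypassed by HPP,
and why WAF/backend parsing differentials matter. Not part of Shockfish."""
import re
from urllib.parse import parse_qs, parse_qsl

# Constructed, deliberately minimal SQL-injection signatures (illustration only).
SIGNATURES = [
    re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.I),
]


def is_malicious(value: str) -> bool:
    """Return True if any signature matches the (already URL-decoded) value."""
    return any(sig.search(value) for sig in SIGNATURES)


def naive_protector(query: str) -> bool:
    """Weak protector: inspects only the FIRST value of each parameter name.
    A second occurrence of the same name (HPP) is never looked at."""
    params = parse_qs(query, keep_blank_values=True)
    return any(is_malicious(values[0]) for values in params.values())


def hardened_protector(query: str) -> bool:
    """Value-complete protector: inspects EVERY occurrence of every parameter,
    so it does not depend on which duplicate the backend will pick."""
    return any(is_malicious(v) for _, v in parse_qsl(query, keep_blank_values=True))


def backend_first_wins(query: str) -> dict:
    """Model of a backend that keeps the first occurrence of a duplicate name."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def backend_last_wins(query: str) -> dict:
    """Model of a backend that keeps the last occurrence (dict() keeps the last)."""
    return dict(parse_qsl(query, keep_blank_values=True))


def parsing_differential(query: str) -> bool:
    """True when the two backend models would see different parameter values,
    i.e. when a WAF guessing the wrong model can be bypassed."""
    return backend_first_wins(query) != backend_last_wins(query)


if __name__ == "__main__":
    q = "id=1&id=1%20UNION%20SELECT%201,2"   # constructed HPP request
    print("naive:", naive_protector(q), "hardened:", hardened_protector(q))
    print("differential:", parsing_differential(q), backend_last_wins(q))
```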

References

English

  1. Waf.js: How to Protect Web Applications using JavaScript.
  2. Waf.js: How to Protect Web Applications using JavaScript (video).

Russian

  1. Who said WAF? (video).
  2. Who said WAF?
  3. Web Application Security Methods and Algorithms.
  4. Waf.js: How to Protect Web Applications using JavaScript (video).
  5. Waf.js: How to Protect Web Applications using JavaScript.