Shockfish is a classic experimental Python-based web application firewall (WAF).
Its main goals are to demonstrate common application security methods and algorithms implemented in WAFs, help web developers and security engineers better understand the processes of web applications firewalling, and illustrate some fundomental problems of this technology.
Shockfish is created for demonstration purposes only and must not be used in production.
git clone https://github.com/PositiveTechnologies/shockfish.git
cd shockfish
python3 setup.py install
Shockfish config file is located at /etc/shockfish/shockfish.json by default.
The following config lets you protect a www.example.com web-application, which has 192.168.2.2 IP-address.
- Specify a protected web-server:
{
"backend": {
"host": "192.168.2.2",
"port": 80
},
...
}
- Specify a virtual server interface and port:
{
"virtual": {
"interface": "192.168.1.2",
"port": 80
},
...
}
- Add the following record to
/etc/hostsor configure DNS server:
192.168.1.2 www.example.com
- Run the following command:
sudo python3 -m shockfish
Shockfish core is based on the Twisted framework.
Restrictions:
- It supports only a
reverse proxymode. - It does not support URL rewriting, so you should run
shockfishon the same port as a protected web-application.
Shockfish implements classic protection mechanisms (protectors) against the following attacks:
- Reflected Cross-Site Scripting (XSS)
- DOM-based XSS
- CRLF injection
- SQL injection
- SSRF
- LDAP injection
Protection against DOM-based XSS is performed on a client-side using shockfish.js JavaScript module. All detected DOM-based XSS are blocked and logged into the browser console.
Shockfish has some weaknesses and vulnerabilities in normalization, parsing and protectors. That is why it is vulnerable to the following classic attacks:
- HPP
- HPC
- parsing differentials