In [92]:
import joblib
import base64

In [97]:
class WafDetector:
    def __init__(self):
        self.predictor = joblib.load('./request_predictor.joblib')

    def try_decode_per_field(self, payload: str) -> str:
        fields = payload.split('&')
        decoded_fields = []
        
        for field in fields:
            try:
                if '=' in field:
                    key, value = field.split('=', 1)
                else:
                    key, value = field, ''
                
                current_value = value
                while True:
                    decoded_value = base64.b64decode(current_value).decode('utf-8')
                    current_value = decoded_value
                
            except (base64.binascii.Error, UnicodeDecodeError):
                decoded_fields.append(f"{key}={current_value}" if value else key)
        
        return '&'.join(decoded_fields)

    def parse_payload(self, payload):
        if isinstance(payload, str):
            return [payload]
        elif isinstance(payload, list):
            return payload
        else:
            raise ValueError("Payload must be a string or a list of strings.")

    def predict(self, payload):
        results_payload = []

        if isinstance(payload, str):
            payload = [payload]
        
        for entry in payload:
            decoded_entry = self.try_decode_per_field(entry)
            results_payload.append(decoded_entry)
        print(results_payload)
        parsed_payload = self.parse_payload(results_payload)
        return self.predictor.predict(parsed_payload)

In [98]:
waf = WafDetector()

In [106]:
payloads = [
    # SQL Injection
    "username=admin' OR '1'='1&password=pass&submit=true",
    "username=kiannaquines&password=password@1234&is_admin=true&submit=true' OR '1' = '1 --",
    "username=admin' OR '1'='1' -- &password=pass&submit=true",
    "username=admin' UNION SELECT null, username, password FROM users -- &password=pass&submit=true",
    "username=admin' AND 1=CONVERT(int, (SELECT @@version)) -- &password=pass&submit=true",
    "username=admin' AND (SELECT COUNT(*) FROM users) > 0 -- &password=pass&submit=true",

    # XSS
    "username=kiannaquines&password=<script>alert('XSS')</script>&submit=true",
    "username=test&password=<svg/onload=alert('XSS')>&submit=true",
    "username=attacker&password=\" onmouseover=alert('XSS')&submit=true",
    "username=<img src=x onerror=alert('XSS')>&password=test&submit=true",

    # Command Injection
    "username=kiannaquines&password=password@1234567890&is_admin=true&submit=true; rm -rf /",
    "username=root&password=password&submit=true; ls -la",
    "username=admin&password=pass&submit=true; cat /etc/passwd",
    "username=test&password=1234 | whoami&submit=true",
    "username=guest&password=abcd; echo hacked > /tmp/hack.txt&submit=true",

    # No Attack (Control Cases)
    "username=kiannaquines&password=password@0987689&is_admin=false&submit=true",
    "username=johndoe&password=securepassword123&submit=true",
    "username=alice&password=alice123&is_admin=false&submit=true",
    
    # Base64 Encoded (Valid)
    "username=alice&password=alice123&is_admin=false&submit=VkZaU1drMUZNVlZYYlRGaFVqRnNNRlJXWkZwTmF6VTFUVVJDVDJGcmEzbFVSbVJIWVRBMVZWUllVbUZpVmxZMFZHdFNRbVZyTlhGWGJXeFFVakZhY0E9PQ==",
    "username=alice&password=YWxpY2U6MTIzNDU2Nzg5&submit=true",

    # Path Traversal
    "username=admin&password=admin&submit=true&file=../../../../etc/passwd",
    "username=user&password=pass&file=../../../../../../../windows/system32/cmd.exe",
    "img_path=../../../../../../etc/passwd",

    # Valid Path
    "image_path=/images/profile.png",
    "image_path=/images/profile.png",
    "image_path=/assets/logo.svg",
    "image_path=/uploads/user123/avatar.jpg",    
    "api_path=/api/v1/users",
    "api_path=/api/v1/users/123",
    "api_path=/api/v1/posts?limit=10&page=2",
    "api_path=/api/v1/auth/login",    
    "page_path=/home",
    "page_path=/about",
    "page_path=/contact",
    "page_path=/dashboard",
    "action_path=/user/settings",
    "action_path=/user/profile",
    "action_path=/user/notifications",
    "action_path=/user/logout",
    "product_path=/products/item123",
    "product_path=/shop/categories/electronics",
    "cart_path=/cart/checkout",
    "order_path=/orders/98765",
    "blog_path=/blog/how-to-secure-your-app",
    "blog_path=/news/latest-updates",
    "docs_path=/docs/getting-started",
    "help_path=/help/faqs",
    "admin_path=/admin/dashboard",
    "admin_path=/admin/users",
    "admin_path=/admin/settings",
    "search_path=/search?q=nextjs+authentication",
    "filter_path=/products?category=shoes&price_range=50-100",
    "/api/users",             
    "/api/users/123",            
    "/api/users/123/profile",   
    "/api/users/123/settings",   
    "/api/auth/login",          
    "/api/auth/register",        
    "/api/auth/logout",         
    "/api/auth/refresh-token",   
    "/api/products",              
    "/api/products/456",          
    "/api/products/categories",   
    "/api/products?category=electronics&sort=price_desc",  
    "/api/cart",                  
    "/api/cart/add",              
    "/api/cart/remove",           
    "/api/orders",                
    "/api/orders/789",            
    "/api/orders/789/status",     
    "/api/blog",                
    "/api/blog/555",             
    "/api/blog/categories",     
    "/api/blog/author/123",     
    "/api/admin/dashboard",      
    "/api/admin/users",         
    "/api/admin/orders",         
    "/api/admin/products",      
    "/api/search?q=laptop",     
    "/api/search/users?q=johndoe", 
    "/api/search/products?q=smartphone",  
    "/api/notifications",       
    "/api/settings",            
    "/api/version",              
    "/api/status",            
]

result = waf.predict(payloads)

["username=admin' OR '1'='1&password=pass&submit=true", "username=kiannaquines&password=password@1234&is_admin=true&submit=true' OR '1' = '1 --", "username=admin' OR '1'='1' -- &password=pass&submit=true", "username=admin' UNION SELECT null, username, password FROM users -- &password=pass&submit=true", "username=admin' AND 1=CONVERT(int, (SELECT @@version)) -- &password=pass&submit=true", "username=admin' AND (SELECT COUNT(*) FROM users) > 0 -- &password=pass&submit=true", "username=kiannaquines&password=<script>alert('XSS')</script>&submit=true", "username=test&password=<svg/onload=alert('XSS')>&submit=true", 'username=attacker&password=" onmouseover=alert(\'XSS\')&submit=true', "username=<img src=x onerror=alert('XSS')>&password=test&submit=true", 'username=kiannaquines&password=password@1234567890&is_admin=true&submit=true; rm -rf /', 'username=root&password=password&submit=true; ls -la', 'username=admin&password=pass&submit=true; cat /etc/passwd', 'username=test&password=1234 | who

In [107]:
print("Prediction:", result)

Prediction: ['sqli' 'sqli' 'sqli' 'sqli' 'sqli' 'sqli' 'xss' 'xss' 'xss' 'xss' 'cmdi'
 'valid' 'cmdi' 'valid' 'cmdi' 'valid' 'valid' 'valid' 'valid' 'valid'
 'path-traversal' 'path-traversal' 'path-traversal' 'valid' 'valid'
 'valid' 'valid' 'valid' 'valid' 'valid' 'valid' 'valid' 'valid' 'valid'
 'valid' 'valid' 'valid' 'valid' 'valid' 'valid' 'valid' 'valid' 'valid'
 'valid' 'valid' 'valid' 'valid' 'valid' 'valid' 'valid' 'valid' 'valid']
