Security researchers, bug bounty hunters, and red/blue teamers often need to capture exploit attempts and 0‑day POCs hitting their websites. One effective method is to deploy a lightweight fingerprint web service, place it behind a WAF, and then observe the attack logs.
This guide walks you through how to:
- Build a simple Flask fingerprint website
- Run it in the background
- Deploy SafeLine WAF
- Capture attack traffic and extract POCs from WAF logs
1. Building a Flask Fingerprint Website
First, we deploy a small Flask app that returns fingerprint information from a JSON file (finger.json). This can contain tech stack metadata, simulated product fingerprints, mock banners, or custom identifiers — useful for attracting automated exploit scanners.
app.py
```python
from flask import Flask, jsonify
import os
import json

# Directory that holds finger.json
template_dir = os.path.abspath('/opt/www')
app = Flask(__name__, template_folder=template_dir)


@app.route('/')
def index():
    # Re-read the file on every request so edits to finger.json apply immediately
    json_file_path = os.path.join(template_dir, 'finger.json')
    try:
        with open(json_file_path, 'r', encoding='utf-8') as f:
            data = json.load(f)
        return jsonify(data)
    except FileNotFoundError:
        return jsonify({"error": "finger.json file not found"}), 404
    except json.JSONDecodeError:
        return jsonify({"error": "Invalid JSON format"}), 500


if __name__ == '__main__':
    # Bind to loopback only; the WAF reverse proxy is the public entry point
    app.run(debug=False, host='127.0.0.1', port=5000)
```
finger.json
This is fully customizable — add any fingerprints you want attackers to see.
Example:
```json
{
  "product": "ExampleWeb 1.0",
  "build": "2025-01-03",
  "signature": "example-fingerprint"
}
```
2. Running Flask in the Background
Start the app with nohup to keep it running even after logout:
```bash
nohup python3 /var/www/app.py > /var/www/flask_app.log 2>&1 &
```
Stop the Flask service:
```bash
ps aux | grep "python3 /var/www/app.py" | grep -v grep | awk '{print $2}' | xargs kill -9
```
At this point, our fingerprint site is running locally on 127.0.0.1:5000.
3. Installing SafeLine WAF
SafeLine WAF is lightweight, fast, open source, and particularly good for capturing exploit attempts because it logs payloads clearly.
Official site:
https://ly.safepoint.cloud/ShZAy9x
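One‑line installation (3 minutes)
```bash
bash -c "$(curl -fsSLk https://waf-ce.chaitin.cn/release/latest/manager.sh)"
```
Note that the -k flag disables TLS certificate verification for the download, and the script is piped straight into bash. On anything other than a throwaway lab host, fetch manager.sh separately and review it before running it.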
After installation, you can access the SafeLine web console to configure protected sites, view logs, and enable advanced protections.
4. Adding and Protecting the Flask Application
In the SafeLine console:
- Go to Application Management
- Add your domain / server IP
- Point the reverse proxy to your Flask service (127.0.0.1:5000)
- Enable protection rules
SafeLine will now sit in front of the Flask app, filtering and logging all requests.
5. Capturing 0‑Day POCs from WAF Logs
This is where the magic happens.
Once attackers, scanners, or exploit frameworks hit the fingerprint page, SafeLine will:
- Inspect all incoming requests
- Detect malicious patterns
- Log detailed payloads, including:
  - RCE attempts
  - SQL injection payloads
  - Path traversal
  - Deserialization attacks
  - SSRF
  - API fuzzing vectors
  - 0‑day exploitation attempts
Viewing attack logs
Navigate to:
Attack Protection → Attack Logs
Each entry includes:
- Request path
- Headers
- Payload details
- Source IP
- Matched rule
- Raw malicious request (this often includes the POC)
SafeLine becomes an automated collector for:
- Exploit scanners
- Mass exploitation campaigns
- Early‑stage 0‑day probes
- Honeypot intelligence
- Real‑world malicious traffic telemetry
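One way to triage captured entries offline is to group them by request shape, so the same probe arriving from many source IPs stands out. This is an added example, not code from the original post or from SafeLine; the entry field names (src_ip, rule, raw) and the sample records are constructed assumptions, not SafeLine's export schema.

```python
from urllib.parse import parse_qsl

# Constructed sample entries. The field names "src_ip", "rule" and "raw" are
# assumptions for this example, not SafeLine's actual export schema.
SAMPLE_ENTRIES = [
    {"src_ip": "192.0.2.10", "rule": "path-traversal",
     "raw": "GET /download?file=../../etc/passwd HTTP/1.1\r\nHost: lab.example\r\n\r\n"},
    {"src_ip": "198.51.100.7", "rule": "path-traversal",
     "raw": "GET /download?file=../../../etc/hosts HTTP/1.1\r\nHost: lab.example\r\n\r\n"},
    {"src_ip": "203.0.113.5", "rule": "sqli",
     "raw": "POST /login HTTP/1.1\r\nHost: lab.example\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=a' OR 1=1--&pass=x"},
    {"src_ip": "192.0.2.10", "rule": "sqli", "raw": "not an http request"},
]

def parse_raw_request(raw):
    """Split a raw HTTP request into method, target, headers, body; None if malformed."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, _, rest = lines[0].partition(" ")
    target, _, version = rest.rpartition(" ")  # target may itself contain spaces
    if not target or not version.startswith("HTTP/"):
        return None
    parts = (line.partition(":") for line in lines[1:])
    headers = {n.strip().lower(): v.strip() for n, sep, v in parts if sep}
    return {"method": method, "target": target, "headers": headers, "body": body}

def shape_key(req):
    """Describe a request by method, path and parameter names, ignoring the values."""
    path, _, query = req["target"].partition("?")
    names = [k for k, _ in parse_qsl(query, keep_blank_values=True)]
    if req["headers"].get("content-type", "").startswith("application/x-www-form-urlencoded"):
        names += [k for k, _ in parse_qsl(req["body"], keep_blank_values=True)]
    return "|".join([req["method"], path, ",".join(sorted(set(names)))])

def triage(entries):
    """Group entries by shape; return (clusters, most distinct sources first) and unparsed."""
    clusters, unparsed = {}, []
    for e in entries:
        req = parse_raw_request(e["raw"])
        if req is None:
            unparsed.append(e)  # keep malformed requests for manual review
            continue
        shape = shape_key(req)
        c = clusters.setdefault(shape, {"shape": shape, "ips": set(), "rules": set(), "count": 0})
        c["count"] += 1
        c["ips"].add(e["src_ip"])
        c["rules"].add(e["rule"])
    return sorted(clusters.values(), key=lambda c: len(c["ips"]), reverse=True), unparsed
```

Shapes seen from several unrelated sources usually indicate a shared scanner template, while requests that fail to parse are kept aside because malformed requests are often the most interesting ones to read by hand.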
6. Why This Setup Works So Well
✔ Fingerprint sites attract attackers
Many scanners and exploit kits are fingerprint‑driven. They fire payloads automatically when they detect matching signatures.
✔ SafeLine logs complete malicious payloads
Unlike some WAFs that only return redacted logs, SafeLine provides full request bodies, making it ideal for research.
✔ Easy to deploy on any VPS
Good for labs, educational purposes, and real‑world traffic monitoring.
