In this user case study, a security enthusiast demonstrates how SafeLine WAF, a self-hosted Web Application Firewall, can protect vulnerable web applications in a homelab environment. Using a bridged network setup with a Kali Linux attacker machine and an Ubuntu server running WebGoat, the study highlights SafeLine’s real-time protection against common web attacks like XSS, SQL Injection, and HTTP Flood.
The study also covers how to configure custom WAF rules, showing the practical benefits of hands-on firewall management for small labs and home setups.
What is a Web Application Firewall (WAF)?
A WAF monitors and filters HTTP/S traffic between web applications and the Internet. It protects applications from attacks such as:
- Cross-site scripting (XSS)
- SQL Injection (SQLi)
- Remote code execution (RCE)
- HTTP floods and DoS attempts
- Path traversal
- Malicious bots and scraping
Unlike a forward proxy, which sits in front of clients and hides their identity from the servers they visit, a WAF is deployed as a reverse proxy in front of the server: clients connect to the WAF, which inspects each request against its rules and only forwards the ones it allows to the application behind it.
Lab Environment Overview
The lab simulates a realistic internal network:
- Attacker Machine: Kali Linux, IP 192.168.4.61
- Target Machine: Ubuntu Server, IP 192.168.4.59
- Applications: SafeLine WAF + WebGoat (vulnerable web app), both on the target machine
All traffic from the attacker passes through SafeLine, allowing users to observe how the WAF inspects, blocks, and logs malicious activity.
Deploying SafeLine WAF
The study uses automatic deployment on Ubuntu for simplicity:
sudo bash -c "$(curl -fsSLk https://waf.chaitin.com/release/latest/manager.sh)" -- --en
This command:
- Downloads the latest SafeLine Manager script
- Installs all dependencies
- Sets the interface language to English (--en)
- Initializes the WAF environment automatically
Note that -k (--insecure) tells curl to skip TLS certificate verification, so the script is fetched and piped straight into a root shell with no check on where it actually came from. That is acceptable for a throwaway lab, but outside one drop the -k, download the script to a file, read it, and only then run it.
After deployment, SafeLine provides an interactive setup, creates an admin account, and displays the login credentials for the management dashboard.
Adding WebGoat to SafeLine
To protect WebGoat, a hostname entry is created so the attacker machine resolves a clean name to the WAF host instead of hitting a bare IP (the entry goes in /etc/hosts on the client that sends the traffic, i.e. the Kali box):
192.168.4.59 test-webgoat
Once WebGoat is up and a user account has been registered, the app is added to SafeLine through the dashboard:
- Domain: test-webgoat
- Port: 8003 (the port SafeLine listens on; clients must use this port, not WebGoat's own)
- Mode: Reverse proxy
- Upstream: WebGoat server IP and port
- Application Name: WebGoat
SafeLine immediately begins inspecting all traffic that arrives on port 8003, generating logs and alerts. The WAF only sees what is sent to it: if WebGoat's own port stays reachable from the network, an attacker can simply bypass the WAF, so bind WebGoat to localhost or firewall its port so that 8003 is the only way in.
Attack Simulations
XSS (Cross-Site Scripting)
Payload injected into WebGoat:
<script>alert("XSS Test")</script>
SafeLine blocked the malicious request and displayed:
Access Forbidden - Blocked For Attack Detected
The dashboard logged:
- IP Address: 192.168.4.61
- Module: XSS
- Payload: <script>alert("XSS Test")</script>
- Action: Deny
SQL Injection
Classic SQLi payload submitted:
' OR '1'='1
SafeLine intercepted the request before it reached WebGoat, so the injected condition never reached the database. The logs record the SQL Injection detection and the Deny action. This confirms detection of a textbook payload; a fuller test would also try obfuscated variants (comment, case and encoding tricks), since a WAF is a compensating control in front of the application, not a substitute for parameterised queries inside it.
HTTP Flood Protection
Rate-limiting rules were configured:
- Threshold: 3 requests per 10 seconds
- Action: Block for 1 minute
Exceeding the threshold triggered immediate blocking of the source, confirming that the rule mitigates a single-source flood of the kind one attacker machine can generate (a distributed flood from many addresses would need mitigation further upstream). The threshold is deliberately tiny so that a few refreshes from the Kali box trip it; a production value has to be tuned against real traffic or it will block legitimate users.
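The three simulations above are easy to repeat as a script rather than by hand. The following is an added example, not part of the original write-up or of SafeLine: it fires the XSS and SQLi payloads from the study at the WAF listener, classifies each response by SafeLine's 403 block page, and carries an offline model of the 3-requests-per-10-seconds rule so the expected block/allow sequence can be checked without any traffic. The probe path /WebGoat/search and its q parameter are assumptions for illustration; WebGoat's real lesson endpoints differ, so point it at whichever form you were using.

```python
"""Probe a WAF-fronted WebGoat and model the lab's flood rule (added example)."""
from collections import deque
from urllib.error import HTTPError, URLError
from urllib.parse import quote
from urllib.request import Request, urlopen

# Values from the write-up
WAF_HOST = "test-webgoat"
WAF_PORT = 8003
BLOCK_MARKER = "Blocked For Attack Detected"   # text on SafeLine's block page

# Payloads used in the study plus a harmless control request
PROBES = {
    "xss": '<script>alert("XSS Test")</script>',
    "sqli": "' OR '1'='1",
    "benign": "hello",
}


def probe_url(name, payload, host=WAF_HOST, port=WAF_PORT, path="/WebGoat/search"):
    """Build the URL a probe hits. The path and 'q' parameter are assumed, not WebGoat's."""
    return f"http://{host}:{port}{path}?q={quote(payload)}"


def classify(status, body):
    """Map an HTTP response to a verdict: 403 with SafeLine's block text means
    the WAF stopped it; a 2xx/3xx means it reached the upstream; anything else
    (timeout, other error) needs a manual look."""
    if status == 403 and BLOCK_MARKER in body:
        return "blocked"
    if 200 <= status < 400:
        return "passed"
    return "other"


def send(url, timeout=5):
    """Issue one GET and return (status, body). The only networked function here."""
    req = Request(url, headers={"User-Agent": "waf-lab-probe/1.0"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except HTTPError as err:                       # 403 from the WAF lands here
        return err.code, err.read().decode(errors="replace")
    except URLError as err:                        # refused, DNS failure, timeout
        return 0, str(err)


def run_probes(sender=send):
    """Send every probe through the WAF and report name -> verdict.
    `sender` is injectable so the flow can be exercised without a network."""
    return {name: classify(*sender(probe_url(name, p))) for name, p in PROBES.items()}


class FloodRule:
    """Offline model of the lab rule: more than `threshold` requests from one
    source inside a sliding `window` (seconds) bans that source for `block_for`."""

    def __init__(self, threshold=3, window=10.0, block_for=60.0):
        self.threshold, self.window, self.block_for = threshold, window, block_for
        self.hits = {}      # ip -> timestamps inside the current window
        self.banned = {}    # ip -> time the ban expires

    def check(self, ip, ts):
        """Return 'deny' or 'allow' for a request from `ip` at time `ts`."""
        if self.banned.get(ip, -1.0) > ts:
            return "deny"                          # still serving the 1-minute ban
        window = self.hits.setdefault(ip, deque())
        while window and ts - window[0] > self.window:
            window.popleft()                       # drop hits older than 10 s
        window.append(ts)
        if len(window) > self.threshold:           # the 4th hit in 10 s trips it
            self.banned[ip] = ts + self.block_for
            window.clear()
            return "deny"
        return "allow"


if __name__ == "__main__":
    for name, verdict in run_probes().items():
        print(f"{name:7s} {verdict}")
```

Run it from the Kali machine once the hosts entry is in place; "blocked" for xss and sqli with "passed" for benign is the expected result. If a malicious probe comes back "passed", check first that you are really going through port 8003 and not straight to WebGoat.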
Custom IP Blocking
A custom deny rule blocked all traffic from the attacker IP 192.168.4.61. Any requests matching this rule were instantly denied, demonstrating SafeLine’s flexibility in creating tailored security policies.
Monitoring Activity
SafeLine provides real-time dashboards:
- Total requests, page views, unique IPs
- Blocked requests and rate
- Detailed logs of XSS, SQLi, and HTTP Flood events
This allows home lab users to continuously monitor and verify the effectiveness of security policies.
Conclusion
Through this hands-on case study, SafeLine WAF proved to be an effective, self-hosted solution for protecting vulnerable web applications:
- Detected and blocked XSS, SQL Injection, and HTTP Flood attacks
- Allowed custom rule creation for specific threat scenarios
- Offered real-time monitoring and detailed logs
For homelab enthusiasts or small organizations, SafeLine offers an accessible, highly effective WAF that balances usability, control, and security.