The latest articles on DEV Community by mrtc0 (@mrtc0). https://dev.to/mrtc0 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F43274%2Fa79a06a0-ed81-4d96-9a98-fa7e4211b78f.jpg https://dev.to/mrtc0 en mrtc0 Sun, 05 Jan 2025 11:20:00 +0000 https://dev.to/mrtc0/introduction-to-waffle-in-app-waf-for-go-applications-90d https://dev.to/mrtc0/introduction-to-waffle-in-app-waf-for-go-applications-90d <h1> Introduction </h1> <p>Web Application Firewalls (WAF) have long been a standard security solution for protecting web applications. Cloud-based WAFs like AWS WAF and Cloudflare WAF are particularly popular due to their ease of implementation. However, they come with several challenges:</p> <ul> <li>Limited understanding of application context</li> <li>High rate of false positives</li> <li>Restricted custom logic implementation</li> </ul> <p>To address these challenges, a new approach called In-app WAF or RASP (Runtime Application Self-Protection) has been gaining attention.</p> <p>In this post, I'll introduce <a href="https://sitebatch.github.io/waffle-website" rel="noopener noreferrer">Waffle</a>, a library for integrating In-app WAF capabilities into Go web applications.</p> <ul> <li><a href="https://sitebatch.github.io/waffle-website" rel="noopener noreferrer">https://sitebatch.github.io/waffle-website</a></li> <li><a href="https://github.com/sitebatch/waffle-go" rel="noopener noreferrer">https://github.com/sitebatch/waffle-go</a></li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fncy849oj8xhn0ks8vkm0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fncy849oj8xhn0ks8vkm0.png" alt="Waffle Document Page" width="800" height="690"></a></p> <h1> What is In-app WAF / RASP? </h1> <p>In-app WAF/RASP is not meant to replace existing cloud WAFs but rather to complement them by embedding WAF functionality directly into your application for enhanced protection.<br> It can handle common web application attacks like SQL injection and XSS, as well as application business logic attacks such as credential stuffing and brute force attempts.</p> <p>The key advantage is accurate detection and prevention through complete request context awareness.</p> <p>Consider this HTTP request for creating a blog post:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>POST /blog/post HTTP/1.1 ... { "title": "What is SQL ?" "body": "SQL example code: `SELECT * FROM users` ..." } </code></pre> </div> <p>If your application uses placeholders to safely construct SQL statements, SQL injection isn't possible. However, cloud-based WAFs that rely on pattern matching would block this request because it contains suspicious SQL-like patterns (the string <code>SELECT * FROM</code> raises SQL injection concerns).</p> <p>Developers often find themselves tediously adjusting parameters, endpoints, or WAF rules to reduce these false positives. What a cumbersome task!</p> <p>In contrast, In-app WAF / RASP understands the request context. It recognizes when placeholders aren't being used and only blocks attacks when "SQL injection is actually possible." This context-aware approach results in fewer false positives and can even help mitigate zero-day vulnerabilities.</p> <h1> Implementing In-App WAF / RASP with Waffle in Go Applications </h1> <p><a href="https://sitebatch.github.io/waffle-website" rel="noopener noreferrer">Waffle</a> is a library that enables In-App WAF / RASP functionality in Go web applications.</p> <p>Let's see how to integrate Waffle into your application and how it prevents attacks.</p> <h2> Example Application </h2> <p>While this example uses the standard library's <code>net/http</code>, Waffle also supports other libraries like Gin and GORM.<br> For more details, check out the <a href="https://sitebatch.github.io/waffle-website/guides/support-libraries" rel="noopener noreferrer">Supported Libraries</a> documentation.</p> <p>The following application has a SQL injection vulnerability in the <code>/login</code> endpoint:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">main</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"context"</span> <span class="s">"database/sql"</span> <span class="s">"fmt"</span> <span class="s">"net/http"</span> <span class="n">_</span> <span class="s">"github.com/mattn/go-sqlite3"</span> <span class="p">)</span> <span class="k">var</span> <span class="n">database</span> <span class="o">*</span><span class="n">sql</span><span class="o">.</span><span class="n">DB</span> <span class="k">func</span> <span class="n">init</span><span class="p">()</span> <span class="p">{</span> <span class="n">setupDB</span><span class="p">()</span> <span class="p">}</span> <span class="k">func</span> <span class="n">newHTTPHandler</span><span class="p">()</span> <span class="n">http</span><span class="o">.</span><span class="n">Handler</span> <span class="p">{</span> <span class="n">mux</span> <span class="o">:=</span> <span class="n">http</span><span class="o">.</span><span class="n">NewServeMux</span><span class="p">()</span> <span class="n">mux</span><span class="o">.</span><span class="n">Handle</span><span class="p">(</span><span class="s">"/login"</span><span class="p">,</span> <span class="n">http</span><span class="o">.</span><span class="n">HandlerFunc</span><span class="p">(</span><span class="n">loginController</span><span class="p">))</span> <span class="k">return</span> <span class="n">mux</span> <span class="p">}</span> <span class="k">func</span> <span class="n">main</span><span class="p">()</span> <span class="p">{</span> <span class="n">srv</span> <span class="o">:=</span> <span class="o">&amp;</span><span class="n">http</span><span class="o">.</span><span class="n">Server</span><span class="p">{</span> <span class="n">Addr</span><span class="o">:</span> <span class="s">":8000"</span><span class="p">,</span> <span class="n">Handler</span><span class="o">:</span> <span class="n">newHTTPHandler</span><span class="p">(),</span> <span class="p">}</span> <span class="n">srv</span><span class="o">.</span><span class="n">ListenAndServe</span><span class="p">()</span> <span class="p">}</span> <span class="k">func</span> <span class="n">loginController</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="n">email</span> <span class="o">:=</span> <span class="n">r</span><span class="o">.</span><span class="n">FormValue</span><span class="p">(</span><span class="s">"email"</span><span class="p">)</span> <span class="n">password</span> <span class="o">:=</span> <span class="n">r</span><span class="o">.</span><span class="n">FormValue</span><span class="p">(</span><span class="s">"password"</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">login</span><span class="p">(</span><span class="n">r</span><span class="o">.</span><span class="n">Context</span><span class="p">(),</span> <span class="n">email</span><span class="p">,</span> <span class="n">password</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">http</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">err</span><span class="o">.</span><span class="n">Error</span><span class="p">(),</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusInternalServerError</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="n">w</span><span class="o">.</span><span class="n">Write</span><span class="p">([]</span><span class="kt">byte</span><span class="p">(</span><span class="s">"Login success"</span><span class="p">))</span> <span class="p">}</span> <span class="k">func</span> <span class="n">login</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">email</span><span class="p">,</span> <span class="n">password</span> <span class="kt">string</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="c">// ⚠️ SQL INJECTION VULNERABILITY</span> <span class="n">rows</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">database</span><span class="o">.</span><span class="n">QueryContext</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span><span class="s">"SELECT * FROM users WHERE email = '%s' AND password = '%s'"</span><span class="p">,</span> <span class="n">email</span><span class="p">,</span> <span class="n">password</span><span class="p">))</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">err</span> <span class="p">}</span> <span class="k">defer</span> <span class="n">rows</span><span class="o">.</span><span class="n">Close</span><span class="p">()</span> <span class="k">if</span> <span class="o">!</span><span class="n">rows</span><span class="o">.</span><span class="n">Next</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"invalid email or password"</span><span class="p">)</span> <span class="p">}</span> <span class="c">// do something</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> <span class="k">func</span> <span class="n">setupDB</span><span class="p">()</span> <span class="p">{</span> <span class="n">db</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">sql</span><span class="o">.</span><span class="n">Open</span><span class="p">(</span><span class="s">"sqlite3"</span><span class="p">,</span> <span class="s">"file::memory:?cache=shared"</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="nb">panic</span><span class="p">(</span><span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">if</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">db</span><span class="o">.</span><span class="n">Exec</span><span class="p">(</span><span class="s">"CREATE TABLE users(id int, email text, password text);"</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="nb">panic</span><span class="p">(</span><span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">if</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">db</span><span class="o">.</span><span class="n">Exec</span><span class="p">(</span><span class="s">"INSERT INTO users(id, email, password) VALUES(1, 'user@example.com', 'password');"</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="nb">panic</span><span class="p">(</span><span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="n">database</span> <span class="o">=</span> <span class="n">db</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>go run <span class="nb">.</span> <span class="c"># SQL injection attack</span> <span class="nv">$ </span>curl <span class="nt">-i</span> <span class="nt">-X</span> POST <span class="s1">'http://localhost:8000/login'</span> <span class="se">\</span> <span class="nt">--data</span> <span class="s2">"email=user@example.com' OR 1=1--&amp;password="</span> HTTP/1.1 200 OK Date: Sun, 05 Jan 2025 10:32:50 GMT Content-Length: 13 Content-Type: text/plain<span class="p">;</span> <span class="nv">charset</span><span class="o">=</span>utf-8 Login success </code></pre> </div> <h2> Integrating Waffle to prevent SQL injection </h2> <p>Let's integrate Waffle to prevent SQL injection:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>go get github.com/sitebatch/waffle-go </code></pre> </div> <p>Modify <code>main.go</code> as follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">main</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"context"</span> <span class="s">"database/sql"</span> <span class="s">"errors"</span> <span class="s">"fmt"</span> <span class="s">"net/http"</span> <span class="s">"github.com/sitebatch/waffle-go"</span> <span class="s">"github.com/sitebatch/waffle-go/action"</span> <span class="n">waffleSQL</span> <span class="s">"github.com/sitebatch/waffle-go/contrib/database/sql"</span> <span class="n">waffleHTTP</span> <span class="s">"github.com/sitebatch/waffle-go/contrib/net/http"</span> <span class="n">_</span> <span class="s">"github.com/mattn/go-sqlite3"</span> <span class="p">)</span> <span class="k">var</span> <span class="n">database</span> <span class="o">*</span><span class="n">sql</span><span class="o">.</span><span class="n">DB</span> <span class="k">func</span> <span class="n">init</span><span class="p">()</span> <span class="p">{</span> <span class="n">setupDB</span><span class="p">()</span> <span class="p">}</span> <span class="k">func</span> <span class="n">newHTTPHandler</span><span class="p">()</span> <span class="n">http</span><span class="o">.</span><span class="n">Handler</span> <span class="p">{</span> <span class="n">mux</span> <span class="o">:=</span> <span class="n">http</span><span class="o">.</span><span class="n">NewServeMux</span><span class="p">()</span> <span class="n">mux</span><span class="o">.</span><span class="n">Handle</span><span class="p">(</span><span class="s">"/login"</span><span class="p">,</span> <span class="n">http</span><span class="o">.</span><span class="n">HandlerFunc</span><span class="p">(</span><span class="n">loginController</span><span class="p">))</span> <span class="n">handler</span> <span class="o">:=</span> <span class="n">waffleHTTP</span><span class="o">.</span><span class="n">WafMiddleware</span><span class="p">(</span><span class="n">mux</span><span class="p">)</span> <span class="k">return</span> <span class="n">handler</span> <span class="p">}</span> <span class="k">func</span> <span class="n">main</span><span class="p">()</span> <span class="p">{</span> <span class="n">srv</span> <span class="o">:=</span> <span class="o">&amp;</span><span class="n">http</span><span class="o">.</span><span class="n">Server</span><span class="p">{</span> <span class="n">Addr</span><span class="o">:</span> <span class="s">":8000"</span><span class="p">,</span> <span class="n">Handler</span><span class="o">:</span> <span class="n">newHTTPHandler</span><span class="p">(),</span> <span class="p">}</span> <span class="c">// Start waffle with debug mode</span> <span class="n">waffle</span><span class="o">.</span><span class="n">Start</span><span class="p">(</span><span class="n">waffle</span><span class="o">.</span><span class="n">WithDebug</span><span class="p">())</span> <span class="n">srv</span><span class="o">.</span><span class="n">ListenAndServe</span><span class="p">()</span> <span class="p">}</span> <span class="k">func</span> <span class="n">loginController</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="n">email</span> <span class="o">:=</span> <span class="n">r</span><span class="o">.</span><span class="n">FormValue</span><span class="p">(</span><span class="s">"email"</span><span class="p">)</span> <span class="n">password</span> <span class="o">:=</span> <span class="n">r</span><span class="o">.</span><span class="n">FormValue</span><span class="p">(</span><span class="s">"password"</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">login</span><span class="p">(</span><span class="n">r</span><span class="o">.</span><span class="n">Context</span><span class="p">(),</span> <span class="n">email</span><span class="p">,</span> <span class="n">password</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">var</span> <span class="n">actionErr</span> <span class="o">*</span><span class="n">action</span><span class="o">.</span><span class="n">BlockError</span> <span class="k">if</span> <span class="n">errors</span><span class="o">.</span><span class="n">As</span><span class="p">(</span><span class="n">err</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">actionErr</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">}</span> <span class="n">http</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">err</span><span class="o">.</span><span class="n">Error</span><span class="p">(),</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusInternalServerError</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="n">w</span><span class="o">.</span><span class="n">Write</span><span class="p">([]</span><span class="kt">byte</span><span class="p">(</span><span class="s">"Login success"</span><span class="p">))</span> <span class="p">}</span> <span class="k">func</span> <span class="n">login</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">email</span><span class="p">,</span> <span class="n">password</span> <span class="kt">string</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="c">// ⚠️ SQL INJECTION VULNERABILITY</span> <span class="n">rows</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">database</span><span class="o">.</span><span class="n">QueryContext</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span><span class="s">"SELECT * FROM users WHERE email = '%s' AND password = '%s'"</span><span class="p">,</span> <span class="n">email</span><span class="p">,</span> <span class="n">password</span><span class="p">))</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">err</span> <span class="p">}</span> <span class="k">defer</span> <span class="n">rows</span><span class="o">.</span><span class="n">Close</span><span class="p">()</span> <span class="k">if</span> <span class="o">!</span><span class="n">rows</span><span class="o">.</span><span class="n">Next</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"invalid email or password"</span><span class="p">)</span> <span class="p">}</span> <span class="c">// do something</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> <span class="k">func</span> <span class="n">setupDB</span><span class="p">()</span> <span class="p">{</span> <span class="n">db</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">waffleSQL</span><span class="o">.</span><span class="n">Open</span><span class="p">(</span><span class="s">"sqlite3"</span><span class="p">,</span> <span class="s">"file::memory:?cache=shared"</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="nb">panic</span><span class="p">(</span><span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">if</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">db</span><span class="o">.</span><span class="n">Exec</span><span class="p">(</span><span class="s">"CREATE TABLE users(id int, email text, password text);"</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="nb">panic</span><span class="p">(</span><span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">if</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">db</span><span class="o">.</span><span class="n">Exec</span><span class="p">(</span><span class="s">"INSERT INTO users(id, email, password) VALUES(1, 'user@example.com', 'password');"</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="nb">panic</span><span class="p">(</span><span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="n">database</span> <span class="o">=</span> <span class="n">db</span> <span class="p">}</span> </code></pre> </div> <p>The changes are minimal:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight diff"><code><span class="gh">diff --git a/main.go b/main.go index 90b8197..9fefb06 100644 </span><span class="gd">--- a/main.go </span><span class="gi">+++ b/main.go </span><span class="p">@@ -3,9 +3,15 @@</span> package main import ( "context" "database/sql" <span class="gi">+ "errors" </span> "fmt" "net/http" <span class="err"> </span><span class="gi">+ "github.com/sitebatch/waffle-go" + "github.com/sitebatch/waffle-go/action" + waffleSQL "github.com/sitebatch/waffle-go/contrib/database/sql" + waffleHTTP "github.com/sitebatch/waffle-go/contrib/net/http" + </span> _ "github.com/mattn/go-sqlite3" ) <span class="err"> </span><span class="p">@@ -19,7 +25,9 @@</span> func newHTTPHandler() http.Handler { mux := http.NewServeMux() mux.Handle("/login", http.HandlerFunc(loginController)) <span class="err"> </span><span class="gd">- return mux </span><span class="gi">+ handler := waffleHTTP.WafMiddleware(mux) + + return handler </span> } <span class="err"> </span> func main() { <span class="p">@@ -28,6 +36,9 @@</span> func main() { Handler: newHTTPHandler(), } <span class="err"> </span><span class="gi">+ // Start waffle with debug mode + waffle.Start(waffle.WithDebug()) + </span> srv.ListenAndServe() } <span class="err"> </span><span class="p">@@ -36,6 +47,11 @@</span> func loginController(w http.ResponseWriter, r *http.Request) { password := r.FormValue("password") <span class="err"> </span> if err := login(r.Context(), email, password); err != nil { <span class="gi">+ var actionErr *action.BlockError + if errors.As(err, &amp;actionErr) { + return + } + </span> http.Error(w, err.Error(), http.StatusInternalServerError) return } <span class="p">@@ -60,7 +76,7 @@</span> func login(ctx context.Context, email, password string) error { } <span class="err"> </span> func setupDB() { <span class="gd">- db, err := sql.Open("sqlite3", "file::memory:?cache=shared") </span><span class="gi">+ db, err := waffleSQL.Open("sqlite3", "file::memory:?cache=shared") </span> if err != nil { panic(err) } </code></pre> </div> <p>Now when we try a SQL injection attack, Waffle blocks it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>curl <span class="nt">-i</span> <span class="nt">-X</span> POST <span class="s1">'http://localhost:8000/login'</span> <span class="se">\</span> <span class="nt">--data</span> <span class="s2">"email=user@example.com' OR 1=1--&amp;password="</span> <span class="nt">-i</span> HTTP/1.1 403 Forbidden Date: Sun, 05 Jan 2025 10:38:22 GMT Content-Length: 1574 Content-Type: text/html<span class="p">;</span> <span class="nv">charset</span><span class="o">=</span>utf-8 &lt;<span class="o">!</span>DOCTYPE html&gt; &lt;html <span class="nv">lang</span><span class="o">=</span><span class="s2">"en"</span><span class="o">&gt;</span> &lt;<span class="nb">head</span><span class="o">&gt;</span> &lt;meta <span class="nv">charset</span><span class="o">=</span><span class="s2">"UTF-8"</span><span class="o">&gt;</span> &lt;meta <span class="nv">name</span><span class="o">=</span><span class="s2">"viewport"</span> <span class="nv">content</span><span class="o">=</span><span class="s2">"width=device-width, initial-scale=1.0"</span><span class="o">&gt;</span> &lt;title&gt;Access Denied&lt;/title&gt; </code></pre> </div> <p>This HTML is the error message returned by default by waffle and looks like this:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvvrczycdzrd2qgt5zd9r.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvvrczycdzrd2qgt5zd9r.png" width="800" height="505"></a></p> <h2> If using placeholders: </h2> <p>When using placeholders, Waffle recognizes that SQL injection isn't possible and won't block the request:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight diff"><code># Fix SQL injection vulnerability <span class="gh">diff --git a/main.go </span><span class="p">b/main.go </span><span class="gh">index 9fefb06..5b482f2 100644 </span><span class="gd">--- a/main.go </span><span class="gi">+++ b/main.go </span><span class="p">@@ -60,7 +60,7 @@</span> func loginController(w http.ResponseWriter, r *http.Request) { } <span class="err"> </span> func login(ctx context.Context, email, password string) error { <span class="gd">- rows, err := database.QueryContext(ctx, fmt.Sprintf("SELECT * FROM users WHERE email = '%s' AND password = '%s'", email, password)) </span><span class="gi">+ rows, err := database.QueryContext(ctx, "SELECT * FROM users WHERE email = ? AND password = ?", email, password) </span> if err != nil { return err } </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Waffle won't block the request since SQL injection isn't possible</span> <span class="nv">$ </span>curl <span class="nt">-i</span> <span class="nt">-X</span> POST <span class="s1">'http://localhost:8000/login'</span> <span class="se">\</span> <span class="nt">--data</span> <span class="s2">"email=user@example.com' OR 1=1--&amp;password="</span> HTTP/1.1 500 Internal Server Error Content-Type: text/plain<span class="p">;</span> <span class="nv">charset</span><span class="o">=</span>utf-8 X-Content-Type-Options: nosniff Date: Sun, 05 Jan 2025 10:49:05 GMT Content-Length: 26 invalid email or password </code></pre> </div> <p>Note that even in this case, Waffle can still detect attempted SQL injection like a cloud-based WAF (though it won't block it):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># on application logs ... time=2025-01-05T19:49:05.418+09:00 level=INFO msg="[waffle] Threat detected: detected sql injection payload: SQLi detected" ruleID=sql-injection-attempts inspector=libinjection_sqli clientIP=[::1]:58614 url=http://localhost:8000/login </code></pre> </div> <h1> Attacks Detected and Prevented by Waffle </h1> <p>While we've demonstrated SQL injection prevention, Waffle can detect and prevent various attacks:</p> <ul> <li>Reconnaissance by known security scanners</li> <li>Directory traversal</li> <li>XSS</li> <li>SQL injection</li> <li>Sensitive file access</li> <li>SSRF</li> <li>Account takeover</li> </ul> <p>For more details, check out the <a href="https://sitebatch.github.io/waffle-website/rules/rules-list" rel="noopener noreferrer">Rule List</a> documentation.</p> <p>Rules are continuously updated, and contributions are welcome.</p> <h1> Conclusion </h1> <p>By integrating Waffle into your application, you can accurately detect and prevent attacks.</p> <p>For framework-specific implementation guides and detailed usage instructions, refer to the Guides section in the <a href="https://sitebatch.github.io/waffle-website" rel="noopener noreferrer">documentation</a>.</p> <p>Waffle is under active development. We welcome feedback and contributions.</p> <ul> <li><a href="https://github.com/sitebatch/waffle-go" rel="noopener noreferrer">https://github.com/sitebatch/waffle-go</a></li> </ul> go security waf tutorial mrtc0 Wed, 03 Nov 2021 15:31:45 +0000 https://dev.to/mrtc0/how-to-prevent-data-exfiltration-with-ebpf-364n https://dev.to/mrtc0/how-to-prevent-data-exfiltration-with-ebpf-364n <p>Restricting server network connections is one of the security best practices. Supply chain attacks on software and SSRF are hot topics, so there is a need to monitor and block unintended network access.</p> <p>However, traditional firewalls (such as iptables and more), are not flexible enough. For example, there are cases where you want to restrict communication only from CI or the container environment where the application is running.</p> <p>In this article, I will introduce <a href="https://github.com/mrtc0/bouheki">bouheki</a>, a tool that blocks data exfiltration by supply chain attacks and SSRF.</p> <h2> KRSI (LSM + eBPF) </h2> <p>KRSI is a mechanism to apply MAC / Audit Policy by LSM and eBPF.<br> By using this, you can control communication on a per-process basis using eBPF.<br> For example, the following BPF program can block a connection if the destination IP address is included in the denylist.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="n">SEC</span><span class="p">(</span><span class="s">"lsm/socket_connect"</span><span class="p">)</span> <span class="kt">int</span> <span class="nf">BPF_PROG</span><span class="p">(</span><span class="n">socket_connect</span><span class="p">,</span> <span class="k">struct</span> <span class="n">socket</span> <span class="o">*</span><span class="n">sock</span><span class="p">,</span> <span class="k">struct</span> <span class="n">sockaddr</span> <span class="o">*</span><span class="n">address</span><span class="p">,</span> <span class="kt">int</span> <span class="n">addrlen</span><span class="p">)</span> <span class="p">{</span> <span class="k">struct</span> <span class="n">sockaddr_in</span> <span class="o">*</span><span class="n">inet_addr</span> <span class="o">=</span> <span class="p">(</span><span class="k">struct</span> <span class="n">sockaddr_in</span><span class="o">*</span><span class="p">)</span><span class="n">address</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span><span class="n">bpf_map_lookup_elem</span><span class="p">(</span><span class="o">&amp;</span><span class="n">denylist</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">inet_addr</span><span class="o">-&gt;</span><span class="n">sin_addr</span><span class="p">))</span> <span class="k">return</span> <span class="o">-</span><span class="n">EPERM</span><span class="p">;</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>This is very exciting!</p> <p>This means that you can filter by command name, UID or GID, and whether it is a container or not.</p> <h2> bouheki </h2> <p><a href="https://github.com/mrtc0/bouheki">https://github.com/mrtc0/bouheki</a></p> <p><a href="https://github.com/mrtc0/bouheki">bouheki</a> is tool for preventing data exfiltration with KRSI. </p> <p>bouheki has the following features:</p> <ul> <li>While firewalls such as iptables apply to the entire machine, bouheki can be restricted on a per-container or per-process basis.</li> <li>bouheki does not restrict ingress, only egress.</li> </ul> <p>bouheki is configured in YAML. For example, the following configuration would apply the following policy:</p> <ul> <li>Only allow access to <code>10.0.1.1/24</code>, but block access to <code>10.0.1.71</code> </li> <li>Blocks only communication from the container, but allows communication from host. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">network</span><span class="pi">:</span> <span class="c1"># Block or monitor the network.</span> <span class="c1"># If block is specified, communication that matches the policy will be blocked.</span> <span class="na">mode</span><span class="pi">:</span> <span class="s">block</span> <span class="c1"># Restriction to the whole host or to a container</span> <span class="c1"># If a container is specified, only the container's communication will be restricted.</span> <span class="c1"># This is determined by the value of namespace</span> <span class="na">target</span><span class="pi">:</span> <span class="s">container</span> <span class="na">cidr</span><span class="pi">:</span> <span class="na">allow</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">10.0.1.1/24</span> <span class="na">deny</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">10.0.1.71/32</span> </code></pre> </div> <p>Let's try this.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">sudo</span> ./bouheki <span class="nt">-config</span> config/container.yaml </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Access 10.0.1.1 from the container. $ docker run --rm curlimages/curl:latest -s -I http://10.0.1.1 HTTP/1.1 301 Moved Permanently 👈 Location: https://10.0.1.1:443/ Date: Sun, 26 Sep 2021 13:21:36 GMT Server: Server # Cannot connect to 10.0.1.71 from containers $ docker run --rm curlimages/curl:latest http://10.0.1.71 curl: (7) Couldn't connect to server 👈 # The host can connect to 10.0.1.71 $ curl -I -s 10.0.1.71 HTTP/1.1 301 Moved Permanently 👈 Date: Sun, 26 Sep 2021 13:23:10 GMT Location: https://10.0.1.71/ Connection: close Content-Type: text/html Content-Length: 56 </code></pre> </div> <p>bouheki's log for then:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"BLOCKED"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Addr"</span><span class="p">:</span><span class="w"> </span><span class="s2">"10.0.1.71"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Comm"</span><span class="p">:</span><span class="w"> </span><span class="s2">"curl"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Hostname"</span><span class="p">:</span><span class="w"> </span><span class="s2">"cdb99d181368"</span><span class="p">,</span><span class="w"> </span><span class="nl">"PID"</span><span class="p">:</span><span class="w"> </span><span class="mi">936350</span><span class="p">,</span><span class="w"> </span><span class="nl">"Port"</span><span class="p">:</span><span class="w"> </span><span class="mi">80</span><span class="p">,</span><span class="w"> </span><span class="nl">"level"</span><span class="p">:</span><span class="w"> </span><span class="s2">"info"</span><span class="p">,</span><span class="w"> </span><span class="nl">"msg"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Traffic is trapped in the filter."</span><span class="p">,</span><span class="w"> </span><span class="nl">"time"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2021-09-26T13:21:58Z"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>bouheki can also be filtered by command, UID, and more.</p> <p><strong>A policy that restricts <code>curl</code> connections</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">network</span><span class="pi">:</span> <span class="na">mode</span><span class="pi">:</span> <span class="s">block</span> <span class="na">target</span><span class="pi">:</span> <span class="s">host</span> <span class="na">cidr</span><span class="pi">:</span> <span class="na">allow</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">0.0.0.0/0</span> <span class="na">deny</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">93.184.216.34/32</span> <span class="na">command</span><span class="pi">:</span> <span class="na">allow</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">wget'</span> <span class="na">deny</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">curl'</span> <span class="na">log</span><span class="pi">:</span> <span class="na">format</span><span class="pi">:</span> <span class="s">json</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ sudo ./bouheki -config testdata/command_deny.yml ... $ curl 93.184.216.34 curl: (7) Couldn't connect to server 👈 $ wget 93.184.216.34/index.html --2021-09-26 13:31:38-- http://93.184.216.34/index.html Connecting to 93.184.216.34:80... connected. 👈 HTTP request sent, awaiting response... 200 OK Length: 94 [text/html] Saving to: ‘index.html’ index.html 100%[==========================================================&gt;] 94 --.-KB/s in 0s 2021-09-26 13:31:39 (17.5 MB/s) - ‘index.html’ saved [94/94] </code></pre> </div> <p><strong>Policy that <code>UID 0</code> can be connected, but <code>UID 1000</code> cannot be connected</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">network</span><span class="pi">:</span> <span class="na">mode</span><span class="pi">:</span> <span class="s">block</span> <span class="na">target</span><span class="pi">:</span> <span class="s">host</span> <span class="na">cidr</span><span class="pi">:</span> <span class="na">allow</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">0.0.0.0/0</span> <span class="na">deny</span><span class="pi">:</span> <span class="pi">[]</span> <span class="na">uid</span><span class="pi">:</span> <span class="na">allow</span><span class="pi">:</span> <span class="pi">-</span> <span class="m">0</span> <span class="na">deny</span><span class="pi">:</span> <span class="pi">-</span> <span class="m">1000</span> <span class="na">log</span><span class="pi">:</span> <span class="na">format</span><span class="pi">:</span> <span class="s">json</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ curl 93.184.216.34 curl: (7) Couldn't connect to server 👈 $ sudo curl http://93.184.216.34 ... &lt;?xml version="1.0" encoding="iso-8859-1"?&gt; 👈 ... </code></pre> </div> <h2> Conclusion </h2> <p>KRSI is very exciting! Not only can you restrict the network, but you can also restrict system calls, which provides very strong security.</p> <p>bouheki is tool for preventing data exfiltration with KRSI. Feedback is welcome!</p> <h2> References </h2> <ul> <li><a href="https://www.kernel.org/doc/html/latest/bpf/bpf_lsm.html">https://www.kernel.org/doc/html/latest/bpf/bpf_lsm.html</a></li> <li><a href="https://archive.fosdem.org/2020/schedule/event/security_kernel_runtime_security_instrumentation/attachments/slides/3842/export/events/attachments/security_kernel_runtime_security_instrumentation/slides/3842/Kernel_Runtime_Security_Instrumentation.pdf">https://archive.fosdem.org/2020/schedule/event/security_kernel_runtime_security_instrumentation/attachments/slides/3842/export/events/attachments/security_kernel_runtime_security_instrumentation/slides/3842/Kernel_Runtime_Security_Instrumentation.pdf</a></li> <li><a href="https://goteleport.com/blog/preventing-data-exfiltration-with-ebpf/">https://goteleport.com/blog/preventing-data-exfiltration-with-ebpf/</a></li> <li><a href="https://kinvolk.io/blog/2021/04/extending-systemd-security-features-with-ebpf/">https://kinvolk.io/blog/2021/04/extending-systemd-security-features-with-ebpf/</a></li> </ul> ebpf security