WAF & Application Security Lab

Overview

A lab-scale Web Application Firewall (WAF) built on Nginx that demonstrates enterprise application security controls: OWASP Top 10 detection and blocking, custom WAF rule development, TLS/mTLS configuration, and automated security testing. The control set is modeled on the financial-industry requirements applied at organizations such as Wells Fargo.

Architecture

Internet
    │
    ▼
┌─────────────────────────────────────────────┐
│           WAF Layer (Nginx + ModSecurity)    │
│                                              │
│  ┌─────────────────────────────────────┐    │
│  │         WAF Rule Engine              │    │
│  │  - OWASP Core Rule Set (CRS)         │    │
│  │  - Custom financial security rules   │    │
│  │  - Rate limiting                     │    │
│  │  - Geo-blocking                      │    │
│  └─────────────────────────────────────┘    │
└─────────────────────────────────────────────┘
    │
    ▼
┌─────────────────┐
│  Backend App    │
│  (Protected)    │
└─────────────────┘

OWASP Top 10 Controls Implemented

ID   Vulnerability               WAF control
A01  Broken Access Control       Path traversal detection, authorization header validation
A02  Cryptographic Failures      TLS 1.2+ enforced, weak cipher suites blocked
A03  Injection (SQLi, XSS)       Regex signature matching and input sanitization rules
A04  Insecure Design             Security headers, including a Content Security Policy (CSP)
A05  Security Misconfiguration   Server tokens hidden, custom error pages
A06  Vulnerable Components       Version headers removed (limits fingerprinting; does not replace patching)
A07  Auth & Session Failures     Session token validation, brute-force protection via rate limiting
A08  Integrity Failures          Request signature validation
A09  Logging & Monitoring        Structured JSON logging, alert thresholds
A10  SSRF                        Request parameters that target internal IP ranges blocked
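The A01, A03, A09 and A10 rows above all come down to the same mechanism: normalize each request field, run signatures over it, and emit a structured log record for the decision. The following is an added example of that mechanism in Python, not code from this repository; the rule names, the `Request` class, the `INTERNAL_HOSTNAMES` deny-list and the `SAMPLES` traffic are constructed for illustration. The point a practitioner should take from it is the normalizer: without decoding a second layer of percent-encoding and stripping SQL inline comments, `1%2520UNION/**/SELECT` sails past a `union\s+select` signature.

```python
"""Regex-signature WAF decision engine with structured JSON logging.

Added example, not code from drdre4664/WAF_Application_Security_Lab. The rule
names, the Request class and the SAMPLES traffic are constructed for
illustration; the signatures are deliberately narrow and no substitute for the
OWASP Core Rule Set.
"""
import ipaddress
import json
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import parse_qsl, unquote, urlsplit

SIGNATURES = {
    # tautologies such as ' OR '1'='1, UNION-based extraction, stacked DROP TABLE
    "A03-SQLi": re.compile(
        r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+|\bunion\s+(all\s+)?select\b|;\s*drop\s+table", re.I),
    # <script> tags, javascript: URLs and inline event handlers (onerror=, onload=)
    "A03-XSS": re.compile(r"<\s*script|javascript\s*:|\son\w+\s*=\s*\S", re.I),
    # dot-dot-slash with either separator, or a well-known sensitive file
    "A01-PathTraversal": re.compile(r"\.\.[/\\]|/etc/passwd|\\windows\\win\.ini", re.I),
}
INTERNAL_HOSTNAMES = {"localhost", "metadata.google.internal"}  # assumed deny-list


@dataclass
class Request:
    method: str
    path: str
    query: str = ""
    body: str = ""  # application/x-www-form-urlencoded body


def normalize(value: str) -> str:
    """Undo up to two layers of percent-encoding (double-encoding evasion), turn SQL
    inline comments into whitespace and collapse spaces: '1%2520UNION/**/SELECT'
    reaches the signatures as '1 UNION SELECT'."""
    decoded = value
    for _ in range(2):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = re.sub(r"/\*.*?\*/", " ", decoded, flags=re.S)
    return re.sub(r"\s+", " ", decoded)


def ssrf_target(value: str):
    """Reason string if value is a URL whose host is an internal address, else None.
    DNS names are not resolved here: rebinding and decimal/octal IP spellings
    still need an egress-side check."""
    try:
        parts = urlsplit(value)
        host = parts.hostname
    except ValueError:
        return None
    if parts.scheme not in ("http", "https", "ftp", "gopher") or not host:
        return None
    if host in INTERNAL_HOSTNAMES:
        return f"internal hostname {host}"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # a DNS name, not an IP literal
    if any([ip.is_private, ip.is_loopback, ip.is_link_local, ip.is_reserved, ip.is_unspecified]):
        return f"internal address {ip}"
    return None


def inspect_request(req: Request) -> dict:
    """Run every signature over the path, each query argument and each body field;
    any hit blocks. The returned dict doubles as the log record."""
    fields = {"path": req.path}
    fields.update({f"arg:{k}": v for k, v in parse_qsl(req.query, keep_blank_values=True)})
    fields.update({f"body:{k}": v for k, v in parse_qsl(req.body, keep_blank_values=True)})
    matches = []
    for location, raw in fields.items():
        value = normalize(raw)
        for rule, pattern in SIGNATURES.items():
            if pattern.search(value):
                matches.append({"rule": rule, "location": location})
        reason = ssrf_target(value)
        if reason:
            matches.append({"rule": "A10-SSRF", "location": location, "detail": reason})
    return {"action": "block" if matches else "allow", "matches": matches}


def log_line(client_ip: str, req: Request, decision: dict) -> str:
    """One JSON object per request (A09): SIEM-friendly and easy to threshold on."""
    record = {"ts": datetime.now(timezone.utc).isoformat(), "client_ip": client_ip,
              "method": req.method, "path": req.path, **decision}
    return json.dumps(record, separators=(",", ":"))


# Constructed sample traffic: (name, request, expected decision)
SAMPLES = [
    ("benign SQL words", Request("POST", "/comment", body="text=I+will+select+the+union+option"), "allow"),
    ("benign external fetch", Request("GET", "/fetch", "url=https%3A%2F%2Fexample.com%2Ffeed.xml"), "allow"),
    ("tautology", Request("GET", "/login", "user=admin'+OR+'1'%3D'1"), "block"),
    ("double-encoded obfuscated UNION", Request("GET", "/item", "id=1%2520UNION/**/SELECT%2520password"), "block"),
    ("event-handler XSS in body", Request("POST", "/comment", body="text=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E"), "block"),
    ("encoded traversal in path", Request("GET", "/static/..%2F..%2Fetc%2Fpasswd"), "block"),
    ("SSRF to cloud metadata", Request("GET", "/fetch", "url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F"), "block"),
]


def run_samples(samples=SAMPLES) -> dict:
    """Replay the samples and report, per name, the decision and the rules hit."""
    report = {}
    for name, req, expected in samples:
        decision = inspect_request(req)
        report[name] = {"expected": expected, "action": decision["action"],
                        "rules": sorted({m["rule"] for m in decision["matches"]})}
    return report


if __name__ == "__main__":
    for name, result in run_samples().items():
        print("OK  " if result["action"] == result["expected"] else "MISS", name, result["rules"])
    print(log_line("203.0.113.7", SAMPLES[-1][1], inspect_request(SAMPLES[-1][1])))
```

The two benign samples are there on purpose: a signature WAF is judged as much by what it lets through as by what it blocks, and every signature added to `SIGNATURES` should be re-run against known-good traffic before it goes live.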

Repository Structure

waf-appsec-lab/
├── docker-compose.yml          # WAF + backend app stack
├── nginx/
│   ├── nginx.conf              # Main Nginx WAF config
│   ├── waf-rules.conf          # Custom WAF security rules
│   └── tls.conf                # TLS/mTLS configuration
├── src/
│   ├── waf_tester.py           # Automated WAF rule testing
│   └── attack_simulator.py     # OWASP Top 10 attack simulation
├── sample-attacks/
│   ├── sqli-payloads.txt       # SQL injection test payloads
│   ├── xss-payloads.txt        # XSS test payloads
│   └── path-traversal.txt      # Path traversal payloads
└── docs/
    ├── waf-rules-explained.md  # WAF rule documentation
    └── owasp-top10.md          # OWASP Top 10 reference

Skills Demonstrated

  • WAF configuration and rule development (Nginx)
  • OWASP Top 10 detection and mitigation
  • TLS/mTLS certificate configuration
  • Security headers implementation
  • Rate limiting and application-layer (L7) flood protection
  • Structured security logging
  • Automated WAF testing
  • Attack pattern recognition (SQLi, XSS, SSRF, path traversal)
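The rate-limiting bullet above, together with the brute-force protection in the A07 row, rests on the leaky-bucket model that Nginx `limit_req` implements: a per-key bucket that drains at `rate`, tolerates `burst` extra requests, and either paces or (with `nodelay`) immediately serves the burst. The following added example models that behaviour in Python so the budget an attacker gets can be reasoned about before touching the Nginx config; it is not code from this repository, the `LeakyBucketLimiter` class and the replayed login timeline are constructed, and the decision rules are an approximation of `limit_req` semantics, not a transcription of the Nginx source.

```python
"""Leaky-bucket rate limiter modeled on Nginx limit_req (rate, burst, nodelay).

Added example, not code from drdre4664/WAF_Application_Security_Lab. The
LeakyBucketLimiter class and the replayed login timeline are constructed for
illustration, and the decision rules approximate limit_req semantics; they are
not a transcription of the Nginx source.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class _Bucket:
    last: float    # time of the last accepted request from this key
    excess: float  # requests accumulated above the allowed rate


class LeakyBucketLimiter:
    def __init__(self, rate: float, burst: int = 0, nodelay: bool = False):
        self.rate = rate        # allowed requests per second (limit_req_zone rate=)
        self.burst = burst      # extra requests tolerated above that rate (burst=)
        self.nodelay = nodelay  # serve the burst at once instead of pacing it (nodelay)
        self._buckets = {}

    def check(self, key: str, now: float) -> tuple:
        """Decide one request from `key` at time `now` (seconds).
        Returns ("allow", 0.0), ("delay", seconds) or ("reject", 0.0)."""
        bucket = self._buckets.get(key)
        if bucket is None:  # first request from this key is always served
            self._buckets[key] = _Bucket(last=now, excess=0.0)
            return "allow", 0.0
        elapsed = max(now - bucket.last, 0.0)
        excess = max(bucket.excess - self.rate * elapsed, 0.0) + 1.0  # drain, then add this request
        if excess > self.burst:
            return "reject", 0.0  # bucket unchanged: a rejected request consumes no budget
        bucket.last, bucket.excess = now, excess
        if self.nodelay:
            return "allow", 0.0
        return "delay", excess / self.rate  # hold until the bucket would have drained


# Constructed timeline: a credential-stuffing client hitting /login every 50 ms
# while one legitimate user logs in once. Keyed by client IP, as a
# limit_req_zone on $binary_remote_addr would be.
ATTACKER, LEGIT = "203.0.113.7", "198.51.100.4"
EVENTS = sorted([(i * 0.05, ATTACKER) for i in range(10)] + [(0.2, LEGIT)])


def replay(limiter: LeakyBucketLimiter, events=EVENTS) -> dict:
    """Feed (timestamp, key) events through the limiter; return verdict counts per key."""
    counts = {}
    for ts, key in events:
        verdict, _delay = limiter.check(key, ts)
        counts.setdefault(key, Counter())[verdict] += 1
    return {k: dict(v) for k, v in counts.items()}


def login_limits(nodelay: bool) -> dict:
    """1 r/s with burst=3 per client on /login: a budget of 4 immediate attempts."""
    return replay(LeakyBucketLimiter(rate=1.0, burst=3, nodelay=nodelay))


if __name__ == "__main__":
    print("nodelay:", login_limits(True))   # attacker: 4 allowed, 6 rejected; legit: 1 allowed
    print("paced:  ", login_limits(False))  # attacker: 1 allowed, 3 delayed, 6 rejected
```

The replay shows why `burst` is the number to tune for a login endpoint: with `nodelay` the attacker still gets `burst + 1` attempts before the first 503, and the bucket only refills at `rate`, so the sizing question is how many guesses per second per IP the business will tolerate, not whether a limit exists. The legitimate user is unaffected because the bucket is per key.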

About

Nginx Web Application Firewall detecting OWASP Top 10 (SQLi, XSS, SSRF, path traversal) with regex signatures, security headers, rate limiting, and a Python attack simulator.
