Monday, February 26, 2018

Longjing - Machine Learning Driven Web Application Firewall

Longjing is a Chinese green tea rich in antioxidants. It is good for health. Longjing Web Application Firewall (WAF) is machine learning driven and is designed to protect web applications from SQL injection attacks.

Longjing WAF is written in Python and is not designed with high performance in mind. Only Linux is supported.

Longjing WAF can protect your web application from being scanned by Burp Suite, SQLMap, OWASP ZAP, XSSer and Commix even when the web application itself has an SQL injection vulnerability. Reflected Cross Site Scripting (XSS) is detected as well.

Injection, of which SQL injection is the main example, sits at the top (A1) of the OWASP Top 10 2017. It can lead to data leakage and/or full system compromise, and it is a critical vulnerability.

Longjing WAF is a PARTIALLY open source project under the GPLv3 license by Samiux. The training and modelling code are NOT open sourced. A demo may be provided when necessary.

Training takes about 3 hours on an Intel i7-5500U with 16GB RAM. The reported accuracy rate is over 99%. Longjing needs about 3GB of RAM to run.

Requirement

- Ubuntu Linux Server 16.04.4 LTS
- Anaconda3
- mitmproxy
- web server
- web application
- SSD is recommended
- at least 8GB RAM

Installation

(A) Install Anaconda

sudo apt install build-essential libssl-dev libffi-dev python3-dev

wget https://repo.continuum.io/archive/Anaconda3-5.1.0-Linux-x86_64.sh

chmod +x Anaconda3-5.1.0-Linux-x86_64.sh

sudo -sH

./Anaconda3-5.1.0-Linux-x86_64.sh

When prompted, install Anaconda3 to /etc/anaconda3 and answer "yes" to let the installer modify root's .bashrc.

source /root/.bashrc

(B) Update Anaconda

sudo -sH
conda update --prefix /etc/anaconda3 anaconda
conda update -n base conda


(C) Install mitmproxy

sudo -sH
conda install pip
pip install mitmproxy


The current version of mitmproxy at this writing is 3.0.3.

Exit to normal user by entering exit.

(D) Update mitmproxy

sudo -sH
cd /etc/anaconda3
pip install mitmproxy --upgrade


(E) Install Longjing

wget https://www.infosec-ninjas.com/files/longjing-0.8.0.tar.gz
tar -xvzf longjing-0.8.0.tar.gz

cd longjing

nano config.conf


where:
- NET_INF is the network interface mitmproxy listens on
- PORT is the port number mitmproxy listens on, e.g. 8080
- CERT is the --certs option for your domain's TLS/SSL certificate, when you have one. mitmproxy expects the private key and the certificate (chain) together in a single PEM file, and the value must start with --certs, e.g. --certs example.com=/path/to/example.com.pem (assumed path). Leave it empty to let mitmproxy use its own generated CA.

Please read the mitmproxy "About certificates" documentation for details - Using a custom certificate.

sudo ./install.sh

Finally, make sure to copy index.html to the web application root directory.

(F) Running

sudo systemctl restart longjing.service

(G) Testing with Tools

Longjing is well tested on Damn Vulnerable Web Application (DVWA) with the following tools:

- Burp Suite on DVWA (SQLi and XSS blocked, except DOM-based XSS, which runs entirely in the browser and never passes through the proxy)
- sqlmap on DVWA (blocked, including payloads rewritten by its tamper scripts)
- OWASP ZAP on DVWA (SQLi and XSS blocked)
- XSSer on DVWA (XSS blocked)
- Commix on DVWA (blocked; Commix hangs in the middle of its scan)
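To make the mechanics behind the config section and these test results concrete, here is an added example of a mitmproxy addon that sits in front of a web server as a reverse-proxy WAF. It is not Longjing's code, and it is not the trained model (which the project keeps closed): the scorer is a hand-written stand-in that shows the part a WAF has to get right regardless of how the classifier is built, namely decoding every user-controlled field the way the backend will (percent-decoding twice, HTML entities, MySQL comment tricks) before scoring it, which is why tamper-script output from sqlmap still has to be caught. The file name waf_addon.py, the example.com certificate path, the feature patterns and their weights are all assumptions for illustration. It targets the mitmproxy 3.x API that the post installs.

```python
"""
Added illustration, not Longjing's own code: the shape of a mitmproxy addon
that acts as a reverse-proxy WAF. Every user-controlled field is decoded,
scored, and the request is answered with a 403 before it reaches the web
server. Longjing's trained model is not public, so score_value() below is a
hand-written stand-in for it. Written against the mitmproxy 3.x API that the
post installs (later releases renamed HTTPResponse to Response and replaced
ctx.log with the logging module).

Run it in front of a local web server, with a custom certificate if you
have one (assumed paths):
    mitmdump --mode reverse:http://127.0.0.1:80 -p 8080 \
        --certs example.com=/etc/longjing/example.com.pem -s waf_addon.py
"""
import html
import re
import urllib.parse
from typing import Iterable, List, Tuple

try:                                    # only available when run inside mitmproxy
    from mitmproxy import ctx, http
except ImportError:                     # keeps the scoring logic importable on its own
    ctx = http = None

BLOCK_THRESHOLD = 2

# (name, weight, regex). A trained model learns such features implicitly;
# these are hand-picked for illustration and are NOT the Longjing model.
PATTERNS: List[Tuple[str, int, str]] = [
    ("sqli-union",     2, r"(?i)\bunion\b\s+(all\s+)?select\b"),
    ("sqli-tautology", 2, r"(?i)['\"]\s*(or|and)\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+"),
    ("sqli-time",      2, r"(?i)\b(sleep|benchmark|pg_sleep|waitfor)\s*\("),
    ("sqli-schema",    2, r"(?i)\b(information_schema|load_file|into\s+(out|dump)file)\b"),
    ("sqli-comment",   1, r"(--|#)\s*$"),
    ("xss-script",     2, r"(?i)<\s*/?\s*script\b"),
    ("xss-handler",    2, r"(?i)\bon(error|load|mouseover|mouseenter|focus|click|blur|submit)\s*="),
    ("xss-js-uri",     2, r"(?i)javascript\s*:"),
    ("xss-tag",        1, r"(?i)<\s*(img|svg|iframe|body|object|embed)\b"),
]
COMPILED = [(name, w, re.compile(rx)) for name, w, rx in PATTERNS]


def normalize(value: str) -> str:
    """Undo the encodings browsers and sqlmap tamper scripts apply, so the
    scorer sees roughly what the backend's SQL engine or HTML parser sees."""
    out, prev = value, None
    for _ in range(3):                               # bounded: %2527-style double encoding
        if out == prev:
            break
        prev, out = out, urllib.parse.unquote_plus(out)
    out = html.unescape(out)                         # &#x3c;script&#x3e; -> <script>
    out = re.sub(r"/\*!\d*(.*?)\*/", r"\1", out)     # MySQL /*!UNION*/ executes its body
    out = re.sub(r"/\*.*?\*/", " ", out)             # UNION/**/SELECT -> UNION SELECT
    return re.sub(r"\s+", " ", out).strip()


def score_value(value: str) -> Tuple[int, List[str]]:
    """Score one field; returns (total weight, names of matched features)."""
    decoded = normalize(value)
    hits = [name for name, _, rx in COMPILED if rx.search(decoded)]
    score = sum(w for name, w, _ in COMPILED if name in hits)
    return score, hits


def classify_request(fields: Iterable[Tuple[str, str]]) -> Tuple[bool, List[str]]:
    """fields are (location, value) pairs taken from path, query, form body and
    cookies. The request is blocked when any single field reaches the threshold."""
    reasons, blocked = [], False
    for where, value in fields:
        score, hits = score_value(value)
        if hits:
            reasons.append("%s: %s (score %d)" % (where, ",".join(hits), score))
        if score >= BLOCK_THRESHOLD:
            blocked = True
    return blocked, reasons


def _request_fields(req) -> List[Tuple[str, str]]:
    """Collect every user-controlled string from a mitmproxy request object."""
    fields = [("path", req.path.split("?", 1)[0])]
    fields += [("query:" + k, v) for k, v in req.query.items(multi=True)]
    if req.urlencoded_form:                          # empty unless it is a form POST
        fields += [("form:" + k, v) for k, v in req.urlencoded_form.items(multi=True)]
    fields += [("cookie:" + k, v) for k, v in req.cookies.items(multi=True)]
    return fields


def request(flow):
    """mitmproxy addon hook: called for every request before it is forwarded."""
    blocked, reasons = classify_request(_request_fields(flow.request))
    if blocked:
        ctx.log.warn("WAF blocked %s %s: %s" % (flow.request.method,
                                               flow.request.path, "; ".join(reasons)))
        flow.response = http.HTTPResponse.make(      # mitmproxy 3.x name
            403, b"<h1>403 Forbidden</h1>", {"Content-Type": "text/html"})
```

The threshold is deliberately above the weight of weak features such as a trailing comment marker, so a lone `#` or `--` in a search box does not block, while a tautology, a UNION SELECT or an event-handler attribute does on its own. Swapping score_value() for a call into a trained classifier leaves the rest of the addon unchanged, which is the property that makes the decoding step worth keeping separate: a model only sees what the normalizer gives it.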

That's all! See you.