Tuesday, March 20, 2018

Longjing - Deep Learning Driven Web Application Firewall

Longjing is a Chinese green tea full of antioxidants. It is good for health and helps fight cancer. Longjing Web Application Firewall (WAF) is a deep-learning-driven WAF developed in Python 3 with the Scikit-Learn library. It is described as deep learning because it builds its model with a neural-network MLP (multi-layer perceptron) classifier. Even though it is a simple MLP classifier, the accuracy rate is very high. It supports Linux systems only.

Longjing WAF is mainly designed to protect web applications from SQL Injection (SQLi), which sits at the top of the OWASP Top 10 for 2017. A successful attack leads to data leakage and/or system compromise. It is a critical vulnerability for web applications.

Longjing WAF is well tested on Damn Vulnerable Web Application (DVWA) with Burp Suite, SQLMap, OWASP ZAP, XSSer and Commix. It detects not only SQLi but also XSS (Cross-site Scripting). The accuracy rate is over 99% on the test samples. It can easily be tuned further for false positives, as the running code is an open source project released under GPLv3 by Samiux. However, the training data and the model are not open sourced.

It is not very complicated to install and deploy. The latest version as of this writing is 0.9.1. It works with Anaconda 3 and MitmProxy 3.0.3. Anaconda installs all the required Scikit-Learn Python libraries for you and is also very easy to maintain. MitmProxy acts as a proxy that handles the HTTP/HTTPS requests and responses.
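To show the kind of model the post describes, here is an added example (my own code, not Longjing's; its model and training data are not public): a scikit-learn pipeline of character n-gram TF-IDF features feeding an MLPClassifier, trained on a small constructed set of decoded query strings labelled benign, SQLi or XSS. The sample requests, function names and the confidence threshold are all assumptions for illustration.

```python
from urllib.parse import unquote_plus
from sklearn.feature_extraction.text import TfidfVectorizer
from sklearn.neural_network import MLPClassifier
from sklearn.pipeline import make_pipeline

# Constructed training set (not Longjing's own): (query string on the wire, label).
TRAIN = [
    ("id=1", "benign"),
    ("id=42&page=2", "benign"),
    ("user=alice&pass=Secret123", "benign"),
    ("q=green+tea+antioxidants", "benign"),
    ("name=O%27Brien", "benign"),            # a lone quote is not an attack
    ("id=1%27+OR+%271%27%3D%271", "sqli"),
    ("id=1+UNION+SELECT+user%2Cpassword+FROM+users--", "sqli"),
    ("id=1+AND+SLEEP%285%29--", "sqli"),
    ("id=1%27+AND+1%3D1--+", "sqli"),
    ("id=1%3B+DROP+TABLE+users--", "sqli"),
    ("name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E", "xss"),
    ("name=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E", "xss"),
    ("q=%3Csvg+onload%3Dalert%28document.cookie%29%3E", "xss"),
    ("c=%22%3E%3Ca+href%3Djavascript%3Aalert%281%29%3Ex%3C%2Fa%3E", "xss"),
]

def normalise(raw):
    """Decode URL encoding twice (catches double-encoded payloads) and lowercase,
    so the classifier sees roughly what the back end would interpret."""
    return unquote_plus(unquote_plus(raw)).lower()

def build_model(samples=TRAIN):
    """Character n-gram TF-IDF features feeding a small MLP, the same model family
    the post names. lbfgs suits tiny sets; random_state fixes the weight init."""
    texts = [normalise(q) for q, _ in samples]
    labels = [label for _, label in samples]
    model = make_pipeline(
        TfidfVectorizer(analyzer="char", ngram_range=(1, 3), lowercase=False),
        MLPClassifier(hidden_layer_sizes=(32,), solver="lbfgs",
                      max_iter=2000, random_state=7),
    )
    return model.fit(texts, labels)

def classify(model, raw_query):
    """Return (label, confidence) for one query string."""
    probs = model.predict_proba([normalise(raw_query)])[0]
    best = probs.argmax()
    return str(model.classes_[best]), float(probs[best])

def should_block(model, raw_query, threshold=0.5):
    """Policy decision: block only confident non-benign verdicts. The threshold
    is the knob for trading false positives against misses."""
    label, confidence = classify(model, raw_query)
    return label != "benign" and confidence >= threshold
```

In a deployment this `should_block` check would sit in the proxy hook that sees each request; the threshold and the training set are where false-positive tuning happens.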

Longjing is the next generation Web Application Firewall! Fetch it and try it!

That's all! See you.


Longjing - Web Application Firewall

Saturday, March 03, 2018

[Full Disclosure] Vulnerable Web Sites In Hong Kong (March 2018)

Since I am not a White Hat, I will disclose all my findings fully to the public. Do not blame me for that! I am a Grey Hat.

Recently, I found out that the personal web site of the anti-government politician in Hong Kong, Claudia Mo, has been hacked since 2016. Some China-related videos and statements have been posted to the site since 2017. Meanwhile, the volunteers' personal particulars have been leaked on Pastebin since 2016. The most important thing to know is that the site was protected by Cloudflare, a kind of cloud-based DDoS protection and web application firewall (WAF).

I conducted a very simple and quick check on the site some days before yesterday and confirmed that her site was vulnerable to blind SQL injection. However, her site has been deleted since yesterday (March 2, 2018, Hong Kong time).

After a simple search, it was confirmed that the site was developed by OneTeam.hk. Some other sites developed by them were obtained through Google search and from their official site. Another quick and simple test was conducted on those sites.

The result shows that about 18 web sites are vulnerable to SQL injection. It seems that those sites are developed with a vulnerable library.

The URLs of those sites are listed below for reference. It may not be a complete list. I am not responsible for any loss and/or damages caused once those sites have been disclosed. You have been warned that you will be put in jail if you attack or do evil on those sites.

Finally, some web developers in Hong Kong cannot build a secure web site properly. They believe that Cloudflare can protect the sites in a very secure manner. Cloudflare WAF can be bypassed very easily. Before investing money in your web sites, please consider the ability of the web developers and the security of the web applications.

Vulnerable sites:


Non-vulnerable sites:


That's all! See you.