SQL Injection Defense - WAF Bypass Skills (5)

0x00 Preface
X-WAF is a cloud WAF system aimed at small and medium-sized enterprises, letting them run their own free cloud WAF with very little effort. This article starts from the source code, works through how the WAF operates step by step, and then performs a WAF bypass.
0x01 Environment setup
Official website: https://waf.xsec.io
github source code: https://github.com/xsec-lab/x-waf
After downloading and installing X-WAF, deploy it as a reverse proxy in front of a test application that contains a SQL injection point.
0x02 Code Analysis
First look at the overall directory structure.
The nginx_conf directory holds reference configuration (it can be deleted); the rules directory stores the filtering rules; init.lua loads those rules; access.lua is the program's entry point; config.lua is the configuration file; and the main logic is implemented in util.lua and waf.lua.

The code logic is very simple; let's first familiarize ourselves with the detection flow. The program entry is in waf.lua, lines 262-274:
```lua
-- waf start
function _M.check()
    if _M.white_ip_check() then
    elseif _M.black_ip_check() then
    elseif _M.user_agent_attack_check() then
    elseif _M.white_url_check() then
    elseif _M.url_attack_check() then
    elseif _M.cc_attack_check() then
    elseif _M.cookie_attack_check() then
    elseif _M.url_args_attack_check() then
    elseif _M.post_attack_check() then
    else
        return
    end
end
```
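As an added illustration (not X-WAF's own code), the following Python model reproduces the shape of the check chain above: the checks run in a fixed order, the first one that matches decides the verdict, and a request matched by an early whitelist check is never seen by the later attack checks. The rule sets, request fields and sample requests are constructed stand-ins, not the project's real rules.

```python
import re

# Constructed stand-in rule sets (X-WAF loads its real rules from the
# rules directory via init.lua; these exist only for the demonstration).
WHITE_IPS = {"10.0.0.5"}
BLACK_IPS = {"203.0.113.9"}
UA_RULES = [re.compile(r"(?i)^sqlmap/")]
WHITE_URLS = [re.compile(r"^/static/")]
ARGS_RULES = [re.compile(r"(?i)\bunion\b.*?\bselect\b"),
              re.compile(r"(?i)\bsleep\s*\(")]


def _any(rules, text):
    """True if any compiled rule matches the given request field."""
    return any(r.search(text) for r in rules)


def check(req):
    """Model of waf.lua _M.check(): checks run in this order and the first
    match decides; later checks are not consulted. Returns (verdict, check)."""
    chain = [
        ("white_ip_check", lambda r: r["ip"] in WHITE_IPS, "allow"),
        ("black_ip_check", lambda r: r["ip"] in BLACK_IPS, "deny"),
        ("user_agent_attack_check", lambda r: _any(UA_RULES, r["ua"]), "deny"),
        ("white_url_check", lambda r: _any(WHITE_URLS, r["uri"]), "allow"),
        ("url_args_attack_check", lambda r: _any(ARGS_RULES, r["args"]), "deny"),
        ("post_attack_check", lambda r: _any(ARGS_RULES, r["body"]), "deny"),
    ]
    for name, matches, verdict in chain:
        if matches(req):
            return verdict, name
    return "pass", None


def sample():
    """Constructed requests: the same injection-looking query string gets a
    different verdict depending on which check fires first."""
    base = {"ip": "198.51.100.7", "ua": "Mozilla/5.0", "uri": "/item.php",
            "args": "id=1", "body": ""}
    payload = "id=1 union select 1,2,3"
    return [
        check({**base, "args": payload}),                         # deny, url_args_attack_check
        check({**base, "ip": "10.0.0.5", "args": payload}),       # allow, white_ip_check
        check({**base, "uri": "/static/x.js", "args": payload}),  # allow, white_url_check
        check({**base, "ua": "sqlmap/1.0", "args": payload}),     # deny, user_agent_attack_check
        check({**base, "body": payload}),                         # deny, post_attack_check
    ]
```

The second and third results show why whitelist scope matters for the operator: a whitelisted source IP or URL prefix short-circuits every attack check that follows it in the chain.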

Origin blog.csdn.net/luozhonghua2014/article/details/131120795