Jinyi Shield: introduction to an open source web application firewall

jxwaf (Jinyi Shield, literally "silk clothing and shield") is a next-generation web application firewall developed on OpenResty (nginx + Lua). Its original business-logic protection engine and machine learning engine effectively protect against business security risks and solve the pain point that traditional WAFs cannot protect business logic.
jxwaf

jxwaf (Jinyi Shield, "silk clothing and shield") is a next-generation web application firewall developed on OpenResty (nginx + Lua). Its original business-logic protection engine and machine learning engine effectively protect against business security risks and solve the pain point that traditional WAFs cannot protect business logic. The semantic analysis engine, combined with the built-in machine learning engine, avoids the slowdown that traditional WAFs suffer when too many rules are stacked up, while improving detection accuracy (low false positives, low false negatives).
Features

        Basic attack protection
            SQL injection attacks
            XSS attacks
            directory traversal
            command injection attacks
            WebShell upload protection
            scanner attacks ...
        Machine learning
            support vector machine (SVM)
        Semantic analysis
            SQL injection semantic analysis
            XSS attack semantic analysis
        Business logic vulnerability protection
            registration protection
            login protection
            protection against abuse of promotional activities ("activity brushing")
            SMS bombing protection
            unauthorized access (privilege) vulnerability protection
            SMS verification code bypass protection and checking ...
        Advanced CC (HTTP flood) attack protection
            protection variables can be set individually for different URLs and different request parameters
            CAPTCHA
        Cookie security
        Front-end parameter encryption protection
            AES encryption and decryption
            DES encryption and decryption
            RSA encryption and decryption
        Transparent deployment of a dynamic password function
            adds dynamic password (OTP) login for users of back-office systems and websites
        Detection caching
            caches the MD5 of requests the WAF has already inspected to improve detection efficiency
        Supported protocols
            HTTP / HTTPS
        Performance & reliability
            request processing time below one millisecond
            master-slave deployment, no single point of failure
            cluster reverse-proxy deployment that can handle large volumes of traffic
            embedded deployment without changing the existing network topology
            cloud deployment
        Management functions
            basic configuration
            rules configuration
            report display
            alarm configuration
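The detection caching feature above (reusing the verdict for a request whose MD5 fingerprint was already inspected) can be illustrated with an OpenResty access-phase handler. This is example code written for this article, not jxwaf's own implementation; it assumes a `lua_shared_dict waf_cache 10m;` directive in nginx.conf and a caller-supplied `run_rules` function standing in for the real rule engine.

```lua
-- Added example (not jxwaf's code): verdict cache for an access_by_lua* handler.
-- Assumes nginx.conf declares:  lua_shared_dict waf_cache 10m;
local cache = ngx.shared.waf_cache
local CACHE_TTL = 300   -- seconds a cached verdict stays valid; bounded so rule updates take effect

-- Fingerprint every field the rules inspect. Leaving a field out would let a
-- benign cached verdict be reused for a request that differs only in that field.
local function fingerprint()
    ngx.req.read_body()
    if ngx.req.get_body_file() then
        return nil   -- body spilled to a temp file (too large to hash cheaply): do not cache
    end
    local parts = {
        ngx.req.get_method(),
        ngx.var.uri,
        ngx.var.args or "",
        ngx.req.get_body_data() or "",
        ngx.var.http_user_agent or "",
    }
    return ngx.md5(table.concat(parts, "\n"))
end

-- run_rules() returns true when the request is judged an attack.
-- Returns (is_attack, served_from_cache).
local function inspect(run_rules)
    local key = fingerprint()
    if not key then
        return run_rules(), false
    end
    local hit = cache:get(key)
    if hit ~= nil then
        return hit == 1, true
    end
    local is_attack = run_rules()
    cache:set(key, is_attack and 1 or 0, CACHE_TTL)
    return is_attack, false
end

-- Placeholder rule (hypothetical, stands in for the real engine): a crude UNION SELECT check.
local is_attack, from_cache = inspect(function()
    return ngx.re.find(ngx.var.args or "", [[\bunion\b.+\bselect\b]], "ijo") ~= nil
end)
if is_attack then
    ngx.log(ngx.WARN, "blocked ", ngx.var.request_uri, from_cache and " (cached verdict)" or "")
    return ngx.exit(ngx.HTTP_FORBIDDEN)
end
```

Hash values are stored with an expiry rather than forever so that a newly pulled rule set can change a previously cached verdict.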

Architecture

jxwaf (Jinyi Shield) consists of jxwaf itself and the jxwaf management center:

    jxwaf: developed on OpenResty (nginx + Lua)
    jxwaf management center: http://www.jxwaf.com

Environment

    jxwaf
        CentOS 7
        OpenResty 1.11.2.4

Install

Download the code to the /tmp directory and run jxwaf_install.sh; jxwaf is installed into the /opt/jxwaf directory, as follows:

        $ cd /tmp
        $ git clone https://github.com/jx-sec/jxwaf.git
        $ cd jxwaf
        $ sh install_waf.sh

        If the following output appears after installation, the installation was successful:

        nginx: the configuration file /opt/jxwaf/nginx/conf/nginx.conf syntax is ok

        nginx: configuration file /opt/jxwaf/nginx/conf/nginx.conf test is successful

        Visit http://www.jxwaf.com and register an account. On the WAF rule management -> official rules page, load the rule set that matches your needs; then on the WAF rule configuration -> WAF global configuration page obtain your "WAF_API_KEY".

        Edit /opt/jxwaf/nginx/conf/jxwaf/jxwafconfig.json and set "waf_api_key" to your own account's "WAF_API_KEY".

        $ /opt/jxwaf/nginx/sbin/nginx

        This starts OpenResty; on startup or reload, OpenResty automatically pulls the rules configured by the user from the jxwaf management center.

Docs

    JXWAF instructions
    Implementing business security on OpenResty
    Transparent deployment of a dynamic password (OTP) function on OpenResty
    Developing Cookie security in a WAF

Contributors

    chenjc, security engineer
    jiongrizi, front-end development engineer

Bugs & requirements

    Submit bugs or feature requests as GitHub issues
    QQ group 730 947 092
    E-mail [email protected]

Other

The current open source version is already in normal use; its basic functions and official rules have completed basic testing, and it can meet the basic protection needs of small and medium-sized enterprises.

However, not all features are online yet: some features have not been migrated from the production version to the open source release. At present only basic attack protection, Cookie security and semantic analysis are online. The other features will continue to go online depending on how much time the front-end developer can spare; the whole set is expected to be finished within the year.

Those are the existing features; some to-do items are listed below:

    Data cleaning, feature extraction and model training for machine learning driven by rule configuration. In short, a lightweight machine learning training and application platform: users can focus on collecting the core features while the platform handles the rest of the tedious work, lowering the threshold for applying machine learning. The core functionality has already been developed and is being integrated with the other existing functions.
    Semantic analysis library development for command execution and code execution
    Official rules
    Integration of third-party security application interfaces
    Business security scenario development
    Report and alarm improvements
    Cloud WAF system development

GitHub address: https://github.com/jx-sec/jxwaf

JXWAF management center: http://www.jxwaf.com/

From the initial idea to the state it is in now, this project has taken almost a year and is more or less done. I started it because, after using ModSecurity in depth, I found far too many pitfalls, and since I could not keep doing penetration testing, I switched careers to WAF development. Out of professional habit I paid particular attention to the spots that are easily bypassed, and that attention is reflected throughout the code, which can be considered an advantage of this WAF.

Now about performance: the current test result is under 1 ms, with the core module's processing time at about 0.001 ms thanks to LuaJIT, and adding rules has almost no impact. As for concurrency, a single 1-core, 2 GB virtual machine tests at around 5000; I do not have the resources myself, but anyone interested can test on a well-configured physical machine, and exceeding 10K should be no problem. From prior experience with ModSecurity, a single machine serving up to one hundred million PV per day need not worry about performance at all, and without a "rich man's life" you need not worry about a "rich man's disease". For very large or complex traffic situations, clusters are something you can study on your own.

A brief summary of the target users:

    Companies with a single security person / no security budget
    Companies that need a WAF but have no WAF budget and no security personnel
    Networks / applications that need online secondary verification
    Those with machine-learning protection needs
    Those with business security needs
    Those whose WAF appliance cannot keep up and who do not want to, or cannot, move to the cloud
    Companies with highly customized rule / feature requirements

This article has no images; if you need them, view them at www.jxwaf.com.

Finally, thanks to jsp for submitting bugs and requirements during the closed beta. Everyone is welcome to submit bugs and requirements; there are bound to be pitfalls.

Origin: www.cnblogs.com/wuchangsoft/p/10950064.html