Counting the top 10 free and open-source WAFs in 2024


WAF is the abbreviation for Web Application Firewall. Unlike a traditional network firewall, a WAF operates at the application layer and inspects HTTP/HTTPS requests and responses, so it protects web systems far better than packet-level filtering can. It raises the bar against common web attacks such as SQL injection and cross-site scripting, but it does not make a site immune to attackers: a WAF is a mitigating layer in front of the application, not a substitute for fixing the vulnerabilities behind it.

In recent years economic growth has slowed and cost awareness among technology companies has increased, making security spending more deliberate. This has fuelled the development of open-source security projects in China, as can be seen from the activity around the GitHub topic "waf", where the leading Chinese projects now outrank those from overseas.


Thousands of WAF projects can be found publicly on the Internet, but most are experimental demos: little engineering, no documented deployments, and no validation under large-scale traffic. Projects that can genuinely be called products make up less than 1%. After reviewing a large amount of material, and after actually deploying and testing dozens of WAF products, I have selected ten representative projects, which are introduced one by one below.

Common Indicators for Evaluating WAFs

As a website administrator, how should one choose a suitable WAF? The following are the indicators users most commonly care about:

  • Protection effect: two dimensions, whether it blocks attacks (detection rate) and whether it interferes with ordinary users (false positives)

  • Technical advancement: the competitiveness of the detection engine and whether it can counter advanced attacks

  • Project quality: evaluated here in terms of functional completeness, open-source code quality and documentation completeness

  • Community recognition: the project's reputation and influence among users; this article uses the GitHub star count as the basis

  • Community activity: the project's momentum; the higher the activity, the faster the development. This article uses community participation and the maintainers' commitment to the project as the basis

Project List

Let's take a look at the overall rating table first

Project Name               Developers                  Overall Rating (5 = best)
ModSecurity                SpiderLabs                  5
Leichi Community Edition   Chaitin Technology          5
Coraza                     Coraza                      4
Nanqiang                   You'an Technology (uusec)   3
JANUSEC                    JANUSEC                     3
VeryNginx                  alexazhou                   2
httpwaf                    Idle Person                 2
JinYiDun                   jx-sec                      1
NGX_WAF                    ADD-SP                      1
NAXSI                      NBS SYSTEM                  1

ModSecurity

Homepage: https://www.modsecurity.org/

ModSecurity is a long-established open-source WAF engine with a wide user base. Originally it ran only as an Apache module; since the 2.x series it has also supported IIS and Nginx, and the 3.x rewrite (libmodsecurity) separates the engine from the web server through connectors. Because it is an engine rather than an integrated WAF, it needs additional integration work (at minimum a rule set and a connector, usually a management layer as well) before it can be used, which raises the cost for users. Many other open-source WAFs embed ModSecurity as their core engine, and it enjoys high recognition in the open-source community. The actual protection comes from rule sets such as the OWASP Core Rule Set, which rely mainly on regular expressions: coverage is fairly comprehensive, but regex rules are comparatively easy to bypass with encoding, comment and whitespace tricks. In 2024 its original sponsor, Trustwave, ended its involvement and handed the project to OWASP; whether it can sustain its previous pace of maintenance remains to be seen.


  • Protection effect: basic detection is good, but the stock rules are not tuned for the Chinese Internet environment and are prone to false positives

  • Technical advancement: it lacks advanced defence capabilities, but its standing in the technical community and its integration into many open-source projects make the ecosystem itself a technical moat

  • Project quality: no console; the project is completely open source and the documentation is rich

  • Community recognition: 6,400 stars, the highest count among WAF projects outside China

  • Community activity: continuously updated, with 3 releases in the past year
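To make the "protection effect" indicator concrete, and to show why the regex rules behind engines such as ModSecurity are bypassable, here is an added example (my own Python, not code from ModSecurity or the OWASP CRS). It implements a miniature SecRule-style matcher in which a rule is a regular expression behind a chain of ModSecurity-named transformations (t:urlDecodeUni, t:lowercase, t:removeComments, t:compressWhitespace, re-implemented here in simplified form), then scores a naive rule and a hardened rule on a small constructed corpus along the two axes the indicator names: detection rate on attack payloads and false-positive rate on ordinary input. The payloads, the benign strings and the rule IDs 900001/900002 are assumptions made for the example.

```python
import re
import urllib.parse
from dataclasses import dataclass
from typing import Callable, Dict, Sequence, Tuple

# Simplified stand-ins for ModSecurity transformation actions.  The names are the
# real t:* names; the bodies are reduced re-implementations written for this
# example, not libmodsecurity's code (e.g. %uXXXX decoding and "--"/"#" comment
# handling are omitted).
TRANSFORMS: Dict[str, Callable[[str], str]] = {
    "urlDecodeUni": urllib.parse.unquote_plus,
    "lowercase": str.lower,
    # ModSecurity replaces a comment with a single space, so "union/**/select"
    # becomes "union select" rather than "unionselect".
    "removeComments": lambda s: re.sub(r"/\*.*?\*/", " ", s, flags=re.S),
    "compressWhitespace": lambda s: re.sub(r"\s+", " ", s),
}


@dataclass(frozen=True)
class Rule:
    """One SecRule-like check: apply the transformation chain, then match @rx."""
    rule_id: int
    pattern: str
    transforms: Tuple[str, ...] = ()

    def matches(self, value: str) -> bool:
        for name in self.transforms:
            value = TRANSFORMS[name](value)
        return re.search(self.pattern, value) is not None


def evaluate(rule: Rule, attacks: Sequence[str], benign: Sequence[str]) -> Dict[str, float]:
    """Score a rule on both axes: detection rate on attack payloads and
    false-positive rate on ordinary user input."""
    detected = sum(rule.matches(v) for v in attacks)
    false_hits = sum(rule.matches(v) for v in benign)
    return {
        "detection_rate": detected / len(attacks),
        "false_positive_rate": false_hits / len(benign),
    }


# Constructed sample parameter values; not captured traffic.
ATTACKS = [
    "1 union select 1",                              # textbook form
    "1 UNION SELECT username,password FROM users",    # case variation
    "1 union/**/select 1,2",                          # inline-comment evasion
    "1%20union%0aselect%201",                         # URL-encoded newline
    "1' or '1'='1",                                   # not covered by this rule at all
]
BENIGN = [
    "Trade union select committee minutes",          # legitimate text that trips the regex
    "hello world",
    "John O'Brien",
    "union jack",
    "10",
]

# Rule 1: the bare pattern, case-sensitive, as a naive rule writer might ship it.
NAIVE = Rule(rule_id=900001, pattern=r"union\s+select")
# Rule 2: the same pattern behind a ModSecurity-style transformation chain.
HARDENED = Rule(
    rule_id=900002,
    pattern=r"union\s+select",
    transforms=("urlDecodeUni", "lowercase", "removeComments", "compressWhitespace"),
)

if __name__ == "__main__":
    for rule in (NAIVE, HARDENED):
        print(rule.rule_id, evaluate(rule, ATTACKS, BENIGN))
```

The naive rule catches one attack in five; the transformation chain lifts that to four, because decoding, lowercasing and comment removal collapse the evasions back onto the canonical form. Two lessons survive even the hardened rule: the `' or '1'='1` payload is untouched because no rule covers it (coverage, not evasion), and the benign sentence containing "union select" is blocked by both rules, which is exactly the "affects ordinary users" cost that a signature approach cannot transform away.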

Leichi Community Edition

Homepage: https://waf-ce.chaitin.cn/

Leichi Community Edition (SafeLine) is a cut-down version of Chaitin Technology's enterprise Leichi Web Application Protection System. Its core detection capability is driven by Chaitin's semantic analysis engine, which analyses the structure of the input instead of matching it against signature regexes. Only part of the project is open source. Its advantages are good protection, fast iteration, and a clean, easy-to-use interface; the disadvantage is that the community edition has fewer functions than the enterprise edition, though it covers the basic needs of a WAF.


  • Protection effect: good against both common and uncommon vulnerability classes, with few false positives

  • Technical advancement: the core technology is semantic analysis, which is harder to evade and performs better than regular-expression rules

  • Project quality: has all the basic capabilities of a WAF; the project is not completely open source, and the documentation is relatively comprehensive

  • Community recognition: 12,000 stars, over 280,000 installations

  • Community activity: continuously updated, with over 100 releases in the past year

Coraza

Homepage: https://coraza.io/

Coraza is an open-source, high-performance WAF engine written in Go. It supports the ModSecurity SecLang rule language and is fully compatible with the OWASP Core Rule Set. Like ModSecurity, it provides no interface and serves only as a detection engine, so it requires integration work before it can be used; it has the potential to become the successor to ModSecurity.


  • Protection effect: basic detection is acceptable, but it lacks rules for uncommon vulnerability classes and is prone to false positives

  • Technical advancement: detection relies on the LibInjection, ModSecurity and OWASP CRS projects

  • Project quality: no console; the project is completely open source and the documentation is rich

  • Community recognition: 1,200 stars

  • Community activity: continuously updated, with 4 releases in the past year

VeryNginx

Homepage: https://github.com/alexazhou/VeryNginx

VeryNginx is a WAF extension deeply integrated with Nginx, built on OpenResty (Lua). Unlike most Nginx-extension WAFs, it provides a console. It has no detection engine of its own; the rules come from third-party libraries. With 5,900 stars on GitHub it is among the most-starred Chinese WAF projects. Its biggest problem is that it has been neglected for years: the rule library has not been updated for a long time and the project has essentially stopped being maintained, which is a real pity.

  • Protection effect: simple rules with basic protection capability, but dated; the rule library has not been updated for 7 years

  • Technical advancement: detection rules come from the third-party ngx_lua_waf project

  • Project quality: has all the basic capabilities of a WAF; the project is completely open source and the documentation is relatively comprehensive

  • Community recognition: 5,900 stars

  • Community activity: not updated for 4 years

NAXSI

Homepage: https://github.com/nbs-system/naxsi

NAXSI is a WAF engine built specifically for Nginx and shipped as an Nginx dynamic module; after compiling it, you enable it by editing the Nginx configuration. It provides no console. As an engine it is less cumbersome to integrate than ModSecurity, but still more costly to adopt than an integrated WAF. Its detection relies on the LibInjection project and covers only SQL injection and XSS, so it is not recommended for production use on its own.


  • Protection effect: a relatively high detection rate for common vulnerability classes, but also a very high false-positive rate, and only SQL injection and XSS are covered

  • Technical advancement: core capability relies on the LibInjection project

  • Project quality: no console; the project is completely open source and the documentation is rich

  • Community recognition: 4,300 stars

  • Community activity: occasionally updated, essentially unmaintained

NGX_WAF

Homepage: https://github.com/ADD-SP/ngx_waf

NGX_WAF is a Chinese Nginx-extension WAF engine (there are a great many projects of this kind). It provides no console; as an engine it is less cumbersome to integrate than ModSecurity, but still more costly to adopt than an integrated WAF. Its core capabilities are based on LibInjection and ModSecurity, like other WAF projects that borrow third-party open-source rule libraries. Those overseas rule libraries adapt poorly to the Chinese Internet environment, are prone to false positives, and lack rules for uncommon vulnerability classes.


  • Protection effect: basic detection is acceptable, but it lacks rules for uncommon vulnerability classes and is prone to false positives

  • Technical advancement: detection rules rely on the LibInjection and ModSecurity projects

  • Project quality: no console; the project is completely open source, but the documentation is sparse

  • Community recognition: 1,300 stars

  • Community activity: occasionally updated, with 2 releases in the past year
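Coraza, NAXSI and NGX_WAF all lean on LibInjection for SQL injection detection. As an added example (my own simplified Python, not LibInjection's code nor the code of any project above), the following shows the approach LibInjection takes: tokenize the parameter value as SQL, reduce the token sequence to a short fingerprint of token types, and compare that fingerprint against a list of fingerprints known to come from injection attempts, trying the input as-is and as if it had landed inside a single- or double-quoted string. The token letters follow LibInjection's conventions; the keyword list and the KNOWN_SQLI set are constructed for this example (the real project ships a large generated list), and the tokenizer omits LibInjection's token-folding rules.

```python
import re
import urllib.parse
from typing import Optional

# Word classes (constructed subset; LibInjection has far larger tables).
LOGIC_WORDS = {"and", "or", "xor", "not"}
KEYWORDS = {"select", "insert", "update", "delete", "drop", "from", "where", "having",
            "order", "group", "by", "limit", "into", "values", "sleep", "benchmark",
            "waitfor", "exec", "declare", "case", "when", "then", "end"}

# SQL-ish lexer.  Alternatives are ordered so that comments win over operators and
# an unterminated quote swallows the rest of the input, as it would in SQL.
TOKEN_RE = re.compile(r"""
      (?P<ws>\s+)
    | (?P<comment>/\*.*?\*/|--[^\n]*|\#[^\n]*)
    | (?P<string>'(?:[^'\\]|\\.)*'?|"(?:[^"\\]|\\.)*"?)
    | (?P<number>\d+(?:\.\d+)?)
    | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
    | (?P<op>[-+*/%<>=!|&^~]+)
    | (?P<lparen>\()
    | (?P<rparen>\))
    | (?P<comma>,)
    | (?P<other>.)
""", re.VERBOSE | re.DOTALL)

PUNCT_TYPES = {"number": "1", "string": "s", "comment": "c", "op": "o",
               "lparen": "(", "rparen": ")", "comma": ",", "other": "?"}


def tokenize(text: str) -> str:
    """Map text to one character per token, using LibInjection's type letters:
    1 number, s string, n bareword, k keyword, & logic operator, U union,
    o operator, c comment, ( ) , punctuation, ? unknown."""
    out = []
    for m in TOKEN_RE.finditer(text):
        kind = m.lastgroup
        if kind == "ws":
            continue
        if kind == "word":
            w = m.group().lower()
            out.append("U" if w == "union" else "&" if w in LOGIC_WORDS
                       else "k" if w in KEYWORDS else "n")
        else:
            out.append(PUNCT_TYPES[kind])
    return "".join(out)


def fingerprint(text: str, max_tokens: int = 5) -> str:
    """LibInjection keeps only the first few tokens: that is enough to recognise
    the shape of an injection and keeps the fingerprint list finite."""
    return tokenize(text)[:max_tokens]


# Fingerprints treated as SQL injection.  Constructed for this tokenizer; the real
# project generates its list from a large corpus of attacks.
KNOWN_SQLI = {"1&1o1", "s&1o1", "s&sos", "1Uk1,", "1Uck1", "1Uk1"}


def detect_sqli(value: str) -> Optional[str]:
    """Return the matching fingerprint if `value` looks like SQL injection, else None.
    The three contexts mirror LibInjection: the value may land in the query bare,
    inside a single-quoted string, or inside a double-quoted string."""
    decoded = urllib.parse.unquote_plus(value)   # the WAF normally decodes first
    for context in ("", "'", '"'):
        fp = fingerprint(context + decoded)
        if fp in KNOWN_SQLI:
            return fp
    return None


if __name__ == "__main__":
    for v in ["1 OR 1=1", "' or '1'='1", "1%20union%0aselect%201,2",
              "Trade union select committee minutes", "John O'Brien"]:
        print(repr(v), "->", detect_sqli(v))
```

Note what the quoted contexts buy: `' or '1'='1` tokenizes as harmless string/number pairs when read bare, and only reveals its shape `s&sos` once the leading quote is understood to close a string the application opened. Conversely, a phrase such as "Trade union select committee minutes" produces a bareword-heavy fingerprint that is not on the list, whereas a `union select` regex flags it; that is the false-positive advantage of tokenized detection, paid for with a curated fingerprint list and a lexer that has to track the backend's SQL dialect.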

Nanqiang

Homepage: https://waf.uusec.com/

Nanqiang Web Application Firewall (uuWAF) is a comprehensive website protection product from You'an Technology (uusec). It is built on the company's own web intrusion anomaly detection technology, combined with the team's years of offensive and defensive theory and incident-response experience in application security. Its drawback is that it cannot be upgraded in place: installing a new version requires uninstalling and reinstalling.


  • Protection effect: good detection of the four attack classes SQL injection, XSS, RCE and LFI, but it lacks rules for uncommon vulnerability classes

  • Technical advancement: has basic semantic detection and supports traffic modelling through machine learning

  • Project quality: has the basic capabilities of a WAF; the project is not open source, and the documentation is relatively complete

  • Community recognition: 198 stars

  • Community activity: fast iteration, with 7 releases in the past year
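Nanqiang's "traffic modelling through machine learning" describes a positive security model: learn what normal parameter values look like per endpoint and flag requests that deviate. The following is an added example of that idea in Python (my own code, not uuWAF's, whose implementation is closed and unknown to me). The training requests, the character classes and the length slack factor are constructed assumptions. The model learns, per (path, parameter) pair, the longest value seen and the character classes observed, then reports why a new request deviates.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Character classes used to summarise a parameter value (constructed for the example).
CHAR_CLASSES = (
    ("digit", re.compile(r"[0-9]")),
    ("alpha", re.compile(r"[A-Za-z]")),
    ("space", re.compile(r"\s")),
    ("punct", re.compile(r"[.,_@\-]")),
    ("other", re.compile(r"[^0-9A-Za-z\s.,_@\-]")),  # quotes, operators, brackets, ...
)


def classes_of(value: str) -> Set[str]:
    return {name for name, rx in CHAR_CLASSES if rx.search(value)}


@dataclass
class ParamProfile:
    """What the model has learned about one (path, parameter) pair."""
    max_len: int = 0
    classes: Set[str] = field(default_factory=set)
    samples: int = 0


class TrafficModel:
    def __init__(self, slack: float = 1.5) -> None:
        self.profiles: Dict[Tuple[str, str], ParamProfile] = defaultdict(ParamProfile)
        self.slack = slack   # tolerance above the longest value seen in training (assumed)

    def learn(self, path: str, params: Dict[str, str]) -> None:
        """Fold one benign request into the per-parameter profiles."""
        for name, value in params.items():
            p = self.profiles[(path, name)]
            p.max_len = max(p.max_len, len(value))
            p.classes |= classes_of(value)
            p.samples += 1

    def score(self, path: str, params: Dict[str, str]) -> List[str]:
        """Return the reasons a request deviates from the learned profile (empty = normal)."""
        reasons = []
        for name, value in params.items():
            key = (path, name)
            if key not in self.profiles:
                reasons.append(f"{name}: parameter never seen on {path}")
                continue
            p = self.profiles[key]
            if len(value) > p.max_len * self.slack:
                reasons.append(f"{name}: length {len(value)} exceeds learned bound {p.max_len}")
            unseen = classes_of(value) - p.classes
            if unseen:
                reasons.append(f"{name}: unseen character classes {sorted(unseen)}")
        return reasons


# Constructed benign traffic standing in for a learning-period capture.
TRAINING = [
    ("/product", {"id": "1024"}),
    ("/product", {"id": "7"}),
    ("/product", {"id": "388"}),
    ("/search", {"q": "red shoes"}),
    ("/search", {"q": "winter coat size 42"}),
]


def build_model() -> TrafficModel:
    model = TrafficModel()
    for path, params in TRAINING:
        model.learn(path, params)
    return model


if __name__ == "__main__":
    model = build_model()
    for path, params in [
        ("/product", {"id": "42"}),
        ("/product", {"id": "1' OR 1=1"}),
        ("/search", {"q": "blue hat"}),
        ("/product", {"debug": "1"}),
    ]:
        print(path, params, model.score(path, params) or "normal")
```

The injection attempt against `id` is caught without any signature, purely because digits-only values of at most four characters were all the model ever saw. The same property is the approach's weakness: the model knows only its training window, so a legitimate apostrophe in a name during learning would teach it that quotes are normal for that field, and a new parameter added by a deployment is an "attack" until the model is retrained. That is why products of this kind need a learning period, a way to re-learn after releases, and signature rules running alongside.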

JANUSEC

Homepage: https://www.janusec.com/

JANUSEC is an open-source web application security gateway whose advantage is a rich feature set: load balancing, WAF, identity authentication, certificate management and bastion-host functions. Its disadvantage is that the WAF itself is relatively weak and catches only simple attacks, so it suits webmasters with modest security requirements.


  • Protection effect: the WAF function is relatively weak, consisting of a few simple regular-expression rules

  • Technical advancement: based mainly on regular expressions with no other detection engine, so it cannot stand up to high-intensity attacks

  • Project quality: rich features, open-source project, abundant documentation

  • Community recognition: 1,000 stars

  • Community activity: continuously updated, with 4 releases in the past year

HTTPWAF

Homepage: https://github.com/httpwaf/httpwaf2.0

HTTPWAF describes itself as a permanently free web application firewall with a genuine web management backend. It can be deployed directly on the web server or as a separate reverse proxy protecting backend servers. It has a very rich feature set for a free WAF and acceptable basic detection, but lacks the ability to counter high-intensity attacks. Although free, its source code, documentation and installation packages are not published; you have to add the author on WeChat to obtain them. Putting a closed binary obtained that way into the request path is something to weigh carefully before deploying.


  • Protection effect: basic protection is acceptable, but it lacks detection rules for uncommon vulnerability classes

  • Technical advancement: too little information to make a judgement

  • Project quality: rich features and decent interaction, but the code and documentation are not open

  • Community recognition: 65 stars

  • Community activity: little community content

JinYiDun

Homepage: https://www.jxwaf.com/

JinYiDun (JXWAF) is a next-generation web application firewall built on OpenResty. Its business-logic protection engine and machine-learning engine are intended to address business-security risks that traditional WAFs cannot protect against.


  • Protection effect: basic protection is weak, detection of uncommon vulnerability classes is poor, and false positives are fairly serious

  • Technical advancement: simple rules, unable to stand up to high-intensity attacks

  • Project quality: few features and clumsy interaction; open-source project, but the code quality is not high; the documentation is basically complete

  • Community recognition: 965 stars

  • Community activity: continuously updated, with 1 release in the past year

Last modified by admin