
blazehttp's Introduction

BlazeHTTP

BlazeHTTP is an easy-to-use tool for measuring how well a WAF protects.

  • 📦 Rich sample set: 33669 samples at present, continuously updated...
  • 🚀 No configuration needed: both a graphical interface and a command-line version are provided; download a prebuilt binary from Releases, or clone the code and build it yourself
  • 📖 Report export: export the execution result of every sample, including the sample's attributes, execution time, status code and whether it was blocked

Test metrics

| Metric | Description | How it is counted |
|---|---|---|
| Detection rate | Reflects how comprehensive the WAF's detection is; an attack sample that is not detected is a "false negative" (a miss). | Number of attack samples blocked |
| False-positive rate | Reflects how much the WAF interferes with normal traffic; a normal sample that is blocked is a "false positive". | Number of normal samples blocked |
| Accuracy | A combined measure of detection rate and false-positive rate, so that reducing misses is not traded for more false positives, or vice versa. | |
| Detection time | Reflects WAF performance; the longer it takes, the worse the performance. | |

Sample examples

# Normal (white) sample: testcases/00/02/5ebf56a710da27b73a9ad59219f0.white
GET /[email protected]/lib/hooks/useHeights.js HTTP/1.1
Host: npm.staticblitz.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Accept: */*
Origin: https://stackblitz.com
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://stackblitz.com/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7

# Malicious (black) sample: testcases/8a/36/0bbc7685860c526e33f3cbd83f9c.black
GET /vulnerabilities/sqli_blind/?id=1%27+or+%27%27%3D%27&Submit=Submit HTTP/1.1
Host: 10.10.3.128
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.10.3.128/vulnerabilities/sqli_blind/?id=1%27+and+%27%27%3D%27&Submit=Submit
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
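The sample format shown above together with the metric definitions from the test-metrics section, as an added Go example that is not blazehttp's own code: it runs a stored request through net/http's parser, replays it against a target, decides "blocked" by response status (an assumption, 403 here, since the page does not state blazehttp's own rule) and computes the detection rate, false-positive rate and accuracy. ToyWAF, Samples and the shortened copies of the two requests above are constructed for this example; the Tally field names are likewise mine.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Sample is one raw-HTTP test case; the testcases/ extension (.white/.black) gives the label.
type Sample struct {
	Malicious bool
	Raw       string // request text exactly as stored in the file
}

// Tally holds the counts behind the README's metrics (misses = MaliciousTotal-CorrectlyBlocked).
type Tally struct {
	Success, Errors, MaliciousTotal, CorrectlyBlocked, NormalTotal, FalsePositives int
}

// ParseSample runs the stored request through net/http's parser and re-targets it at the WAF under test.
func ParseSample(s Sample, target *url.URL) (*http.Request, error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(s.Raw)))
	if err != nil {
		return nil, err
	}
	req.RequestURI = "" // server-side field; http.Client rejects it when set
	req.URL.Scheme, req.URL.Host = target.Scheme, target.Host
	return req, nil // the sample's own Host header is kept as-is
}

// Run replays every sample and counts it as blocked when the WAF answers with
// blockedStatus. ASSUMPTION: a status-code rule (403 is common); the page does
// not say how blazehttp itself decides "blocked".
func Run(samples []Sample, target *url.URL, blockedStatus int, client *http.Client) (t Tally) {
	for _, s := range samples {
		req, err := ParseSample(s, target)
		var resp *http.Response
		if err == nil {
			resp, err = client.Do(req)
		}
		if err != nil {
			t.Errors++ // parse/transport failures are reported, never counted as passes
			continue
		}
		resp.Body.Close()
		t.Success++
		switch blocked := resp.StatusCode == blockedStatus; {
		case s.Malicious && blocked:
			t.MaliciousTotal, t.CorrectlyBlocked = t.MaliciousTotal+1, t.CorrectlyBlocked+1
		case s.Malicious:
			t.MaliciousTotal++
		case blocked:
			t.NormalTotal, t.FalsePositives = t.NormalTotal+1, t.FalsePositives+1
		default:
			t.NormalTotal++
		}
	}
	return t
}

func ratio(num, den int) float64 {
	if den == 0 {
		return 0
	}
	return float64(num) / float64(den)
}

// The three rates as the metrics table defines them. Accuracy divides by the
// samples that completed, not the grand total: that is what reproduces the
// 98.40% given for CloudFlare, whose 319 errored samples drop out (32818/33350).
func (t Tally) DetectionRate() float64     { return ratio(t.CorrectlyBlocked, t.MaliciousTotal) }
func (t Tally) FalsePositiveRate() float64 { return ratio(t.FalsePositives, t.NormalTotal) }
func (t Tally) Accuracy() float64          { return ratio(t.CorrectlyBlocked+t.NormalTotal-t.FalsePositives, t.Success) }

// ToyWAF is a constructed stand-in for a WAF: 403 if the decoded query holds a single quote, else 200.
func ToyWAF(w http.ResponseWriter, r *http.Request) {
	if q, _ := url.QueryUnescape(r.URL.RawQuery); strings.Contains(q, "'") {
		w.WriteHeader(http.StatusForbidden)
	}
}

// Samples mirrors the two requests shown in the README (shortened and constructed here).
var Samples = []Sample{
	{Raw: "GET /lib/hooks/useHeights.js HTTP/1.1\r\nHost: npm.staticblitz.com\r\nAccept: */*\r\n\r\n"},
	{Malicious: true, Raw: "GET /vulnerabilities/sqli_blind/?id=1%27+or+%27%27%3D%27&Submit=Submit HTTP/1.1\r\nHost: 10.10.3.128\r\nConnection: close\r\n\r\n"},
}

func main() {
	srv := httptest.NewServer(http.HandlerFunc(ToyWAF))
	defer srv.Close()
	target, _ := url.Parse(srv.URL)
	t := Run(Samples, target, http.StatusForbidden, srv.Client())
	fmt.Printf("detection %.2f%%, false positives %.2f%%, accuracy %.2f%%, errors %d\n",
		100*t.DetectionRate(), 100*t.FalsePositiveRate(), 100*t.Accuracy(), t.Errors)
}
```

Run it against a real WAF by replacing the httptest server with the WAF's URL; samples that fail to parse or to reach the target land in Errors rather than being counted as passed, which is the same separation the results table below makes between "succeeded" and "errors".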

Test results

| Metric | CloudFlare, free tier | ModSecurity, paranoia level 1 | ModSecurity, paranoia level 4 | SafeLine, free tier, balanced mode | SafeLine, free tier, strict mode |
|---|---|---|---|---|---|
| Total samples | 33669 | 33669 | 33669 | 33669 | 33669 |
| Succeeded | 33350 | 33669 | 33669 | 33669 | 33669 |
| Errors | 319 | 0 | 0 | 0 | 0 |
| Detection rate (higher is better) | 10.70% (malicious samples: 570, correctly blocked: 61, missed: 509) | 69.74% (malicious samples: 575, correctly blocked: 401, missed: 174) | 🏆 94.61% (malicious samples: 575, correctly blocked: 544, missed: 31) | 71.65% (malicious samples: 575, correctly blocked: 412, missed: 163) | 76.17% (malicious samples: 575, correctly blocked: 438, missed: 137) |
| False-positive rate (lower is better) | 0.07% (normal samples: 32780, correctly passed: 32757, false positives: 23) | 17.58% (normal samples: 33094, correctly passed: 27275, false positives: 5819) | 52.46% (normal samples: 33094, correctly passed: 15732, false positives: 17362) | 🏆 0.07% (normal samples: 33094, correctly passed: 33071, false positives: 23) | 0.22% (normal samples: 33094, correctly passed: 33021, false positives: 73) |
| Accuracy (higher is better), (correctly blocked + correctly passed) / total samples | 98.40% | 82.20% | 48.34% | 🏆 99.45% | 99.38% |
| Average time | 288.96 ms | 31.15 ms | 28.89 ms | 70.05 ms | 64.34 ms |

Installation and usage

Running in a Docker container

# Pull the image
docker pull chaitin/blazehttp:latest
# Start the test; http://127.0.0.1:9444 is the WAF's address (change it to match your setup)
docker run --rm --net=host chaitin/blazehttp:latest /app/blazehttp -t http://127.0.0.1:9444

Prebuilt artifacts from GitHub CI are uploaded to Releases; download the latest version and use it directly.

Running from the command line

(screenshot: blazehttp_cmd)

Running the GUI (macOS & Windows)

If double-clicking on macOS reports that the app is untrusted, or moves it to the trash, run the following command and then start it again:

sudo xattr -d com.apple.quarantine blazehttp_1.0.0_darwin_arm64.app

(screenshot: gui)

Building locally

The project depends only on Go, so you first need Go on your machine; it can be downloaded here.

Command-line version

# Clone the code
git clone https://github.com/chaitin/blazehttp.git && cd blazehttp
# Build locally
bash build.sh # afterwards the blazehttp binary is in the build directory
# Run
./blazehttp -t https://example.org

GUI version

The GUI is implemented with fyne.

# Clone the code
git clone https://github.com/chaitin/blazehttp.git && cd blazehttp
# Run locally
go run gui/main.go

(screenshot: GUI window)

To package locally, see fyne's packaging documentation; for cross-platform packaging, see fyne-cross.

Contributing

Contributions are very welcome: new samples, new features, bug fixes, performance improvements and anything else 👏

Star

If you find it useful, please give it a Star ✨

blazehttp's People

Contributors

kingfs, phxa1, xiaomakuaiz


blazehttp's Issues

[Feature Request] More test cases

Describe the feature request

More test cases please sir

Describe alternatives you've considered

No response

Affected area

  • Docs
  • Installation
  • Performance and Scalability
  • Security
  • User Experience
  • Test and Release
  • Developer Infrastructure
  • Others

Provide descriptions for the malicious samples

Describe the feature request

The existing malicious samples come with no attack description, so it is not very intuitive which attack-detection capabilities they cover; it would be helpful to provide attack descriptions for the malicious samples.

Describe alternatives you've considered

No response

Affected area

  • Docs
  • Installation
  • Performance and Scalability
  • Security
  • User Experience
  • Test and Release
  • Developer Infrastructure
  • Others

[Feature Request] Can targets be tested in batch?

Describe the feature request

According to the help, the -t parameter only tests a single target, but in practice many targets may need to be tested.

Describe alternatives you've considered

No response

Affected area

  • Docs
  • Installation
  • Performance and Scalability
  • Security
  • User Experience
  • Test and Release
  • Developer Infrastructure
  • Others

Testing speed is rather slow

Describe the feature request

(screenshot attached to the original issue; not reproduced here)

Describe alternatives you've considered

No response

Affected area

  • Docs
  • Installation
  • Performance and Scalability
  • Security
  • User Experience
  • Test and Release
  • Developer Infrastructure
  • Others

[Feature Request] No way to see which malicious request payloads were not blocked

Describe the feature request

Could the malicious requests that were not blocked be shown directly in the results? Otherwise, when investigating, one sometimes does not know what kind of malicious requests got through.

Describe alternatives you've considered

No response

Affected area

  • Docs
  • Installation
  • Performance and Scalability
  • Security
  • User Experience
  • Test and Release
  • Developer Infrastructure
  • Others

[more demo code for how to use it]

Describe the feature request

Hi, could you add some demo code how to import and use it as library?

Describe alternatives you've considered

No response

Affected area

  • Docs
  • Installation
  • Performance and Scalability
  • Security
  • User Experience
  • Test and Release
  • Developer Infrastructure
  • Others
