Implementarea Web Application Firewall: Ghid de Configurare Securitate WAF
Web Application Firewall-urile ofera protectie critica impotriva atacurilor web. Acest ghid acopera implementarea si configurarea solutiilor WAF pentru securitate completa a aplicatiilor.
Prezentare Generala a Arhitecturii WAF
Motor de Reguli WAF Personalizat
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set
from enum import Enum
import re
import json
class RuleAction(Enum):
ALLOW = "allow"
BLOCK = "block"
LOG = "log"
CHALLENGE = "challenge"
RATE_LIMIT = "rate_limit"
class ThreatCategory(Enum):
SQL_INJECTION = "sql_injection"
XSS = "cross_site_scripting"
PATH_TRAVERSAL = "path_traversal"
COMMAND_INJECTION = "command_injection"
FILE_INCLUSION = "file_inclusion"
PROTOCOL_ATTACK = "protocol_attack"
BOT = "bot"
SCANNER = "scanner"
RATE_ABUSE = "rate_abuse"
@dataclass
class WAFRule:
id: str
name: str
description: str
phase: str
action: RuleAction
severity: str # critical, high, medium, low
category: ThreatCategory
conditions: List[Dict]
transformations: List[str] = field(default_factory=list)
enabled: bool = True
paranoia_level: int = 1 # 1-4, mai mare = mai strict
class WAFEngine:
def __init__(self, config: Dict = None):
self.config = config or {}
self.rules: Dict[str, WAFRule] = {}
self.ip_reputation: Dict[str, int] = {}
self.paranoia_level = config.get('paranoia_level', 1)
self._load_core_rules()
def _add_sqli_rules(self):
"""Adauga reguli de detectie SQL injection."""
sqli_patterns = [
r"(?i)(\b(union|select|insert|update|delete|drop|create|alter|exec|execute)\b.*\b(from|into|table|database|schema)\b)",
r"(?i)(--|\#|\/\*|\*\/)",
r"(?i)(\bor\b|\band\b)\s*[\d\w'\"]+\s*[=<>]",
r"(?i)(\bwaitfor\b\s+\bdelay\b|\bbenchmark\b\s*\()",
r"(?i)(\bsleep\b\s*\(\d+\))",
r"(?:'|\")?\s*;\s*(drop|truncate|delete|update|insert)",
]
for i, pattern in enumerate(sqli_patterns):
self.rules[f"sqli_{i:03d}"] = WAFRule(
id=f"sqli_{i:03d}",
name=f"SQL Injection Pattern {i+1}",
description=f"Detecteaza pattern SQL injection",
phase="request_body",
action=RuleAction.BLOCK,
severity="critical",
category=ThreatCategory.SQL_INJECTION,
conditions=[{
"type": "regex",
"target": ["args", "body", "cookies"],
"pattern": pattern
}],
transformations=["lowercase", "url_decode", "html_entity_decode"]
)
def _add_xss_rules(self):
"""Adauga reguli de detectie XSS."""
xss_patterns = [
r"(?i)<script[^>]*>[\s\S]*?</script>",
r"(?i)javascript\s*:",
r"(?i)on\w+\s*=",
r"(?i)<\s*img[^>]+\s*onerror\s*=",
r"(?i)<\s*iframe[^>]*>",
r"(?i)document\.(cookie|domain|write)",
]
for i, pattern in enumerate(xss_patterns):
self.rules[f"xss_{i:03d}"] = WAFRule(
id=f"xss_{i:03d}",
name=f"XSS Pattern {i+1}",
description=f"Detecteaza pattern XSS",
phase="request_body",
action=RuleAction.BLOCK,
severity="high",
category=ThreatCategory.XSS,
conditions=[{
"type": "regex",
"target": ["args", "body", "headers"],
"pattern": pattern
}],
transformations=["url_decode", "html_entity_decode"]
)
def evaluate(self, request) -> Dict:
"""Evalueaza o cerere impotriva tuturor regulilor."""
matched_rules = []
threat_score = 0
# Verifica reputatia IP intai
ip_score = self.ip_reputation.get(request.client_ip, 0)
if ip_score > 80:
return {
"action": RuleAction.BLOCK,
"matched_rules": ["ip_reputation"],
"threat_score": ip_score,
"details": {"reason": "IP reputation block"}
}
# Evalueaza regulile
for rule_id, rule in self.rules.items():
if not rule.enabled or rule.paranoia_level > self.paranoia_level:
continue
if self._rule_matches(rule, request):
matched_rules.append(rule_id)
threat_score += self._get_severity_score(rule.severity)
# Determina actiunea finala pe baza scorului de amenintare
action = self._determine_action(threat_score, matched_rules)
return {
"action": action,
"matched_rules": matched_rules,
"threat_score": threat_score
}Protectie Impotriva Botilor
class BotDetector:
def __init__(self):
self.known_bots = self._load_known_bots()
def _load_known_bots(self) -> Dict:
"""Incarca semnaturi de boti buni si rai cunoscuti."""
return {
"good_bots": {
"googlebot": r"(?i)googlebot",
"bingbot": r"(?i)bingbot",
},
"bad_bots": {
"generic_bot": r"(?i)\bbot\b",
"crawler": r"(?i)crawler|spider|scraper",
"headless": r"(?i)headless|phantom|puppeteer|selenium"
}
}
def analyze(self, request) -> Dict:
"""Analizeaza cererea pentru caracteristici de bot."""
analysis = {
"is_bot": False,
"bot_type": None,
"confidence": 0,
"signals": []
}
# Verifica User-Agent
ua_analysis = self._analyze_user_agent(request.user_agent)
analysis["signals"].append(ua_analysis)
# Verifica pattern-uri cerere
pattern_analysis = self._analyze_patterns(request)
analysis["signals"].append(pattern_analysis)
# Verifica semnale de automatizare
automation_analysis = self._check_automation_signals(request)
analysis["signals"].append(automation_analysis)
# Agregeaza semnale
bot_score = sum(s["score"] for s in analysis["signals"])
analysis["confidence"] = min(100, bot_score)
analysis["is_bot"] = bot_score >= 50
return analysis
def _analyze_user_agent(self, user_agent: str) -> Dict:
"""Analizeaza string-ul User-Agent."""
result = {"type": "user_agent", "score": 0, "details": []}
# Verifica boti buni cunoscuti
for name, pattern in self.known_bots["good_bots"].items():
if re.search(pattern, user_agent):
result["details"].append(f"Bot bun cunoscut: {name}")
result["score"] = -20
return result
# Verifica boti rai cunoscuti
for name, pattern in self.known_bots["bad_bots"].items():
if re.search(pattern, user_agent):
result["details"].append(f"Semnatura bot rau: {name}")
result["score"] = 40
# Verifica UA lipsa sau suspect
if not user_agent or len(user_agent) < 10:
result["details"].append("User-Agent lipsa sau scurt")
result["score"] += 30
return resultIntegrare CI/CD
# .github/workflows/waf-rules.yml
name: WAF Rules Deployment
on:
push:
paths:
- 'waf-rules/**'
jobs:
validate-rules:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Valideaza Sintaxa Regulilor
run: python scripts/validate_waf_rules.py waf-rules/
- name: Testeaza Regulile cu Trafic de Exemplu
run: |
python scripts/test_waf_rules.py \
--rules waf-rules/ \
--traffic test-traffic/samples.json
- name: Verifica False Positives
run: |
python scripts/check_false_positives.py \
--results results/test-report.json \
--threshold 0.01
deploy-production:
needs: validate-rules
runs-on: ubuntu-latest
environment: production
steps:
- name: Deploy in Productie WAF
run: |
waf-cli deploy \
--environment production \
--rules waf-rules/ \
--canary 10 \
--canary-duration 30mBune Practici
Configurare WAF
- Incepe in modul detectie: Doar logare inainte de blocare
- Ajusteaza pentru aplicatia ta: Ajusteaza regulile pentru a reduce false positive-urile
- Stratifica apararea: Combina WAF cu alte controale de securitate
- Actualizari regulate: Mentine regulile la zi cu peisajul amenintarilor
Monitorizare si Raspuns
- Monitoreaza ratele de blocare si tendintele false positive
- Configureaza alerte pentru spike-uri de atacuri
- Revizuieste log-urile regulat pentru oportunitati de ajustare
- Implementeaza proceduri de raspuns la incidente
Implementarea WAF ofera protectie esentiala impotriva atacurilor aplicatiilor web cand este configurata si intretinuta corespunzator.
Sistemul tau AI e conform cu EU AI Act? Evaluare gratuita de risc - afla in 2 minute →