## https://sploitus.com/exploit?id=8B82F465-11C2-53FE-83BF-B7F8BFF25851
# π Project 2 β WAF Rule Development & Evasion Testing
**Project:** Web Application Security β Project 2
**Summary:** This repository demonstrates building and testing ModSecurity WAF rules on Apache to detect and block SQL injection (SQLi) and related evasion attempts against a deliberately vulnerable PHP application.
> β οΈ **Important:** All testing and tools in this repository are intended for **lab use only**. Do **NOT** run attacks or scans against systems you do not own or do not have explicit permission to test.
---
Repository structure
```
.
βββ modsecurity-custom.conf # Custom ModSecurity rules (example)
βββ login.php # Vulnerable PHP test application
βββ Project_2_WAF_Report.docx # Detailed project report (screenshots & results)
βββ README.md # This file
```
---
Contents & Goals
This project demonstrates:
- Installing and configuring **ModSecurity** with Apache.
- Creating targeted ModSecurity rules (example: detecting `UNION SELECT` SQLi).
- Performing **baseline** and **evasion** testing (obfuscation, URL-encoding, comments).
- Enabling and analysing ModSecurity audit logs.
- Iterating and hardening rules to reduce false positives and defeat evasion.
---
Prerequisites
Test environment options (choose one):
- **Linux VM** (Ubuntu / Kali) β recommended (isolated lab)
- **Kali Linux** β useful because it includes many testing tools
- **WSL2** with Ubuntu β possible but networking differences may apply
Minimum software:
- Apache HTTP Server (`apache2`)
- ModSecurity (`libapache2-mod-security2`)
- PHP (`php`, `libapache2-mod-php`)
- curl (for test requests)
- Optional: Burp Suite / OWASP ZAP, sqlmap (for evasion testing)
---
Quick install (Ubuntu / Kali)
Run these commands in the terminal:
```bash
# update system
sudo apt update && sudo apt upgrade -y
# install required packages
sudo apt install -y apache2 libapache2-mod-security2 php libapache2-mod-php \
curl nano vim unzip git build-essential net-tools
```
Enable ModSecurity and restart Apache:
```bash
sudo a2enmod security2
sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
sudo sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/modsecurity/modsecurity.conf
sudo systemctl restart apache2
```
---
## Deploy the vulnerable app
Place the test application in Apache web root:
```bash
# from repository root (where login.php exists)
sudo cp login.php /var/www/html/
sudo chown www-data:www-data /var/www/html/login.php
```
Open a browser and visit:
- `http://localhost/login.php` (if working locally)
- `http:///login.php` (if using a VM with bridged networking)
---
## Add the custom WAF rule
Copy the included rule file to Apache config and enable it:
```bash
sudo cp modsecurity-custom.conf /etc/apache2/conf-available/
sudo a2enconf modsecurity-custom
sudo systemctl reload apache2
```
**Example rule (contained in `modsecurity-custom.conf`):**
```apache
SecRule ARGS_POST "@rx (?i)union\s+select" \
"id:10001,phase:2,block,msg:'SQL Injection Attempt Detected (UNION SELECT)'"
```
> This is intentionally simple for demonstration. See βHardeningβ below for improved rules.
---
## Baseline testing
1. Visit the login page and submit a **benign** username (e.g., `admin`) β expected: HTTP 200, app echoes input.
2. Submit a **basic SQLi** payload in the username field:
```
test' UNION SELECT 1,2,3--
```
Expected: **403 Forbidden** (blocked by the rule) and an entry in ModSecurity logs.
You can also POST with `curl`:
```bash
curl -i -X POST -d "username=test' UNION SELECT 1,2,3--&password=pass" http://localhost/login.php
```
---
## Evasion testing (examples)
Try these variants (lab only) to test evasion:
- Mixed case: `test' UnIoN SeLeCt 1,2,3--`
- Comment obfuscation: `test' UNI/**/ON SELECT 1,2,3--`
- URL encoding: `test'%20UNION%20SELECT%201,2,3--`
- Double-encoding/null byte: `union%2500select`
Use curl loop to automate tests (example):
```bash
payloads=(
"test' UNION SELECT 1,2,3--"
"test' UNI/**/ON SELECT 1,2,3--"
"test' UnIoN SeLeCt 1,2,3--"
)
for p in "${payloads[@]}"; do
code=$(curl -s -o /dev/null -w "%{http_code}" -X POST -d "username=${p}&password=pass" http://localhost/login.php)
echo "\"${p}\", $code"
done
```
Record results to `evasion_results.csv` for reporting.
---
## Logging & analysis
Enable audit logging in `/etc/modsecurity/modsecurity.conf`:
```conf
SecAuditEngine On
SecAuditLogParts ABDEFHIJZ
SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log
```
Make sure the file exists and permissions allow root/adm to write:
```bash
sudo touch /var/log/apache2/modsec_audit.log
sudo chown root:adm /var/log/apache2/modsec_audit.log
sudo chmod 640 /var/log/apache2/modsec_audit.log
```
Tail the logs while testing:
```bash
sudo tail -f /var/log/apache2/error.log /var/log/apache2/modsec_audit.log
```
Audit entries include the raw request, matched variables, rule IDs, and transformation info.
---
## Hardening rules (recommended)
Use transformations and chaining to defeat evasion and reduce false positives:
```apache
SecRule ARGS_POST "@rx union\s+select" \
"id:10011,phase:2,deny,log,auditlog,msg:'SQLi Attempt (UNION SELECT)',t:urlDecodeUni,t:lowercase,t:compressWhitespace,t:htmlEntityDecode"
```
Chaining example:
```apache
SecRule ARGS "@rx (?i)union" "id:10100,phase:2,pass,log,chain"
SecRule ARGS "@rx (?i)select" "t:lowercase,deny,msg:'Chained SQLi detection'"
```
Also consider enabling the **OWASP CRS** (Core Rule Set) in detection-only mode first, tune, then enable blocking.
---
## Troubleshooting
- **No DNS / `apt` fails:** check network, `ping 8.8.8.8`. If DNS broken, add `nameserver 8.8.8.8` to `/etc/resolv.conf` or configure `systemd-resolved`.
- **ModSecurity not loaded:** `sudo apache2ctl -M | grep security2` β if not present, run `sudo a2enmod security2` and restart.
- **Audit log missing:** confirm `/etc/modsecurity/modsecurity.conf` contains `SecAuditLog /var/log/apache2/modsec_audit.log` and that the log file exists.
- **Rule not firing:** confirm your custom conf is enabled (`ls /etc/apache2/conf-enabled/`), and check `sudo apache2ctl configtest` and `/var/log/apache2/error.log`.
---
## Deliverables (what to include in the repo)
- `modsecurity-custom.conf` β final/hardened rules with comments and rule ids
- `login.php` β vulnerable app used for testing
- `Project_2_WAF_Report.docx` β full report (screenshots, logs, EV results)
- `evasion_results.csv` β test payloads and outcomes (recommended)
- `README.md` β this file
---
## Contributing & Notes
- This repository is a training/lab resource. If you improve rules or add automated tests, please open a PR with details and evidence (logs, test results).
- Always test rules in an isolated environment before deploying to production.
---
## License
Use and distribute for educational purposes. You can add your preferred license (e.g., MIT) here.
---
## References
- ModSecurity project β https://www.modsecurity.org/
- OWASP CRS β https://coreruleset.org/
- Kali Linux / Debian package repositories