Share
## https://sploitus.com/exploit?id=8B82F465-11C2-53FE-83BF-B7F8BFF25851
# πŸ”’ Project 2 β€” WAF Rule Development & Evasion Testing

**Project:** Web Application Security β€” Project 2  
**Summary:** This repository demonstrates building and testing ModSecurity WAF rules on Apache to detect and block SQL injection (SQLi) and related evasion attempts against a deliberately vulnerable PHP application.

> ⚠️ **Important:** All testing and tools in this repository are intended for **lab use only**. Do **NOT** run attacks or scans against systems you do not own or do not have explicit permission to test.

---

 Repository structure

```
.
β”œβ”€β”€ modsecurity-custom.conf      # Custom ModSecurity rules (example)
β”œβ”€β”€ login.php                    # Vulnerable PHP test application
β”œβ”€β”€ Project_2_WAF_Report.docx    # Detailed project report (screenshots & results)
└── README.md                    # This file
```

---

 Contents & Goals

This project demonstrates:

- Installing and configuring **ModSecurity** with Apache.
- Creating targeted ModSecurity rules (example: detecting `UNION SELECT` SQLi).
- Performing **baseline** and **evasion** testing (obfuscation, URL-encoding, comments).
- Enabling and analysing ModSecurity audit logs.
- Iterating and hardening rules to reduce false positives and defeat evasion.

---

 Prerequisites

Test environment options (choose one):

- **Linux VM** (Ubuntu / Kali) β€” recommended (isolated lab)
- **Kali Linux** β€” useful because it includes many testing tools
- **WSL2** with Ubuntu β€” possible but networking differences may apply

Minimum software:

- Apache HTTP Server (`apache2`)
- ModSecurity (`libapache2-mod-security2`)
- PHP (`php`, `libapache2-mod-php`)
- curl (for test requests)
- Optional: Burp Suite / OWASP ZAP, sqlmap (for evasion testing)

---


 Quick install (Ubuntu / Kali)

Run these commands in the terminal:

```bash
# update system
sudo apt update && sudo apt upgrade -y

# install required packages
sudo apt install -y apache2 libapache2-mod-security2 php libapache2-mod-php \
    curl nano vim unzip git build-essential net-tools
```

Enable ModSecurity and restart Apache:

```bash
sudo a2enmod security2
sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
sudo sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/modsecurity/modsecurity.conf
sudo systemctl restart apache2
```

---

## Deploy the vulnerable app

Place the test application in Apache web root:

```bash
# from repository root (where login.php exists)
sudo cp login.php /var/www/html/
sudo chown www-data:www-data /var/www/html/login.php
```

Open a browser and visit:

- `http://localhost/login.php` (if working locally)
- `http:///login.php` (if using a VM with bridged networking)

---

## Add the custom WAF rule

Copy the included rule file to Apache config and enable it:

```bash
sudo cp modsecurity-custom.conf /etc/apache2/conf-available/
sudo a2enconf modsecurity-custom
sudo systemctl reload apache2
```

**Example rule (contained in `modsecurity-custom.conf`):**
```apache

  SecRule ARGS_POST "@rx (?i)union\s+select" \
    "id:10001,phase:2,block,msg:'SQL Injection Attempt Detected (UNION SELECT)'"

```

> This is intentionally simple for demonstration. See β€œHardening” below for improved rules.

---

## Baseline testing

1. Visit the login page and submit a **benign** username (e.g., `admin`) β€” expected: HTTP 200, app echoes input.  
2. Submit a **basic SQLi** payload in the username field:
   ```
   test' UNION SELECT 1,2,3--
   ```
   Expected: **403 Forbidden** (blocked by the rule) and an entry in ModSecurity logs.

You can also POST with `curl`:

```bash
curl -i -X POST -d "username=test' UNION SELECT 1,2,3--&password=pass" http://localhost/login.php
```

---

## Evasion testing (examples)

Try these variants (lab only) to test evasion:

- Mixed case: `test' UnIoN SeLeCt 1,2,3--`
- Comment obfuscation: `test' UNI/**/ON SELECT 1,2,3--`
- URL encoding: `test'%20UNION%20SELECT%201,2,3--`
- Double-encoding/null byte: `union%2500select`

Use curl loop to automate tests (example):

```bash
payloads=(
"test' UNION SELECT 1,2,3--"
"test' UNI/**/ON SELECT 1,2,3--"
"test' UnIoN SeLeCt 1,2,3--"
)

for p in "${payloads[@]}"; do
  code=$(curl -s -o /dev/null -w "%{http_code}" -X POST -d "username=${p}&password=pass" http://localhost/login.php)
  echo "\"${p}\", $code"
done
```

Record results to `evasion_results.csv` for reporting.

---

## Logging & analysis

Enable audit logging in `/etc/modsecurity/modsecurity.conf`:

```conf
SecAuditEngine On
SecAuditLogParts ABDEFHIJZ
SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log
```

Make sure the file exists and permissions allow root/adm to write:

```bash
sudo touch /var/log/apache2/modsec_audit.log
sudo chown root:adm /var/log/apache2/modsec_audit.log
sudo chmod 640 /var/log/apache2/modsec_audit.log
```

Tail the logs while testing:

```bash
sudo tail -f /var/log/apache2/error.log /var/log/apache2/modsec_audit.log
```

Audit entries include the raw request, matched variables, rule IDs, and transformation info.

---

## Hardening rules (recommended)

Use transformations and chaining to defeat evasion and reduce false positives:

```apache
SecRule ARGS_POST "@rx union\s+select" \
  "id:10011,phase:2,deny,log,auditlog,msg:'SQLi Attempt (UNION SELECT)',t:urlDecodeUni,t:lowercase,t:compressWhitespace,t:htmlEntityDecode"
```

Chaining example:

```apache
SecRule ARGS "@rx (?i)union" "id:10100,phase:2,pass,log,chain"
SecRule ARGS "@rx (?i)select" "t:lowercase,deny,msg:'Chained SQLi detection'"
```

Also consider enabling the **OWASP CRS** (Core Rule Set) in detection-only mode first, tune, then enable blocking.

---

## Troubleshooting

- **No DNS / `apt` fails:** check network, `ping 8.8.8.8`. If DNS broken, add `nameserver 8.8.8.8` to `/etc/resolv.conf` or configure `systemd-resolved`.
- **ModSecurity not loaded:** `sudo apache2ctl -M | grep security2` β€” if not present, run `sudo a2enmod security2` and restart.
- **Audit log missing:** confirm `/etc/modsecurity/modsecurity.conf` contains `SecAuditLog /var/log/apache2/modsec_audit.log` and that the log file exists.
- **Rule not firing:** confirm your custom conf is enabled (`ls /etc/apache2/conf-enabled/`), and check `sudo apache2ctl configtest` and `/var/log/apache2/error.log`.

---

## Deliverables (what to include in the repo)

- `modsecurity-custom.conf` β€” final/hardened rules with comments and rule ids
- `login.php` β€” vulnerable app used for testing
- `Project_2_WAF_Report.docx` β€” full report (screenshots, logs, EV results)
- `evasion_results.csv` β€” test payloads and outcomes (recommended)
- `README.md` β€” this file

---

## Contributing & Notes

- This repository is a training/lab resource. If you improve rules or add automated tests, please open a PR with details and evidence (logs, test results).
- Always test rules in an isolated environment before deploying to production.

---

## License

Use and distribute for educational purposes. You can add your preferred license (e.g., MIT) here.

---

## References

- ModSecurity project β€” https://www.modsecurity.org/  
- OWASP CRS β€” https://coreruleset.org/  
- Kali Linux / Debian package repositories