## https://sploitus.com/exploit?id=F55BD786-99F0-52B3-9E66-7C016A9BF095
# BASTION โ Web Application Firewall Simulator
> A real-time Web Application Firewall (WAF) simulator that detects and blocks OWASP Top 10 attack patterns โ SQL injection, XSS, path traversal, command injection, XXE, SSRF, LDAP injection, and more.
---
## ๐ The Problem
Web applications are the most targeted attack surface in modern cybersecurity. The OWASP Top 10 represents the most critical security risks โ and most breaches still exploit these same well-known vulnerabilities. BASTION demonstrates how a WAF detects and blocks these attacks in real time, and teaches developers what to do about them.
---
## ๐ก What It Does
BASTION is a Flask web application that simulates a Web Application Firewall. Submit any HTTP request (GET, POST, PUT, DELETE) with any payload, and BASTION's rule engine runs it through 8 WAF rule sets covering the OWASP Top 10. Results show the attack type, OWASP classification, severity, and concrete mitigation steps.
### Detection Coverage
| Rule ID | Attack Type | OWASP Category | Severity |
|---------|------------|----------------|---------|
| SQLI-001 | SQL Injection | A03:2021 โ Injection | CRITICAL |
| XSS-001 | Cross-Site Scripting | A03:2021 โ Injection | HIGH |
| PT-001 | Path Traversal | A01:2021 โ Broken Access Control | HIGH |
| CMDI-001 | Command Injection | A03:2021 โ Injection | CRITICAL |
| XXE-001 | XML External Entity | A05:2021 โ Security Misconfiguration | HIGH |
| SSRF-001 | Server-Side Request Forgery | A10:2021 โ SSRF | HIGH |
| LDAP-001 | LDAP Injection | A03:2021 โ Injection | HIGH |
| OPEN-REDIRECT-001 | Open Redirect | A01:2021 โ Broken Access Control | MEDIUM |
---
## ๐งช Real Test Results
**SQL Injection โ `' OR 1=1--` on `POST /login`**
- Detected: SQL Injection โ CRITICAL
- OWASP: A03:2021 โ Injection
- Action: REQUEST BLOCKED
- Mitigation: Use parameterised queries / prepared statements
**Normal Login โ `username=alice&password=SecurePass123`**
- Detected: No threats
- Action: REQUEST ALLOWED โ
**Block Rate across 11 test requests: 82% (9 blocked, 2 allowed)**
---
## ๐ ๏ธ Tech Stack
| Layer | Technology |
|-------|-----------|
| Backend | Python 3, Flask |
| WAF Engine | Custom regex rule engine (8 rule sets, 40+ patterns) |
| Attack DB | OWASP Top 10 aligned rule library |
| Frontend | HTML5, CSS3, Vanilla JavaScript |
| Fonts | Google Fonts (Orbitron, Share Tech Mono) |
---
## ๐ How to Run
**Requirements:** Python 3.8+
```bash
# 1. Install Flask
pip3 install flask
# 2. Navigate to project folder
cd bastion-waf-simulator
# 3. Launch BASTION
python3 app.py
# 4. Open browser at:
# http://127.0.0.1:5005
```
Select any pre-built attack example, or type your own payload and hit **ANALYZE REQUEST**.
---
## ๐ Project Structure
```
bastion-waf-simulator/
โโโ app.py # WAF rule engine + Flask routes + full UI
```
---
## ๐ฏ What I Learned
Building BASTION required me to understand how each OWASP Top 10 attack actually works at a technical level โ not just the name, but the exact patterns attackers use and why they're dangerous.
Key insights:
- **SQL Injection** is still #1 despite being documented since the 1990s โ because developers keep concatenating user input into queries
- **SSRF** was behind the 2019 Capital One breach (100 million records) โ exploiting the AWS metadata endpoint at `169.254.169.254`
- **XXE** affects document upload features โ attackers hide malicious XML in DOCX, SVG, and PDF files
- **Path Traversal** is often overlooked in file download features โ `../../../../etc/passwd` is one of the most successful attack strings ever
The key insight: **WAFs are not a complete solution โ they're one layer. The fix for every attack in BASTION is better application code, not just better filtering.**
---
## ๐ฎ Future Improvements
- ModSecurity rule format support (CRS โ Core Rule Set compatibility)
- Evasion technique detection (URL encoding, hex encoding, case variation)
- Rate limiting simulation
- Custom rule builder UI
- Export blocked requests as a penetration testing report
---
## ๐ Related Projects
- [SENTINEL โ Email Threat Analyzer](https://github.com/messi0087an-hub/sentinel-email-analyzer)
- [SHIELD โ URL Threat Detector](https://github.com/messi0087an-hub/shield-url-detector)
- [VULCAN โ Vulnerability Scanner](https://github.com/messi0087an-hub/vulcan-vuln-scanner)
- [ARGUS โ Network Anomaly Detector](https://github.com/messi0087an-hub/argus-anomaly-detector)
- [VAULT โ Encrypted File Transfer](https://github.com/messi0087an-hub/vault-secure-transfer)
- [NEXUS โ Incident Response Simulator](https://github.com/messi0087an-hub/nexus-ir-simulator)
---
*Built as part of a cybersecurity portfolio for Ngee Ann Polytechnic โ Diploma in Cybersecurity & Digital Forensics (EAE 2026)*