Share
## https://sploitus.com/exploit?id=F55BD786-99F0-52B3-9E66-7C016A9BF095
# BASTION โ€” Web Application Firewall Simulator

> A real-time Web Application Firewall (WAF) simulator that detects and blocks OWASP Top 10 attack patterns โ€” SQL injection, XSS, path traversal, command injection, XXE, SSRF, LDAP injection, and more.

---

## ๐Ÿ” The Problem

Web applications are the most targeted attack surface in modern cybersecurity. The OWASP Top 10 represents the most critical security risks โ€” and most breaches still exploit these same well-known vulnerabilities. BASTION demonstrates how a WAF detects and blocks these attacks in real time, and teaches developers what to do about them.

---

## ๐Ÿ’ก What It Does

BASTION is a Flask web application that simulates a Web Application Firewall. Submit any HTTP request (GET, POST, PUT, DELETE) with any payload, and BASTION's rule engine runs it through 8 WAF rule sets covering the OWASP Top 10. Results show the attack type, OWASP classification, severity, and concrete mitigation steps.

### Detection Coverage

| Rule ID | Attack Type | OWASP Category | Severity |
|---------|------------|----------------|---------|
| SQLI-001 | SQL Injection | A03:2021 โ€” Injection | CRITICAL |
| XSS-001 | Cross-Site Scripting | A03:2021 โ€” Injection | HIGH |
| PT-001 | Path Traversal | A01:2021 โ€” Broken Access Control | HIGH |
| CMDI-001 | Command Injection | A03:2021 โ€” Injection | CRITICAL |
| XXE-001 | XML External Entity | A05:2021 โ€” Security Misconfiguration | HIGH |
| SSRF-001 | Server-Side Request Forgery | A10:2021 โ€” SSRF | HIGH |
| LDAP-001 | LDAP Injection | A03:2021 โ€” Injection | HIGH |
| OPEN-REDIRECT-001 | Open Redirect | A01:2021 โ€” Broken Access Control | MEDIUM |

---

## ๐Ÿงช Real Test Results

**SQL Injection โ€” `' OR 1=1--` on `POST /login`**
- Detected: SQL Injection โ€” CRITICAL
- OWASP: A03:2021 โ€” Injection
- Action: REQUEST BLOCKED
- Mitigation: Use parameterised queries / prepared statements

**Normal Login โ€” `username=alice&password=SecurePass123`**
- Detected: No threats
- Action: REQUEST ALLOWED โœ…

**Block Rate across 11 test requests: 82% (9 blocked, 2 allowed)**

---

## ๐Ÿ› ๏ธ Tech Stack

| Layer | Technology |
|-------|-----------|
| Backend | Python 3, Flask |
| WAF Engine | Custom regex rule engine (8 rule sets, 40+ patterns) |
| Attack DB | OWASP Top 10 aligned rule library |
| Frontend | HTML5, CSS3, Vanilla JavaScript |
| Fonts | Google Fonts (Orbitron, Share Tech Mono) |

---

## ๐Ÿš€ How to Run

**Requirements:** Python 3.8+

```bash
# 1. Install Flask
pip3 install flask

# 2. Navigate to project folder
cd bastion-waf-simulator

# 3. Launch BASTION
python3 app.py

# 4. Open browser at:
# http://127.0.0.1:5005
```

Select any pre-built attack example, or type your own payload and hit **ANALYZE REQUEST**.

---

## ๐Ÿ“ Project Structure

```
bastion-waf-simulator/
โ””โ”€โ”€ app.py    # WAF rule engine + Flask routes + full UI
```

---

## ๐ŸŽฏ What I Learned

Building BASTION required me to understand how each OWASP Top 10 attack actually works at a technical level โ€” not just the name, but the exact patterns attackers use and why they're dangerous.

Key insights:

- **SQL Injection** is still #1 despite being documented since the 1990s โ€” because developers keep concatenating user input into queries
- **SSRF** was behind the 2019 Capital One breach (100 million records) โ€” exploiting the AWS metadata endpoint at `169.254.169.254`
- **XXE** affects document upload features โ€” attackers hide malicious XML in DOCX, SVG, and PDF files
- **Path Traversal** is often overlooked in file download features โ€” `../../../../etc/passwd` is one of the most successful attack strings ever

The key insight: **WAFs are not a complete solution โ€” they're one layer. The fix for every attack in BASTION is better application code, not just better filtering.**

---

## ๐Ÿ”ฎ Future Improvements

- ModSecurity rule format support (CRS โ€” Core Rule Set compatibility)
- Evasion technique detection (URL encoding, hex encoding, case variation)
- Rate limiting simulation
- Custom rule builder UI
- Export blocked requests as a penetration testing report

---

## ๐Ÿ”— Related Projects

- [SENTINEL โ€” Email Threat Analyzer](https://github.com/messi0087an-hub/sentinel-email-analyzer)
- [SHIELD โ€” URL Threat Detector](https://github.com/messi0087an-hub/shield-url-detector)
- [VULCAN โ€” Vulnerability Scanner](https://github.com/messi0087an-hub/vulcan-vuln-scanner)
- [ARGUS โ€” Network Anomaly Detector](https://github.com/messi0087an-hub/argus-anomaly-detector)
- [VAULT โ€” Encrypted File Transfer](https://github.com/messi0087an-hub/vault-secure-transfer)
- [NEXUS โ€” Incident Response Simulator](https://github.com/messi0087an-hub/nexus-ir-simulator)

---

*Built as part of a cybersecurity portfolio for Ngee Ann Polytechnic โ€” Diploma in Cybersecurity & Digital Forensics (EAE 2026)*