akshatcore/Simulation-Sandbox
🧪 Universal WAF Testing Sandbox

To properly evaluate a Web Application Firewall (WAF), you need two things: a fragile target to protect, and a relentless attacker to defend against. This sandbox provides an isolated, local environment to test the routing, payload inspection, and rate-limiting capabilities of any reverse-proxy WAF.

Sandbox Components

  1. target_app.py (The Vulnerable Vault): A deliberately vulnerable Flask backend (defaults to Port 8080). It features:

    • Active Tripwires: If a malicious payload (SQLi, XSS, LFI) successfully bypasses your WAF and hits the backend, it instantly triggers a bright red "CRITICAL BREACH" screen.
    • Live Traffic AJAX Counter: Legitimate traffic safely forwarded by your WAF increments a live UI counter without requiring page reloads, proving your WAF is allowing safe packets through.
  2. traffic.sh (The Attacker): An automated Bash script that simulates realistic web traffic. It continuously fires a randomized mix of:

    • Safe Traffic: Spoofed with a standard Google Chrome User-Agent to test if your WAF allows normal human users.
    • Malicious Payloads: Injects SQLi, XSS, and Directory Traversal attempts to test your WAF's Deep Packet Inspection (DPI) and Rate Limiters.
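To make the tripwire idea concrete, here is an added, stand-alone Python example (not the repository's target_app.py, and independent of Flask) that classifies URLs the WAF forwarded to the backend into the sandbox's three payload classes and tallies how much leaked past the WAF. The regex patterns and the sample URL list are constructed for this illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Tripwire patterns, one per payload class the sandbox backend watches for.
# They are deliberately simple: the backend's job is to signal that something
# the WAF should have stopped reached it, not to act as a second WAF.
TRIPWIRES = {
    "sqli": re.compile(r"('\s*or\s+'?\d+'?\s*=\s*'?\d+|union\s+select|;\s*drop\s+table)", re.I),
    "xss": re.compile(r"(<script\b|javascript:|\bon(?:load|error|click|mouseover)\s*=)", re.I),
    "lfi": re.compile(r"(\.\./|\.\.\\|/etc/passwd)", re.I),
}


def classify_request(raw_url: str) -> str:
    """Return 'safe' or the first tripwire class that the decoded URL trips."""
    parts = urlsplit(raw_url)
    # Decode twice so a single extra layer of URL encoding cannot hide a
    # payload from the tripwire (the WAF under test may normalise differently).
    haystack = unquote_plus(unquote_plus(parts.path + "?" + parts.query))
    for name, pattern in TRIPWIRES.items():
        if pattern.search(haystack):
            return name
    return "safe"


def score_forwarded(urls):
    """Tally what reached the backend: the WAF's leakage per payload class."""
    tally = {"safe": 0, "sqli": 0, "xss": 0, "lfi": 0}
    for url in urls:
        tally[classify_request(url)] += 1
    # Anything that is not 'safe' is a request the WAF should have blocked.
    tally["breached"] = sum(v for k, v in tally.items() if k != "safe")
    return tally


# Constructed sample of URLs as if forwarded by a leaky WAF (not real logs).
SAMPLE_FORWARDED = [
    "/?page=home",
    "/search?q=flask+tutorial",
    "/login?user=admin'%20OR%20'1'='1",
    "/comment?text=%3Cscript%3Ealert(1)%3C/script%3E",
    "/download?file=..%2F..%2Fetc%2Fpasswd",
    "/profile?id=42",
]

if __name__ == "__main__":
    print(score_forwarded(SAMPLE_FORWARDED))  # breached: 3 of 6
```

A breached count above zero means the WAF forwarded traffic it should have absorbed; the per-class counts show which inspection rule is weak.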

How to Run a WAF Simulation

Step 1: Configure Your WAF
Ensure the WAF you are testing is configured to act as a reverse proxy, forwarding clean traffic to http://127.0.0.1:8080. Start your WAF (e.g., on Port 5000 or 80).

Step 2: Start the Vulnerable Target
Open a terminal and launch the backend vault:

python target_app.py

Keep this running and open http://127.0.0.1:8080 in your browser. Leave it visible to watch the live counter.

Step 3: Target the WAF
Open traffic.sh and ensure the target variable is pointed at your WAF's IP and Port, not the backend target directly.

# Example: Point this at your WAF
target="http://127.0.0.1:5000"

Step 4: Launch the Attack
Open a new terminal and fire the cannons:

chmod +x traffic.sh
./traffic.sh

Evaluating the Results

If your WAF is functioning correctly, you should observe the following:

  • Your WAF's terminal/dashboard will actively log blocked attacks and rate-limit violations (403/429 status codes).
  • The browser tab monitoring target_app.py (Port 8080) will show the "Safe Requests" counter ticking upward.
  • The backend will remain completely silent regarding attacks, and the red "COMPROMISED" screen will never trigger, proving the WAF successfully absorbed the hits.

About

A live simulation environment featuring a deliberately vulnerable web app and an automated traffic generator for testing Web Application Firewalls (WAF).
