express-waf
A small web application firewall for the NodeJS Express framework.
Installation
npm install --save express-waf
Usage
The constructor expects the configuration for the blocker and optional settings as parameters. Blocker configuration includes:
- blockTime: A blacklist timeout which indicates the time after that entries from the blacklist will be removed.
- db: The used database for the blacklist. In the folder "/database" you can find predefined database connectors. If you don't find the connector you need, you may define your own database connector. This connector must define an add-, a remove- and a contains-function.
var ExpressWaf = require('express-waf');
var emudb = new ExpressWaf.EmulatedDB();
var waf = new ExpressWaf.ExpressWaf({
blocker:{
db: emudb,
blockTime: 1000
},
log: true
});
After that you can add additional modules to the firewall. Without these modules the firewall won't block any attacks. The basic functionality only includes a blacklist for evil hosts and a logging mechanism for attacks.
Additional modules can be found in the folder "/modules". This includes, for example a module against SQL Injection attacks or a module against CSRF attacks.
For example, this is how to add the CSRF module:
waf.addModule('csrf-module', {
allowedMethods:['GET', 'POST'],
refererIndependentUrls: ['/'],
allowedOrigins: ['www.example.com']
}, function (error) {
console.log(error);
});
Don't forget to finally add the check method of express-waf as middleware:
app.use(waf.check);
If you forget this step your firewall won't do anything! This is it. Your firewall is now configured to be used with your node.js/express application.
List of Modules
- csrf-module: https://www.owasp.org/index.php/CSRF
- lfi-module: https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion
- sql-module: https://www.owasp.org/index.php/SQL_Injection
- xss-module: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
Code-Quality
All modules can be tested by using the jasmine-node testing framework:
jasmine-node spec/
Code coverage can be calculated with istanbul:
istanbul cover jasmine-node spec/
Current jenkins report for this project: