First Impressions of SafeLine: The Most Starred Open-Source WAF on GitHub


Lulu

Posted on August 29, 2024


Recently, I decided to set up a blog for my team to store and share our learning notes. Since the server will be publicly accessible, it’s crucial to implement some security measures to prevent the site from being compromised and turned into a botnet node.

Here’s what I needed:

  • Zero cost
  • Effective protection
  • Ease of use

Given these criteria, an open-source WAF seemed like the perfect fit. After researching various options, I settled on SafeLine Community Edition.

Why SafeLine?

SafeLine is a rising star in the open-source WAF space. In just a year since its release, it has surpassed the long-standing leader ModSecurity, boasting over 11.7k stars on GitHub, making it the most popular WAF on the platform.

So, what makes SafeLine so popular? The consensus from users and official documentation can be summed up in five words: “Simple and easy to use.”

What Makes It So Good?

SafeLine Community Edition is a streamlined version of the enterprise-grade SafeLine Web Application Firewall developed by Chaitin Tech. Its core detection capabilities are powered by Chaitin’s pioneering intelligent semantic analysis algorithm. Compared to traditional regex-based methods, this algorithm offers better detection rates, fewer false positives, and higher accuracy, all while consuming significantly less processing time.

Installation and Usage

1. Installation

SafeLine makes it incredibly easy to get started with a one-click installation feature. As long as Docker is installed on your system, deploying SafeLine is a breeze.

    bash -c "$(curl -fsSLk https://waf.chaitin.com/release/latest/setup.sh)"

Note that the -k flag makes curl skip TLS certificate verification, so the script is fetched without checking who served it; if your system already trusts the site's certificate, the flag can be dropped.

For detailed installation instructions, you can refer to the official documentation: Install SafeLine.

2. Usage

  • Login: The login process is straightforward, so I won’t go into details here.

  • Feature Overview:

    • Data Statistics: The dashboard is clean and intuitive, offering a clear overview of your traffic and security status.

    • Attack Events: When your server receives potentially harmful requests, SafeLine evaluates them against the configured protection level and decides whether to block them.

    • Protected Sites: SafeLine operates as a reverse proxy, filtering and forwarding every request sent to your server.

Feature Testing (Website Protection)

I conducted some basic tests to evaluate SafeLine’s website protection capabilities:

  • Directory Scanning Test: When a client requests sensitive files from the server, SafeLine intercepts the request. Even if the request doesn’t reach the blocking threshold, it is logged as an attack event so it can be reviewed later.

  • SQL Injection Test: I used sqlmap to test SQL injection at different protection levels:

    • Observation Mode: SQL injection was executed without difficulty; SafeLine raised warnings but allowed the requests through.

    • Balanced Protection: SQL injection was partially blocked. The requests were intercepted because keywords in the User-Agent header triggered a rule, but this could be bypassed by spoofing the header.

    • High-Intensity Protection: Most SQL injection attempts were blocked, though some still succeeded. Manual injections weren’t blocked but were logged as warnings. This is more an issue with the test environment (a low-security CTF setup) than with SafeLine itself. In a real-world scenario, SafeLine combined with proper front-end and back-end validation should provide solid protection.

  • File Upload Test: I tested file upload detection at both the balanced and high-intensity protection levels. SafeLine detected PHP backdoor files but didn’t block them (perhaps because they were too basic?).

  • RCE Test: Remote Code Execution (RCE) attempts were detected but not blocked, similar to the file upload test.

Conclusion

While a WAF like SafeLine is a crucial layer of defense for website security, it shouldn’t be the only measure. Personal security awareness is also essential. During development, you should pay special attention to securing critical endpoints like SQL queries, file uploads, and remote command execution to minimize the risk of exploitation.
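As an added example of that last point (not from the original post and not SafeLine's own code): a Python/sqlite3 sketch of two application-layer controls that stop what the review saw the WAF merely log, a parameterized query beside the string-built one, and a content-based upload check that rejects PHP files. The table, the tautology payload and the file bytes are constructed sample data; the RCE endpoint is left out.

```python
import sqlite3

def setup_db():
    """Constructed in-memory sample table standing in for the CTF target."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s1"), ("bob", "s2")])
    return conn

def lookup_vulnerable(conn, name):
    # String-built query: the input becomes part of the SQL grammar,
    # which is what a WAF in observation mode will only warn about.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql).fetchall()]

def lookup_safe(conn, name):
    # Bound parameter: the driver passes the input as a value only,
    # so no quoting trick can change what the statement does.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,)).fetchall()]

# Constructed sample input: a textbook tautology payload.
TAUTOLOGY = "x' OR '1'='1"

ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}
# Leading bytes of the image formats this upload endpoint accepts.
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")

def upload_allowed(filename, data):
    """Server-side upload check: allowlisted extension, genuine image
    header, and no PHP open tag hidden in the body (an image/PHP polyglot
    is the kind of file a WAF may detect but not block)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:
        return False
    if not data.startswith(IMAGE_MAGIC):
        return False
    if b"<?php" in data or b"<?=" in data:
        return False
    return True
```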

In conclusion, though this review was a bit rushed, it’s clear that SafeLine Community Edition is a powerful and user-friendly WAF.
