Introduction
Web Application Firewalls (WAF) have long been a standard security solution for protecting web applications. Cloud-based WAFs like AWS WAF and Cloudflare WAF are particularly popular due to their ease of implementation. However, they come with several challenges:
- Limited understanding of application context
- High rate of false positives
- Restricted custom logic implementation
To address these challenges, a new approach called In-app WAF or RASP (Runtime Application Self-Protection) has been gaining attention.
In this post, I'll introduce Waffle, a library for integrating In-app WAF capabilities into Go web applications.
- https://sitebatch.github.io/waffle-website
- https://github.com/sitebatch/waffle-go
What is In-app WAF / RASP?
In-app WAF/RASP is not meant to replace existing cloud WAFs but rather to complement them by embedding WAF functionality directly into your application for enhanced protection.
It can handle common web application attacks like SQL injection and XSS, as well as application business logic attacks such as credential stuffing and brute force attempts.
The key advantage is accurate detection and prevention through complete request context awareness.
Consider this HTTP request for creating a blog post:
POST /blog/post HTTP/1.1
...
{
"title": "What is SQL ?"
"body": "SQL example code: `SELECT * FROM users` ..."
}
If your application uses placeholders to safely construct SQL statements, SQL injection isn't possible. However, cloud-based WAFs that rely on pattern matching would block this request because it contains suspicious SQL-like patterns (the string SELECT * FROM raises SQL injection concerns).
Developers often find themselves tediously adjusting parameters, endpoints, or WAF rules to reduce these false positives. What a cumbersome task!
In contrast, In-app WAF / RASP understands the request context. It recognizes when placeholders aren't being used and only blocks attacks when "SQL injection is actually possible." This context-aware approach results in fewer false positives and can even help mitigate zero-day vulnerabilities.
Implementing In-App WAF / RASP with Waffle in Go Applications
Waffle is a library that enables In-App WAF / RASP functionality in Go web applications.
Let's see how to integrate Waffle into your application and how it prevents attacks.
Example Application
While this example uses the standard library's net/http, Waffle also supports other libraries like Gin and GORM.
For more details, check out the Supported Libraries documentation.
The following application has a SQL injection vulnerability in the /login endpoint:
POST /blog/post HTTP/1.1
...
{
"title": "What is SQL ?"
"body": "SQL example code: `SELECT * FROM users` ..."
}
package main
import (
"context"
"database/sql"
"fmt"
"net/http"
_ "github.com/mattn/go-sqlite3"
)
var database *sql.DB
func init() {
setupDB()
}
func newHTTPHandler() http.Handler {
mux := http.NewServeMux()
mux.Handle("/login", http.HandlerFunc(loginController))
return mux
}
func main() {
srv := &http.Server{
Addr: ":8000",
Handler: newHTTPHandler(),
}
srv.ListenAndServe()
}
func loginController(w http.ResponseWriter, r *http.Request) {
email := r.FormValue("email")
password := r.FormValue("password")
if err := login(r.Context(), email, password); err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
w.Write([]byte("Login success"))
}
func login(ctx context.Context, email, password string) error {
// ⚠️ SQL INJECTION VULNERABILITY
rows, err := database.QueryContext(ctx, fmt.Sprintf("SELECT * FROM users WHERE email = '%s' AND password = '%s'", email, password))
if err != nil {
return err
}
defer rows.Close()
if !rows.Next() {
return fmt.Errorf("invalid email or password")
}
// do something
return nil
}
func setupDB() {
db, err := sql.Open("sqlite3", "file::memory:?cache=shared")
if err != nil {
panic(err)
}
if _, err := db.Exec("CREATE TABLE users(id int, email text, password text);"); err != nil {
panic(err)
}
if _, err := db.Exec("INSERT INTO users(id, email, password) VALUES(1, 'user@example.com', 'password');"); err != nil {
panic(err)
}
database = db
}
Integrating Waffle to prevent SQL injection
Let's integrate Waffle to prevent SQL injection:
$ go run .
# SQL injection attack
$ curl -i -X POST 'http://localhost:8000/login' \
--data "email=user@example.com' OR 1=1--&password="
HTTP/1.1 200 OK
Date: Sun, 05 Jan 2025 10:32:50 GMT
Content-Length: 13
Content-Type: text/plain; charset=utf-8
Login success
Modify main.go as follows:
$ go get github.com/sitebatch/waffle-go
The changes are minimal:
package main
import (
"context"
"database/sql"
"errors"
"fmt"
"net/http"
"github.com/sitebatch/waffle-go"
"github.com/sitebatch/waffle-go/action"
waffleSQL "github.com/sitebatch/waffle-go/contrib/database/sql"
waffleHTTP "github.com/sitebatch/waffle-go/contrib/net/http"
_ "github.com/mattn/go-sqlite3"
)
var database *sql.DB
func init() {
setupDB()
}
func newHTTPHandler() http.Handler {
mux := http.NewServeMux()
mux.Handle("/login", http.HandlerFunc(loginController))
handler := waffleHTTP.WafMiddleware(mux)
return handler
}
func main() {
srv := &http.Server{
Addr: ":8000",
Handler: newHTTPHandler(),
}
// Start waffle with debug mode
waffle.Start(waffle.WithDebug())
srv.ListenAndServe()
}
func loginController(w http.ResponseWriter, r *http.Request) {
email := r.FormValue("email")
password := r.FormValue("password")
if err := login(r.Context(), email, password); err != nil {
var actionErr *action.BlockError
if errors.As(err, &actionErr) {
return
}
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
w.Write([]byte("Login success"))
}
func login(ctx context.Context, email, password string) error {
// ⚠️ SQL INJECTION VULNERABILITY
rows, err := database.QueryContext(ctx, fmt.Sprintf("SELECT * FROM users WHERE email = '%s' AND password = '%s'", email, password))
if err != nil {
return err
}
defer rows.Close()
if !rows.Next() {
return fmt.Errorf("invalid email or password")
}
// do something
return nil
}
func setupDB() {
db, err := waffleSQL.Open("sqlite3", "file::memory:?cache=shared")
if err != nil {
panic(err)
}
if _, err := db.Exec("CREATE TABLE users(id int, email text, password text);"); err != nil {
panic(err)
}
if _, err := db.Exec("INSERT INTO users(id, email, password) VALUES(1, 'user@example.com', 'password');"); err != nil {
panic(err)
}
database = db
}
Now when we try a SQL injection attack, Waffle blocks it:
diff --git a/main.go b/main.go
index 90b8197..9fefb06 100644
--- a/main.go
+++ b/main.go
@@ -3,9 +3,15 @@ package main
import (
"context"
"database/sql"
+ "errors"
"fmt"
"net/http"
+ "github.com/sitebatch/waffle-go"
+ "github.com/sitebatch/waffle-go/action"
+ waffleSQL "github.com/sitebatch/waffle-go/contrib/database/sql"
+ waffleHTTP "github.com/sitebatch/waffle-go/contrib/net/http"
+
_ "github.com/mattn/go-sqlite3"
)
@@ -19,7 +25,9 @@ func newHTTPHandler() http.Handler {
mux := http.NewServeMux()
mux.Handle("/login", http.HandlerFunc(loginController))
- return mux
+ handler := waffleHTTP.WafMiddleware(mux)
+
+ return handler
}
func main() {
@@ -28,6 +36,9 @@ func main() {
Handler: newHTTPHandler(),
}
+ // Start waffle with debug mode
+ waffle.Start(waffle.WithDebug())
+
srv.ListenAndServe()
}
@@ -36,6 +47,11 @@ func loginController(w http.ResponseWriter, r *http.Request) {
password := r.FormValue("password")
if err := login(r.Context(), email, password); err != nil {
+ var actionErr *action.BlockError
+ if errors.As(err, &actionErr) {
+ return
+ }
+
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
@@ -60,7 +76,7 @@ func login(ctx context.Context, email, password string) error {
}
func setupDB() {
- db, err := sql.Open("sqlite3", "file::memory:?cache=shared")
+ db, err := waffleSQL.Open("sqlite3", "file::memory:?cache=shared")
if err != nil {
panic(err)
}
This HTML is the error message returned by default by waffle and looks like this:
If using placeholders:
When using placeholders, Waffle recognizes that SQL injection isn't possible and won't block the request:
$ curl -i -X POST 'http://localhost:8000/login' \
--data "email=user@example.com' OR 1=1--&password=" -i
HTTP/1.1 403 Forbidden
Date: Sun, 05 Jan 2025 10:38:22 GMT
Content-Length: 1574
Content-Type: text/html; charset=utf-8
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Access Denied</title>
# Fix SQL injection vulnerability
diff --git a/main.go
b/main.go
index 9fefb06..5b482f2 100644
--- a/main.go
+++ b/main.go
@@ -60,7 +60,7 @@ func loginController(w http.ResponseWriter, r *http.Request) {
}
func login(ctx context.Context, email, password string) error {
- rows, err := database.QueryContext(ctx, fmt.Sprintf("SELECT * FROM users WHERE email = '%s' AND password = '%s'", email, password))
+ rows, err := database.QueryContext(ctx, "SELECT * FROM users WHERE email = ? AND password = ?", email, password)
if err != nil {
return err
}
Note that even in this case, Waffle can still detect attempted SQL injection like a cloud-based WAF (though it won't block it):
# Waffle won't block the request since SQL injection isn't possible
$ curl -i -X POST 'http://localhost:8000/login' \
--data "email=user@example.com' OR 1=1--&password="
HTTP/1.1 500 Internal Server Error
Content-Type: text/plain; charset=utf-8
X-Content-Type-Options: nosniff
Date: Sun, 05 Jan 2025 10:49:05 GMT
Content-Length: 26
invalid email or password
Attacks Detected and Prevented by Waffle
While we've demonstrated SQL injection prevention, Waffle can detect and prevent various attacks:
- Reconnaissance by known security scanners
- Directory traversal
- XSS
- SQL injection
- Sensitive file access
- SSRF
- Account takeover
For more details, check out the Rule List documentation.
Rules are continuously updated, and contributions are welcome.
Conclusion
By integrating Waffle into your application, you can accurately detect and prevent attacks.
For framework-specific implementation guides and detailed usage instructions, refer to the Guides section in the documentation.
Waffle is under active development. We welcome feedback and contributions.
- https://github.com/sitebatch/waffle-go
The above is the detailed content of Introduction to Waffle: In-app WAF for Go Applications. For more information, please follow other related articles on the PHP Chinese website!
Understanding Goroutines: A Deep Dive into Go's ConcurrencyMay 01, 2025 am 12:18 AMGoroutinesarefunctionsormethodsthatrunconcurrentlyinGo,enablingefficientandlightweightconcurrency.1)TheyaremanagedbyGo'sruntimeusingmultiplexing,allowingthousandstorunonfewerOSthreads.2)Goroutinesimproveperformancethrougheasytaskparallelizationandeff
Understanding the init Function in Go: Purpose and UsageMay 01, 2025 am 12:16 AMThepurposeoftheinitfunctioninGoistoinitializevariables,setupconfigurations,orperformnecessarysetupbeforethemainfunctionexecutes.Useinitby:1)Placingitinyourcodetorunautomaticallybeforemain,2)Keepingitshortandfocusedonsimpletasks,3)Consideringusingexpl
Understanding Go Interfaces: A Comprehensive GuideMay 01, 2025 am 12:13 AMGointerfacesaremethodsignaturesetsthattypesmustimplement,enablingpolymorphismwithoutinheritanceforcleaner,modularcode.Theyareimplicitlysatisfied,usefulforflexibleAPIsanddecoupling,butrequirecarefulusetoavoidruntimeerrorsandmaintaintypesafety.
Recovering from Panics in Go: When and How to Use recover()May 01, 2025 am 12:04 AMUse the recover() function in Go to recover from panic. The specific methods are: 1) Use recover() to capture panic in the defer function to avoid program crashes; 2) Record detailed error information for debugging; 3) Decide whether to resume program execution based on the specific situation; 4) Use with caution to avoid affecting performance.
How do you use the "strings" package to manipulate strings in Go?Apr 30, 2025 pm 02:34 PMThe article discusses using Go's "strings" package for string manipulation, detailing common functions and best practices to enhance efficiency and handle Unicode effectively.
How do you use the "crypto" package to perform cryptographic operations in Go?Apr 30, 2025 pm 02:33 PMThe article details using Go's "crypto" package for cryptographic operations, discussing key generation, management, and best practices for secure implementation.Character count: 159
How do you use the "time" package to handle dates and times in Go?Apr 30, 2025 pm 02:32 PMThe article details the use of Go's "time" package for handling dates, times, and time zones, including getting current time, creating specific times, parsing strings, and measuring elapsed time.
How do you use the "reflect" package to inspect the type and value of a variable in Go?Apr 30, 2025 pm 02:29 PMArticle discusses using Go's "reflect" package for variable inspection and modification, highlighting methods and performance considerations.
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
SublimeText3 English version
Recommended: Win version, supports code prompts!
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Mac version
God-level code editing software (SublimeText3)
SecLists
SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.
SAP NetWeaver Server Adapter for Eclipse
Integrate Eclipse with SAP NetWeaver application server.
