waf-detection 0.2.0

Detection modules (SQLi, XSS, RCE, traversal, SSRF, XXE, and more) and the scope-aware fast-path prefilter for Light WAF.
Documentation

waf-detection

The detection modules for Light WAF — a fast, modular Layer-7 Web Application Firewall reverse proxy in Rust.

Each module is a WafModule carrying its rule tables (*_RULES), toggled independently from config ([modules.*]).

Modules

  • Content injectionsqli, xss, rce (incl. command injection in the URL path, expression-language / SpEL, VBScript-ASP webshell), ldap, nosql, mail (SMTP/IMAP), ssti, ssi, xxe, lfi_rfi, ssrf.
  • Structural / transportpath_traversal, header_injection (CRLF), request_smuggling (CL/TE framing), graphql (depth/alias/field/batch caps + introspection), grpc (message size / field count / nesting depth caps).
  • Reputation / abusescanner (sqlmap/nuclei/OpenVAS/ffuf + OOB domains), rate_limit (L7 token bucket over the StateStore).
  • Importcrs: an OWASP CRS / ModSecurity seclang parser + subset evaluator that runs imported SecRule files as a module ([modules.crs]).

Fast-path prefilter

ContentPrefilter is a scope-aware, RegexSet-backed gate that decides whether any rule could match a request; provably benign traffic skips full inspection entirely. ReDoS is impossible by construction (linear-time regex, no backtracking). Worst-case inspection latency is ~2 µs at paranoia level 3.

Part of Light WAF

Crate Role
waf-core Base types: Config, Decision, RequestContext, the WafModule contract, the StateStore seam
waf-normalizer Request normalization: decode + NFKC + body/query/cookie parsing + limits
waf-pipeline Phased orchestrator + cumulative anomaly scoring
waf-detection Detection modules (SQLi/XSS/RCE/…) + fast-path prefilter
waf-wasm Proxy-Wasm runtime (wasmi) loading .wasm filters as modules
waf-proxy The waf binary: hyper/tokio reverse proxy

See the repository for the full architecture.

License

Apache-2.0 — see LICENSE and NOTICE.