  • Stars: 585
  • Rank: 76,419 (Top 2 %)
  • Language: Go
  • License: Mozilla Public Li...
  • Created over 3 years ago
  • Updated about 1 month ago


Repository Details

Fast and light-weight API proxy firewall for request and response validation by OpenAPI specs.

Open Source API Firewall by Wallarm (Black Hat Arsenal USA 2022)

API Firewall is a high-performance proxy that validates API requests and responses against an OpenAPI/Swagger schema. It is designed to protect REST API endpoints in cloud-native environments. API Firewall hardens an API by applying a positive security model: only calls whose requests and responses match the predefined API specification are allowed, and everything else is rejected.

The key features of API Firewall are:

  • Secure REST API endpoints by blocking malicious requests
  • Stop API data breaches by blocking malformed API responses
  • Discover Shadow API endpoints
  • Validate JWT access tokens for OAuth 2.0 protocol-based authentication
  • (NEW) Denylist compromised API tokens, keys, and cookies

The product is open source and available on Docker Hub, where it has already passed 1 billion (!!!) pulls. To support this project, you can star the repository.

Use cases

Running in blocking mode

  • Block malicious requests that do not match the OpenAPI 3.0 specification
  • Block malformed API responses to stop data breaches and sensitive information exposure

Running in monitoring mode

  • Discover Shadow APIs and undocumented API endpoints
  • Log malformed requests and responses that do not match the OpenAPI 3.0 specification

API schema validation and positive security model

When starting API Firewall, provide the OpenAPI 3.0 specification of the application it protects. API Firewall then operates as a reverse proxy and validates whether requests and responses match the schema defined in that specification.

Traffic that does not match the schema is either logged to the container's STDOUT and STDERR or blocked, depending on the configured operation mode. In logging mode, API Firewall also logs so-called shadow API endpoints: endpoints that are not covered by the API specification but still respond to requests (endpoints answering with 404 are excluded).

[Figure: API Firewall scheme]

OpenAPI 3.0 specification is supported and should be provided as a YAML or JSON file (.yaml, .yml, .json file extensions).

Because the allowed traffic is defined by the OpenAPI 3.0 specification, API Firewall implements a positive security model: anything the specification does not describe is treated as a violation.
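The validation flow described above (match the request and the upstream response against the specification, block or only log a mismatch depending on the mode, and report undocumented endpoints that answer with anything but 404 as shadow APIs), as an added Go example written for this page. It is not API Firewall's own code: the project uses fasthttp and a full OpenAPI validator, while this example implements only a subset (object, string and integer types, required, the boolean form of additionalProperties, exact path matching with no path templates) against a constructed specification fragment embedded as specJSON. The names Spec, LoadSpec, Check and IsShadowAPI are this example's own.

```go
package main

import "encoding/json"
import "strconv"
import "strings"

// Constructed OpenAPI 3.0 fragment (sample input, not the project's own spec).
const specJSON = `{"openapi": "3.0.0", "paths": {"/test/signup": {"post": {
  "requestBody": {"content": {"application/json": {"schema": {"type": "object",
    "required": ["email", "password"], "additionalProperties": false, "properties":
    {"email": {"type": "string"}, "password": {"type": "string"}, "age": {"type": "integer"}}}}}},
  "responses": {"200": {"content": {"application/json": {"schema": {"type": "object",
    "required": ["id"], "additionalProperties": false, "properties": {"id": {"type": "integer"}}}}}}}}}}}`
// Subset of OpenAPI 3.0 this example understands: paths -> method -> JSON schemas.
type schema struct {
	Type                 string            `json:"type"`
	Required             []string          `json:"required"`
	Properties           map[string]schema `json:"properties"`
	AdditionalProperties *bool             `json:"additionalProperties"` // boolean form only
}
type bodies map[string]struct{ Schema schema `json:"schema"` } // keyed by media type
type operation struct {
	RequestBody struct{ Content bodies `json:"content"` }            `json:"requestBody"`
	Responses   map[string]struct{ Content bodies `json:"content"` } `json:"responses"`
}
type Spec struct{ Paths map[string]map[string]operation `json:"paths"` }
func LoadSpec(raw string) (*Spec, error) {
	sp := &Spec{}
	return sp, json.Unmarshal([]byte(raw), sp)
}

// verdict turns mismatches into the firewall's decision: blocking mode rejects,
// monitoring mode lets the traffic through and only reports it.
func verdict(block bool, errs []string) (string, []string) {
	if len(errs) == 0 {
		return "pass", nil
	} else if block {
		return "blocked", errs
	}
	return "logged", errs
}

// validate checks a decoded JSON value against the schema subset: type, required
// properties and, when additionalProperties is false, properties the spec never listed.
func validate(v interface{}, s schema, where string) (errs []string) {
	bad := func(msg string) { errs = append(errs, where+": "+msg) }
	obj, isObj := v.(map[string]interface{})
	_, isStr := v.(string)
	f, isNum := v.(float64)
	switch {
	case s.Type == "object" && !isObj, s.Type == "string" && !isStr,
		s.Type == "integer" && (!isNum || f != float64(int64(f))):
		bad("expected " + s.Type)
	case s.Type == "object":
		for _, r := range s.Required {
			if _, present := obj[r]; !present {
				bad("missing required property " + r)
			}
		}
		for k, val := range obj {
			if ps, known := s.Properties[k]; known {
				errs = append(errs, validate(val, ps, where+"."+k)...)
			} else if s.AdditionalProperties != nil && !*s.AdditionalProperties {
				bad("unexpected property " + k)
			}
		}
	}
	return errs
}

// Check validates a request (status 0) or an upstream response (status != 0): method+path must be documented (exact match, no path templates) and a JSON body must match its schema.
func (sp *Spec) Check(block bool, method, path string, status int, body []byte) (string, []string) {
	op, ok := sp.Paths[path][strings.ToLower(method)]
	if !ok {
		return verdict(block, []string{method + " " + path + ": not in specification"})
	}
	schemas := op.RequestBody.Content
	if status != 0 {
		resp, found := op.Responses[strconv.Itoa(status)]
		if !found {
			return verdict(block, []string{"response " + strconv.Itoa(status) + ": not in specification"})
		}
		schemas = resp.Content
	}
	m, hasJSON := schemas["application/json"]
	if !hasJSON {
		return "pass", nil // no JSON body documented here, so there is nothing to enforce
	}
	var v interface{}
	if err := json.Unmarshal(body, &v); err != nil {
		return verdict(block, []string{"body: invalid JSON"})
	}
	return verdict(block, validate(v, m.Schema, "body"))
}

// IsShadowAPI reports a shadow endpoint the way monitoring mode does: undocumented,
// yet the upstream answered with something other than 404.
func (sp *Spec) IsShadowAPI(method, path string, upstreamStatus int) bool {
	_, documented := sp.Paths[path][strings.ToLower(method)]
	return !documented && upstreamStatus != 404
}
```

With the embedded specification, Check(true, "POST", "/test/signup", 0, body) blocks a signup that sends age as a string or smuggles in an extra role field, Check(false, ...) only logs the same mismatch, and Check(true, "POST", "/test/signup", 200, body) rejects a 200 response that leaks a password_hash field the specification never documented, which is the response-side check the feature list calls stopping data breaches. IsShadowAPI("GET", "/admin/users", 200) is true because the endpoint is undocumented yet answered, whereas a 404 is ignored as the text above says. A deployment would call these from the proxy's request and response hooks, which this example leaves out.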

Technical data

API Firewall works as a reverse proxy with a built-in OpenAPI 3.0 request and response validator. It is written in Go and uses fasthttp for proxying. The project is optimized for extreme performance and near-zero added latency.

Starting API Firewall

To download, install, and start API Firewall on Docker, see the instructions.

Demos

You can try API Firewall by running the demo environment that deploys an example application protected with API Firewall. There are two available demo environments:

Wallarm's blog articles related to API Firewall

Performance

When creating API Firewall, we prioritized speed and efficiency to ensure that our customers would have the fastest APIs possible. Our latest tests demonstrate that the average time required for API Firewall to process one request is 1.339 ms, which is 66% faster than NGINX. Note that the figures below compare API Firewall performing JSON validation against NGINX performing no validation, under the same ab load of 10,000 requests at 200 concurrent connections:

API Firewall 0.6.2 with JSON validation

$ ab -c 200 -n 10000 -p ./large.json -T application/json http://127.0.0.1:8282/test/signup

Requests per second:    13005.81 [#/sec] (mean)
Time per request:       15.378 [ms] (mean)
Time per request:       0.077 [ms] (mean, across all concurrent requests)

NGINX 1.18.0 without JSON validation

$ ab -c 200 -n 10000 -p ./large.json -T application/json http://127.0.0.1/test/signup

Requests per second:    7887.76 [#/sec] (mean)
Time per request:       25.356 [ms] (mean)
Time per request:       0.127 [ms] (mean, across all concurrent requests)

These performance results are not the only ones we obtained while testing API Firewall. In the ab output above, the first "Time per request" line is the mean latency seen by each of the 200 concurrent clients, and the second is the total run time divided by the number of requests, i.e. the inverse of the requests-per-second figure. Other results, along with the methods used to improve API Firewall performance, are described in Wallarm's blog article.

More Repositories

1. gotestwaf (Go, 1,532 stars): An open-source project in Golang to assess different API Security tools and WAF for detection logic and bypasses
2. awesome-nginx-security (728 stars): 🔥 A curated list of awesome links related to application security in environments with NGINX or the Kubernetes Ingress Controller (based on NGINX)
3. jwt-secrets (704 stars)
4. nascell-automl (Python, 253 stars)
5. jwt-heartbreaker (Java, 121 stars): The Burp extension to check JWT (JSON Web Tokens) for the use of keys known from public sources
6. libdetection (C, 86 stars): Signature-free approach library to detect injection and commanding attacks
7. fast-detects (42 stars)
8. ingress (Go, 38 stars): Kubernetes Ingress controller with integrated Wallarm services
9. docker-wallarm-node (Shell, 32 stars): ⚡️ Official docker image for Wallarm Node. API security platform agent.
10. wallnet (Python, 20 stars): Open-source code to support BSides 2019's talk: Bye-Bye False Positives: Using AI to Improve Detection
11. sysbindings (Python, 20 stars): sysctl/sysfs settings on the fly for a Kubernetes cluster. No restarts are required for clusters and nodes.
12. pgbouncer-chart (Mustache, 15 stars): Helm chart to deploy the pgbouncer connection pooler to Kubernetes
13. neuraldrugs (Python, 14 stars): AI.drugs
14. researches (PHP, 12 stars)
15. product-documentation (CSS, 10 stars): Wallarm Product Documentation
16. ingress-plus (Go, 5 stars): Wallarm WAF for Kubernetes NGINX Plus Ingress Controller
17. terraform-provider-wallarm (Go, 5 stars): Terraform provider for Wallarm
18. sidecar (Go, 4 stars): Kubernetes Sidecar schema of Wallarm API Security deployment
19. ingress-chart (Mustache, 4 stars)
20. owasp-top-10-2022 (Python, 4 stars): Statistical approach to build OWASP Top Ten. This repository includes code, data and calculation methodology.
21. helm-charts (HTML, 3 stars): Wallarm public charts repository
22. heartbleed.py (Python, 3 stars): forked from https://gist.github.com/eelsivart/10174134
23. api-firewall-docker (Shell, 3 stars)
24. neural (2 stars)
25. wallarm-api-examples (Python, 2 stars): Very basic examples of Wallarm API usage
26. cert-headers (2 stars): The list of possible HTTP headers used to store client certificate information
27. terraform-example (HCL, 2 stars)
28. oob-ebpf (Smarty, 2 stars): Wallarm out of band for Kubernetes based on eBPF
29. wallarm-go (Go, 1 star)
30. heroku-buildpack-wallarm-node (Shell, 1 star): Heroku buildpack for Wallarm
31. fast-jenkins-plugin (Java, 1 star): Run Wallarm security tests in your Jenkins pipeline
32. terraform-aws-wallarm (HCL, 1 star): Module for deploying Wallarm on AWS using Terraform
33. kong-docker (Lua, 1 star)