GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → evilsocket → quijote

evilsocket / quijote

Licence: other
Quijote is an highly configurable HTTP middleware for API security.

Programming Languages

go
31211 projects - #10 most used programming language

Release Software License Travis Go Report Card

Quijote is an highly configurable HTTP middleware for web and API services in Go, aimed at detecting the low hanging fruits in terms of web attacks and therefore providing a basic layer of security. It might not detect the most sophisticated attacks, but damn, it will never stop trying! (And it's better than nothing?)

THIS PROJECT IS ACTIVELY BEING DEVELOPED, DO NOT USE IN PRODUCTION YET.

... but if you can help improving the rules, the code base, writing tests or whatever, all PRs are welcome! :D

Rules

The engine is compatible with every framework that supports Go's standard middleware structure and it's based on yaml rules that can be ether raw strings or regular expressions (and in the near future, javascript rules too), so that you can use it to detect basic attacks:

name: simple_xss_example
enabled: true
type: re
scope: '*'
parts:
  # just a tag
  - <[^>]+>
  # open tag with script
  - <[^>]+script:.+

Or as a blocklist for known offenders:

name: simple_blocklist
enabled: true
type: str
scope: ip
parts:
  # some bad ip!
  - 10.2.3.4
  # another
  - 12.34.56.78

For some example rules check the rules folder (doh!).

Others

The engine can operate in synchronous mode, thus blocking the request while the rules are being checked, or asynchronously dispatch a job on a queue without affecting the response times. It can also be configured a-la-fail2ban to ban offenders for a given amount of time after a given amount of attacks.

And it will also do CORS for you!

Example

import (
    ...
    "github.com/evilsocket/quijote/quijote"
    ...
)
...
...
// NOTE: this is for demonstration purposes and can just be replaced with:
// policy := quijote.DefaultPolicy()
policy := Policy{
	// where to load the rules from 
	RulesPath: "/etc/quijote/rules/",
	// whether or not to dump detections as JSON files for further investigation
	Dump:     true,
	DumpPath: "/var/log/quijote/detections/",
	// which mode to operate
	Synchronous: true,
	// this is used with an io.LimitReader so that it is not possible to DoS what we're protecting
	// by sending huge payloads that the JSON parser will try to parse because almost nobody ever
	// thinks to limit it :)
	MaxBodySize: 1024 * 1024 * 50, // 50MB
	// log incidents
	Report: true,
	// ban for an hour offending clients after 5 detections
	Ban:              true,
	BanMaxDetections: 5,
	BanDuration:      1 * time.Hour,
	// block offending requests
	Block: true,
	// what to do after blocking a request
	Redirect: Redirect{
		Code: http.StatusForbidden,
		Body: "Request blocked by Quijote (http://github.com/evilsocket/quijote).",
	},
	// do basic CORS
	CORS: CORS{
		Enabled:        true,
		AllowedOrigin:  "*",
		AllowedHeaders: "Accept, Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization",
		AllowedMethods: "POST, GET, OPTIONS, PUT, DELETE",
	},
}

engine, err := quijote.NewEngine(policy)
if err != nil {
    log.Fatal("%v", err)
}

// or whatever framework you fancy ...
router := mux.NewRouter()

// that's all it takes to integrate!
router.Use(engine.Middleware)

router.HandleFunc("/", whatever)

License

Quijote is made with by @evilsocket and it is released under the GPL3 license.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].