Introduction
Web Application Firewalls (WAF) have long been a standard security solution for protecting web applications. Cloud-based WAFs like AWS WAF and Cloudflare WAF are particularly popular due to their ease of implementation. However, they come with several challenges:
- Limited understanding of application context
- High rate of false positives
- Restricted custom logic implementation
To address these challenges, a new approach called In-app WAF or RASP (Runtime Application Self-Protection) has been gaining attention.
In this post, I'll introduce Waffle, a library for integrating In-app WAF capabilities into Go web applications.
- https://sitebatch.github.io/waffle-website
- https://github.com/sitebatch/waffle-go
What is In-app WAF / RASP?
In-app WAF/RASP is not meant to replace existing cloud WAFs but rather to complement them by embedding WAF functionality directly into your application for enhanced protection.
It can handle common web application attacks like SQL injection and XSS, as well as application business logic attacks such as credential stuffing and brute force attempts.
The key advantage is accurate detection and prevention through complete request context awareness.
Consider this HTTP request for creating a blog post:
POST /blog/post HTTP/1.1
...
{
"title": "What is SQL ?"
"body": "SQL example code: `SELECT * FROM users` ..."
}
If your application uses placeholders to safely construct SQL statements, SQL injection isn't possible. However, cloud-based WAFs that rely on pattern matching would block this request because it contains suspicious SQL-like patterns (the string SELECT * FROM raises SQL injection concerns).
Developers often find themselves tediously adjusting parameters, endpoints, or WAF rules to reduce these false positives. What a cumbersome task!
In contrast, In-app WAF / RASP understands the request context. It recognizes when placeholders aren't being used and only blocks attacks when "SQL injection is actually possible." This context-aware approach results in fewer false positives and can even help mitigate zero-day vulnerabilities.
Implementing In-App WAF / RASP with Waffle in Go Applications
Waffle is a library that enables In-App WAF / RASP functionality in Go web applications.
Let's see how to integrate Waffle into your application and how it prevents attacks.
Example Application
While this example uses the standard library's net/http, Waffle also supports other libraries like Gin and GORM.
For more details, check out the Supported Libraries documentation.
The following application has a SQL injection vulnerability in the /login endpoint:
POST /blog/post HTTP/1.1
...
{
"title": "What is SQL ?"
"body": "SQL example code: `SELECT * FROM users` ..."
}
package main
import (
"context"
"database/sql"
"fmt"
"net/http"
_ "github.com/mattn/go-sqlite3"
)
var database *sql.DB
func init() {
setupDB()
}
func newHTTPHandler() http.Handler {
mux := http.NewServeMux()
mux.Handle("/login", http.HandlerFunc(loginController))
return mux
}
func main() {
srv := &http.Server{
Addr: ":8000",
Handler: newHTTPHandler(),
}
srv.ListenAndServe()
}
func loginController(w http.ResponseWriter, r *http.Request) {
email := r.FormValue("email")
password := r.FormValue("password")
if err := login(r.Context(), email, password); err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
w.Write([]byte("Login success"))
}
func login(ctx context.Context, email, password string) error {
// ?? SQL INJECTION VULNERABILITY
rows, err := database.QueryContext(ctx, fmt.Sprintf("SELECT * FROM users WHERE email = '%s' AND password = '%s'", email, password))
if err != nil {
return err
}
defer rows.Close()
if !rows.Next() {
return fmt.Errorf("invalid email or password")
}
// do something
return nil
}
func setupDB() {
db, err := sql.Open("sqlite3", "file::memory:?cache=shared")
if err != nil {
panic(err)
}
if _, err := db.Exec("CREATE TABLE users(id int, email text, password text);"); err != nil {
panic(err)
}
if _, err := db.Exec("INSERT INTO users(id, email, password) VALUES(1, 'user@example.com', 'password');"); err != nil {
panic(err)
}
database = db
}
Integrating Waffle to prevent SQL injection
Let's integrate Waffle to prevent SQL injection:
$ go run .
# SQL injection attack
$ curl -i -X POST 'http://localhost:8000/login' \
--data "email=user@example.com' OR 1=1--&password="
HTTP/1.1 200 OK
Date: Sun, 05 Jan 2025 10:32:50 GMT
Content-Length: 13
Content-Type: text/plain; charset=utf-8
Login success
Modify main.go as follows:
$ go get github.com/sitebatch/waffle-go
The changes are minimal:
package main
import (
"context"
"database/sql"
"errors"
"fmt"
"net/http"
"github.com/sitebatch/waffle-go"
"github.com/sitebatch/waffle-go/action"
waffleSQL "github.com/sitebatch/waffle-go/contrib/database/sql"
waffleHTTP "github.com/sitebatch/waffle-go/contrib/net/http"
_ "github.com/mattn/go-sqlite3"
)
var database *sql.DB
func init() {
setupDB()
}
func newHTTPHandler() http.Handler {
mux := http.NewServeMux()
mux.Handle("/login", http.HandlerFunc(loginController))
handler := waffleHTTP.WafMiddleware(mux)
return handler
}
func main() {
srv := &http.Server{
Addr: ":8000",
Handler: newHTTPHandler(),
}
// Start waffle with debug mode
waffle.Start(waffle.WithDebug())
srv.ListenAndServe()
}
func loginController(w http.ResponseWriter, r *http.Request) {
email := r.FormValue("email")
password := r.FormValue("password")
if err := login(r.Context(), email, password); err != nil {
var actionErr *action.BlockError
if errors.As(err, &actionErr) {
return
}
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
w.Write([]byte("Login success"))
}
func login(ctx context.Context, email, password string) error {
// ?? SQL INJECTION VULNERABILITY
rows, err := database.QueryContext(ctx, fmt.Sprintf("SELECT * FROM users WHERE email = '%s' AND password = '%s'", email, password))
if err != nil {
return err
}
defer rows.Close()
if !rows.Next() {
return fmt.Errorf("invalid email or password")
}
// do something
return nil
}
func setupDB() {
db, err := waffleSQL.Open("sqlite3", "file::memory:?cache=shared")
if err != nil {
panic(err)
}
if _, err := db.Exec("CREATE TABLE users(id int, email text, password text);"); err != nil {
panic(err)
}
if _, err := db.Exec("INSERT INTO users(id, email, password) VALUES(1, 'user@example.com', 'password');"); err != nil {
panic(err)
}
database = db
}
Now when we try a SQL injection attack, Waffle blocks it:
diff --git a/main.go b/main.go
index 90b8197..9fefb06 100644
--- a/main.go
+++ b/main.go
@@ -3,9 +3,15 @@ package main
import (
"context"
"database/sql"
+ "errors"
"fmt"
"net/http"
+ "github.com/sitebatch/waffle-go"
+ "github.com/sitebatch/waffle-go/action"
+ waffleSQL "github.com/sitebatch/waffle-go/contrib/database/sql"
+ waffleHTTP "github.com/sitebatch/waffle-go/contrib/net/http"
+
_ "github.com/mattn/go-sqlite3"
)
@@ -19,7 +25,9 @@ func newHTTPHandler() http.Handler {
mux := http.NewServeMux()
mux.Handle("/login", http.HandlerFunc(loginController))
- return mux
+ handler := waffleHTTP.WafMiddleware(mux)
+
+ return handler
}
func main() {
@@ -28,6 +36,9 @@ func main() {
Handler: newHTTPHandler(),
}
+ // Start waffle with debug mode
+ waffle.Start(waffle.WithDebug())
+
srv.ListenAndServe()
}
@@ -36,6 +47,11 @@ func loginController(w http.ResponseWriter, r *http.Request) {
password := r.FormValue("password")
if err := login(r.Context(), email, password); err != nil {
+ var actionErr *action.BlockError
+ if errors.As(err, &actionErr) {
+ return
+ }
+
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
@@ -60,7 +76,7 @@ func login(ctx context.Context, email, password string) error {
}
func setupDB() {
- db, err := sql.Open("sqlite3", "file::memory:?cache=shared")
+ db, err := waffleSQL.Open("sqlite3", "file::memory:?cache=shared")
if err != nil {
panic(err)
}
This HTML is the error message returned by default by waffle and looks like this:
If using placeholders:
When using placeholders, Waffle recognizes that SQL injection isn't possible and won't block the request:
$ curl -i -X POST 'http://localhost:8000/login' \
--data "email=user@example.com' OR 1=1--&password=" -i
HTTP/1.1 403 Forbidden
Date: Sun, 05 Jan 2025 10:38:22 GMT
Content-Length: 1574
Content-Type: text/html; charset=utf-8
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Access Denied</title>
# Fix SQL injection vulnerability
diff --git a/main.go
b/main.go
index 9fefb06..5b482f2 100644
--- a/main.go
+++ b/main.go
@@ -60,7 +60,7 @@ func loginController(w http.ResponseWriter, r *http.Request) {
}
func login(ctx context.Context, email, password string) error {
- rows, err := database.QueryContext(ctx, fmt.Sprintf("SELECT * FROM users WHERE email = '%s' AND password = '%s'", email, password))
+ rows, err := database.QueryContext(ctx, "SELECT * FROM users WHERE email = ? AND password = ?", email, password)
if err != nil {
return err
}
Note that even in this case, Waffle can still detect attempted SQL injection like a cloud-based WAF (though it won't block it):
# Waffle won't block the request since SQL injection isn't possible
$ curl -i -X POST 'http://localhost:8000/login' \
--data "email=user@example.com' OR 1=1--&password="
HTTP/1.1 500 Internal Server Error
Content-Type: text/plain; charset=utf-8
X-Content-Type-Options: nosniff
Date: Sun, 05 Jan 2025 10:49:05 GMT
Content-Length: 26
invalid email or password
Attacks Detected and Prevented by Waffle
While we've demonstrated SQL injection prevention, Waffle can detect and prevent various attacks:
- Reconnaissance by known security scanners
- Directory traversal
- XSS
- SQL injection
- Sensitive file access
- SSRF
- Account takeover
For more details, check out the Rule List documentation.
Rules are continuously updated, and contributions are welcome.
Conclusion
By integrating Waffle into your application, you can accurately detect and prevent attacks.
For framework-specific implementation guides and detailed usage instructions, refer to the Guides section in the documentation.
Waffle is under active development. We welcome feedback and contributions.
- https://github.com/sitebatch/waffle-go
The above is the detailed content of Introduction to Waffle: In-app WAF for Go Applications. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undress AI Tool
Undress images for free
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
Is golang frontend or backend
Jul 08, 2025 am 01:44 AM
Golang is mainly used for back-end development, but it can also play an indirect role in the front-end field. Its design goals focus on high-performance, concurrent processing and system-level programming, and are suitable for building back-end applications such as API servers, microservices, distributed systems, database operations and CLI tools. Although Golang is not the mainstream language for web front-end, it can be compiled into JavaScript through GopherJS, run on WebAssembly through TinyGo, or generate HTML pages with a template engine to participate in front-end development. However, modern front-end development still needs to rely on JavaScript/TypeScript and its ecosystem. Therefore, Golang is more suitable for the technology stack selection with high-performance backend as the core.
How to build a GraphQL API in golang
Jul 08, 2025 am 01:03 AM
To build a GraphQLAPI in Go, it is recommended to use the gqlgen library to improve development efficiency. 1. First select the appropriate library, such as gqlgen, which supports automatic code generation based on schema; 2. Then define GraphQLschema, describe the API structure and query portal, such as defining Post types and query methods; 3. Then initialize the project and generate basic code to implement business logic in resolver; 4. Finally, connect GraphQLhandler to HTTPserver and test the API through the built-in Playground. Notes include field naming specifications, error handling, performance optimization and security settings to ensure project maintenance
How to install Go
Jul 09, 2025 am 02:37 AM
The key to installing Go is to select the correct version, configure environment variables, and verify the installation. 1. Go to the official website to download the installation package of the corresponding system. Windows uses .msi files, macOS uses .pkg files, Linux uses .tar.gz files and unzip them to /usr/local directory; 2. Configure environment variables, edit ~/.bashrc or ~/.zshrc in Linux/macOS to add PATH and GOPATH, and Windows set PATH to Go in the system properties; 3. Use the government command to verify the installation, and run the test program hello.go to confirm that the compilation and execution are normal. PATH settings and loops throughout the process
Go sync.WaitGroup example
Jul 09, 2025 am 01:48 AM
sync.WaitGroup is used to wait for a group of goroutines to complete the task. Its core is to work together through three methods: Add, Done, and Wait. 1.Add(n) Set the number of goroutines to wait; 2.Done() is called at the end of each goroutine, and the count is reduced by one; 3.Wait() blocks the main coroutine until all tasks are completed. When using it, please note: Add should be called outside the goroutine, avoid duplicate Wait, and be sure to ensure that Don is called. It is recommended to use it with defer. It is common in concurrent crawling of web pages, batch data processing and other scenarios, and can effectively control the concurrency process.
Go embed package tutorial
Jul 09, 2025 am 02:46 AM
Using Go's embed package can easily embed static resources into binary, suitable for web services to package HTML, CSS, pictures and other files. 1. Declare the embedded resource to add //go:embed comment before the variable, such as embedding a single file hello.txt; 2. It can be embedded in the entire directory such as static/*, and realize multi-file packaging through embed.FS; 3. It is recommended to switch the disk loading mode through buildtag or environment variables to improve efficiency; 4. Pay attention to path accuracy, file size limitations and read-only characteristics of embedded resources. Rational use of embed can simplify deployment and optimize project structure.
Go for Audio/Video Processing
Jul 20, 2025 am 04:14 AM
The core of audio and video processing lies in understanding the basic process and optimization methods. 1. The basic process includes acquisition, encoding, transmission, decoding and playback, and each link has technical difficulties; 2. Common problems such as audio and video aberration, lag delay, sound noise, blurred picture, etc. can be solved through synchronous adjustment, coding optimization, noise reduction module, parameter adjustment, etc.; 3. It is recommended to use FFmpeg, OpenCV, WebRTC, GStreamer and other tools to achieve functions; 4. In terms of performance management, we should pay attention to hardware acceleration, reasonable setting of resolution frame rates, control concurrency and memory leakage problems. Mastering these key points will help improve development efficiency and user experience.
How to build a web server in Go
Jul 15, 2025 am 03:05 AM
It is not difficult to build a web server written in Go. The core lies in using the net/http package to implement basic services. 1. Use net/http to start the simplest server: register processing functions and listen to ports through a few lines of code; 2. Routing management: Use ServeMux to organize multiple interface paths for easy structured management; 3. Common practices: group routing by functional modules, and use third-party libraries to support complex matching; 4. Static file service: provide HTML, CSS and JS files through http.FileServer; 5. Performance and security: enable HTTPS, limit the size of the request body, and set timeout to improve security and performance. After mastering these key points, it will be easier to expand functionality.
Go select with default case
Jul 14, 2025 am 02:54 AM
The purpose of select plus default is to allow select to perform default behavior when no other branches are ready to avoid program blocking. 1. When receiving data from the channel without blocking, if the channel is empty, it will directly enter the default branch; 2. In combination with time. After or ticker, try to send data regularly. If the channel is full, it will not block and skip; 3. Prevent deadlocks, avoid program stuck when uncertain whether the channel is closed; when using it, please note that the default branch will be executed immediately and cannot be abused, and default and case are mutually exclusive and will not be executed at the same time.
