{"id":14637823,"url":"https://github.com/chaitin/blazehttp","last_synced_at":"2025-05-16T18:09:42.428Z","repository":{"id":163307885,"uuid":"638759845","full_name":"chaitin/blazehttp","owner":"chaitin","description":"BlazeHTTP 是一款简单易用的 WAF 防护效果测试工具。BlazeHTTP stands as a user-friendly WAF protection efficacy evaluation tool.","archived":false,"fork":false,"pushed_at":"2024-07-01T08:29:37.000Z","size":39199,"stargazers_count":816,"open_issues_count":16,"forks_count":94,"subscribers_count":9,"default_branch":"master","last_synced_at":"2025-05-16T18:09:35.886Z","etag":null,"topics":["benchmark","bypass","http-parser","waf","waf-test","web-application-firewall"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/chaitin.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-05-10T03:36:23.000Z","updated_at":"2025-05-16T08:01:25.000Z","dependencies_parsed_at":null,"dependency_job_id":"80c12a95-837c-4f13-942c-5d74afeb45c1","html_url":"https://github.com/chaitin/blazehttp","commit_stats":null,"previous_names":[],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chaitin%2Fblazehttp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chaitin%2Fblazehttp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chaitin%2Fblazehttp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chaitin%2Fblazehttp/manifests","owner_url":"https
://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/chaitin","download_url":"https://codeload.github.com/chaitin/blazehttp/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254582907,"owners_count":22095518,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["benchmark","bypass","http-parser","waf","waf-test","web-application-firewall"],"created_at":"2024-09-10T02:01:17.014Z","updated_at":"2025-05-16T18:09:37.418Z","avatar_url":"https://github.com/chaitin.png","language":"Go","readme":"\u003cdiv align=\"center\"\u003e\n\u003cimg src=\"https://github.com/chaitin/blazehttp/assets/30664688/746026da-6b2f-4f9c-86f1-1e3cb129ca22\" width=\"120\"/\u003e\n\u003c/div\u003e\n\u003ch1 align=\"center\"\u003eBlazeHTTP\u003c/h1\u003e\n\u003ch4 align=\"center\"\u003e\u003cstrong\u003e简体中文\u003c/strong\u003e | \u003ca href=\"https://github.com/chaitin/blazehttp/blob/master/README_EN.md\"\u003e\nEnglish\u003c/a\u003e\u003c/h4\u003e\n\nBlazeHTTP is a simple, easy-to-use tool for **testing WAF protection effectiveness**.\n\n- 📦 **Rich sample set**: currently **33669** samples in total, continuously updated...\n- 🚀 **No configuration needed**: available as a **graphical interface** and a command-line version; download a prebuilt binary from Release, or clone the code and build it locally\n- 📖 **Report export**: export the execution results of all samples, including sample attributes, execution time, status code, whether the request was blocked, and so on\n\n## Test Metrics\n\n| Metric | Description | How it is measured |\n| ---- | ---- | ---- |\n| Detection rate | Reflects how comprehensive the WAF's detection capability is; an attack that is not detected is a “false negative”. | Number of attack samples blocked |\n| False positive rate | Reflects the interference with normal traffic; an unreliable result is a “false positive”. | Number of normal samples blocked |\n| Accuracy | A combined metric of detection rate and false positive rate, so that neither false negatives nor false positives are neglected in favour of the other. |  |\n| Detection latency | Reflects WAF performance; the longer the time taken, the worse the performance. |  |\n\n## Sample Examples\n\n```bash\n# Normal sample: testcases/00/02/5ebf56a710da27b73a9ad59219f0.white\nGET /rc-virtual-list@3.5.2/lib/hooks/useHeights.js HTTP/1.1\nHost: 
npm.staticblitz.com\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36\nAccept: */*\nOrigin: https://stackblitz.com\nSec-Fetch-Site: cross-site\nSec-Fetch-Mode: cors\nSec-Fetch-Dest: empty\nReferer: https://stackblitz.com/\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7\n\n# Malicious (black) sample: testcases/8a/36/0bbc7685860c526e33f3cbd83f9c.black\nGET /vulnerabilities/sqli_blind/?id=1%27+or+%27%27%3D%27\u0026Submit=Submit HTTP/1.1\nHost: 10.10.3.128\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\nReferer: http://10.10.3.128/vulnerabilities/sqli_blind/?id=1%27+and+%27%27%3D%27\u0026Submit=Submit\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7\nConnection: close\n```\n\n## Test Results\n\n### [CloudFlare](https://www.cloudflare.com/) vs [ModSecurity](https://github.com/owasp-modsecurity/ModSecurity) vs [SafeLine (雷池)](https://waf.chaitin.cn)\n\n| Metric | CloudFlare, free version | ModSecurity, PARANOIA level 1 | ModSecurity, PARANOIA level 4 | SafeLine, free version, balanced mode | SafeLine, free version, strict mode |\n| --- | --- | --- | --- | --- | --- |\n| Total samples | 33669 | 33669 | 33669 | 33669 | 33669 |\n| Succeeded | 33350 | 33669 | 33669 | 33669 | 33669 |\n| Errors | 319 | 0 | 0 | 0 | 0 |\n| **Detection rate (higher is better)** | 10.70% (malicious samples: 570, correctly blocked: 61, missed: 509) | 69.74% (malicious samples: 575, correctly blocked: 401, missed: 174) | 🏆 **94.61%** (malicious samples: 575, correctly blocked: 544, missed: 31) | 71.65% (malicious samples: 575, correctly blocked: 412, missed: 163) | 76.17% (malicious samples: 575, correctly blocked: 438, missed: 137) |\n| **False positive rate (lower is better)** | 0.07% (normal samples: 32780, correctly allowed: 32757, false positives: 23) | 17.58% (normal samples: 33094, correctly allowed: 27275, false positives: 5819) | 52.46% (normal samples: 33094, correctly allowed: 15732, false positives: 17362) | 🏆 **0.07%** (normal samples: 33094, correctly allowed: 33071, false positives: 23) | 0.22% (normal samples: 33094, correctly allowed: 33021, false positives: 73) |\n| **Accuracy (higher is better)** | 98.40% (correctly blocked + correctly allowed) / total samples | 
82.20% (correctly blocked + correctly allowed) / total samples | 48.34% (correctly blocked + correctly allowed) / total samples | 🏆 **99.45%** (correctly blocked + correctly allowed) / total samples | 99.38% (correctly blocked + correctly allowed) / total samples |\n| Average time | 288.96 ms | 31.15 ms | 28.89 ms | 70.05 ms | 64.34 ms |\n\n## Installation and Usage\n\n**Run in a Docker container**\n\n```bash\n# Pull the image\ndocker pull chaitin/blazehttp:latest\n# Start the test; http://127.0.0.1:9444 is the WAF address (change it to match your environment)\ndocker run --rm --net=host chaitin/blazehttp:latest /app/blazehttp -t http://127.0.0.1:9444\n```\n\nBinaries prebuilt by GitHub CI are uploaded to Release; you can [download](https://github.com/chaitin/blazehttp/releases) the latest version directly.\n\n**Run from the command line**\n\n![blazehttp_cmd](https://github.com/chaitin/blazehttp/assets/30664688/7be052e9-2dfb-4f96-a6f2-eb2a0251910e)\n\n**Run the GUI** (MacOS \u0026 Windows)\n\n\u003e If double-clicking on MacOS reports an **untrusted** or **move to Trash** error, run the command below and then launch again:\n\u003e ``` bash\n\u003e sudo xattr -d com.apple.quarantine blazehttp_1.0.0_darwin_arm64.app\n\u003e ```\n\n![gui](https://github.com/chaitin/blazehttp/assets/30664688/dee16f13-8fef-413e-89c8-515b91c52c7a)\n\n## Building Locally\n\nThe project depends only on Go. You first need Go in your environment; it can be downloaded [here](https://go.dev/dl/).\n\n### Command-line version\n\n```bash\n# Clone the code\ngit clone https://github.com/chaitin/blazehttp.git \u0026\u0026 cd blazehttp\n# Build locally\nbash build.sh # afterwards blazehttp appears in the build directory\n# Run\n./blazehttp -t https://example.org\n```\n\n### GUI version\n\nThe GUI is built on [fyne](https://github.com/fyne-io/fyne).\n\n```bash\n# Clone the code\ngit clone https://github.com/chaitin/blazehttp.git \u0026\u0026 cd blazehttp\n# Run locally\ngo run gui/main.go\n```\n\n\u003cimg width=\"810\" alt=\"image\" src=\"https://github.com/chaitin/blazehttp/assets/30664688/3d7f90aa-eb6d-43b0-adea-251114c6ea43\"\u003e\n\n\u003e To package locally, see fyne's [packaging documentation](https://docs.fyne.io/started/packaging)\n\u003e For cross-platform packaging, see [fyne-cross](https://docs.fyne.io/started/cross-compiling)\n\n## Contributing\n\nContributions are very welcome: adding new samples, new features, bug fixes, performance optimizations and more 👏\n\n## Star\n\nIf you find it useful, please give it a Star 
✨\n","funding_links":[],"categories":["Web安全","Go"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchaitin%2Fblazehttp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fchaitin%2Fblazehttp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchaitin%2Fblazehttp/lists"}