Report generated by the BlazeHTTP and jxwaf-test test suites.
BlazeHTTP project: https://github.com/jxwaf/blazehttp
jxwaf-test project: https://github.com/jxwaf/jxwaf-test
jxwaf-test sample source: PayloadsAllTheThings

Several WAFs were tested with the BlazeHTTP engine; the metrics are as follows:

| Metric | CloudFlare Free | ModSecurity PARANOIA 1 | SafeLine Free (Balanced) | JXWAF Standard (official free model) | JXWAF Standard (self-hosted model) |
|---|---|---|---|---|---|
| Total samples | 33,669 | 33,669 | 33,669 | 33,877 | 33,877 |
| Succeeded / errors | 33,350 / 319 | 33,669 / 0 | 33,669 / 0 | 33,877 / 0 | 33,877 / 0 |
| Detection rate ↑ | 10.70% | 69.74% | 71.65% | 71.28% | 69.91% |
| False positive rate ↓ | 0.07% | 17.58% | 0.07% | 0.64% | 0.20% |
| Accuracy ↑ | 98.40% | 82.20% | 99.45% | 98.81% | 99.22% |

Note: the CloudFlare, ModSecurity and SafeLine figures are taken from the test results published in the BlazeHTTP GitHub repository.

| WAF | Malicious samples | Blocked | Missed | Detection rate |
|---|---|---|---|---|
| CloudFlare Free | 570 | 61 | 509 | 10.70% |
| ModSecurity PARANOIA 1 | 575 | 401 | 174 | 69.74% |
| SafeLine Free (Balanced) | 575 | 412 | 163 | 71.65% |
| JXWAF Standard (official free model) | 658 | 469 | 189 | 71.28% |
| JXWAF Standard (self-hosted model) | 658 | 460 | 198 | 69.91% |

| WAF | Benign samples | Allowed | False positives | False positive rate |
|---|---|---|---|---|
| CloudFlare Free | 32,780 | 32,757 | 23 | 0.07% |
| ModSecurity PARANOIA 1 | 33,094 | 27,275 | 5,819 | 17.58% |
| SafeLine Free (Balanced) | 33,094 | 33,071 | 23 | 0.07% |
| JXWAF Standard (official free model) | 33,219 | 33,005 | 214 | 0.64% |
| JXWAF Standard (self-hosted model) | 33,219 | 33,154 | 65 | 0.20% |

The following test covers 477 test items generated from PayloadsAllTheThings (78.1k GitHub stars), spanning 36 attack categories. Details are available in the jxwaf-test repository.

| Metric | Value |
|---|---|
| Target URL | http://dev.jxwaf.com/account_init_check |
| Test categories | 36 |
| Total test items | 477 |
| Blocked | 461 |
| Missed | 16 |
| Request errors | 0 |
| Overall pass rate | 96.6% |

| Category | Items | Passed | Failed | Pass rate |
|---|---|---|---|---|
| sql injection | 24 | 24 | 0 | 100.0% |
| mysql injection | 17 | 17 | 0 | 100.0% |
| mssql injection | 19 | 19 | 0 | 100.0% |
| postgresql injection | 18 | 18 | 0 | 100.0% |
| oracle injection | 17 | 17 | 0 | 100.0% |
| sqlite injection | 10 | 10 | 0 | 100.0% |
| Subtotal | 105 | 105 | 0 | 100.0% |

| Category | Items | Passed | Failed | Pass rate |
|---|---|---|---|---|
| xss | 22 | 22 | 0 | 100.0% |
| xss by context | 15 | 15 | 0 | 100.0% |
| Subtotal | 37 | 37 | 0 | 100.0% |

| Category | Items | Passed | Failed | Pass rate |
|---|---|---|---|---|
| command injection | 20 | 19 | 1 | 95.0% |
| Subtotal | 20 | 19 | 1 | 95.0% |

| Category | Items | Passed | Failed | Pass rate |
|---|---|---|---|---|
| file inclusion | 11 | 11 | 0 | 100.0% |
| directory traversal | 12 | 12 | 0 | 100.0% |
| file upload | 16 | 16 | 0 | 100.0% |
| Subtotal | 39 | 39 | 0 | 100.0% |

| Category | Items | Passed | Failed | Pass rate |
|---|---|---|---|---|
| ssti | 18 | 18 | 0 | 100.0% |
| xxe | 14 | 14 | 0 | 100.0% |
| ssi injection | 12 | 12 | 0 | 100.0% |
| xpath injection | 13 | 13 | 0 | 100.0% |
| xslt injection | 12 | 12 | 0 | 100.0% |
| Subtotal | 69 | 69 | 0 | 100.0% |

| Category | Items | Passed | Failed | Pass rate |
|---|---|---|---|---|
| java php dotnet deserialization | 7 | 7 | 0 | 100.0% |
| java deserialization | 11 | 11 | 0 | 100.0% |
| php deserialization | 6 | 6 | 0 | 100.0% |
| python deserialization | 7 | 7 | 0 | 100.0% |
| dotnet deserialization | 4 | 4 | 0 | 100.0% |
| nodejs deserialization | 6 | 6 | 0 | 100.0% |
| ruby deserialization | 3 | 3 | 0 | 100.0% |
| Subtotal | 44 | 44 | 0 | 100.0% |

| Category | Items | Passed | Failed | Pass rate |
|---|---|---|---|---|
| waf bypass sqli | 20 | 20 | 0 | 100.0% |
| waf bypass sqli db | 16 | 16 | 0 | 100.0% |
| waf bypass xss | 19 | 19 | 0 | 100.0% |
| waf bypass command | 18 | 18 | 0 | 100.0% |
| waf bypass path | 11 | 10 | 1 | 90.9% |
| waf bypass lfi | 9 | 9 | 0 | 100.0% |
| waf bypass xxe | 11 | 11 | 0 | 100.0% |
| waf bypass upload | 15 | 15 | 0 | 100.0% |
| waf bypass general | 10 | 10 | 0 | 100.0% |
| Subtotal | 129 | 128 | 1 | 99.2% |

| Category | Items | Passed | Failed | Pass rate |
|---|---|---|---|---|
| prototype pollution | 12 | 10 | 2 | 83.3% |
| graphql injection | 12 | 1 | 11 | 8.3% |
| latex injection | 10 | 9 | 1 | 90.0% |
| Subtotal | 34 | 20 | 14 | 58.8% |

- Detection rate: the JXWAF Standard official free model reaches 71.28%, roughly on par with SafeLine (71.65%) and far above CloudFlare Free (10.70%).
- False positive rate: the Standard official free model sits at 0.64%, clearly better than ModSecurity (17.58%); the self-hosted model lowers it further to 0.20%.