
The idea of a firewall of some sort for web applications seems like a good idea, but this particular one seems rather lame. For example, here's the complete code that implements the 'local file inclusion' attack detection:

  var url = require('url');  // required but never used in this module

  exports.check = function (req, res) {
    // Raw substring match on req.url, i.e. the full request URL exactly as
    // received (path and query string), with no percent-decoding or
    // path normalization beforehand.
    if (req.url.indexOf('../') > -1) {
      // 'fusker' is referenced as a global here rather than required in this file
      fusker.handleAttack('LFI', req, res);
    }
  };
https://github.com/wearefractal/fusker/blob/master/lib/detec...

That's very simplistic and I wouldn't be surprised if you could get round it with trickery like ..%2F or similar encodings, since if you dig in it's being passed the req from the Node.js http module and is using the .url parameter. That returns the full URL from the request itself.

And check out how SQL injection is detected: https://github.com/wearefractal/fusker/blob/master/lib/detec... It appears to be completely unimplemented.

Also, the whole 'fight back' idea is a bad one. We've seen from the spam world that fighting back tends to create collateral damage. If someone is attacking your web site then it's best just to silently discard attacks; after all, if an attack back is detected, that gives the attacker information.

Also, blacklisting IP addresses on the Internet is quite a dangerous thing to do. The IP address being presented to the end web site may well come from a company or from an ISP where there are many, many legitimate users on the same IP. A blacklist needs to be managed carefully to avoid an attacker knocking out a large group of legitimate users.
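As an added example (not fusker's code and not part of the comment above), here is the quoted substring check next to a variant that percent-decodes the URL before looking for `..` segments, run against a few constructed request URLs; the `..%2F` case is the one mentioned above, and the double-encoded case goes one step beyond it.

```javascript
// The quoted fusker logic reduced to a predicate: raw substring match on the
// request URL as received, with no decoding.
function naiveLfiCheck(reqUrl) {
  return reqUrl.indexOf('../') > -1;
}

// Hardened variant. Percent-decode repeatedly (bounded) until the string is
// stable, so '..%2F' and the double-encoded '..%252F' both collapse to a
// literal '../'; then split on separators and flag any bare '..' segment.
// The whole URL is inspected, mirroring what the quoted check looks at.
function normalizedLfiCheck(reqUrl) {
  let decoded = reqUrl;
  for (let round = 0; round < 3; round++) {
    let next;
    try {
      next = decodeURIComponent(decoded);
    } catch (e) {
      // Malformed percent-encoding: a WAF should treat this as suspicious
      // rather than silently letting it through.
      return true;
    }
    if (next === decoded) break;
    decoded = next;
  }
  return decoded.split(/[\\/]/).some((segment) => segment === '..');
}

// Constructed sample URLs (not captured traffic). Each row is
// [url, naive verdict, normalized verdict].
const SAMPLES = [
  ['/files/../etc/passwd', true, true],      // plain traversal: both catch it
  ['/files/..%2Fetc/passwd', false, true],   // encoded slash: only the decoder sees it
  ['/files/%2e%2e/etc/passwd', false, true], // encoded dots
  ['/files/..%252Fetc/passwd', false, true], // double-encoded slash
  ['/files/report.pdf?page=2', false, false], // benign request
  ['/files/a..b/c', false, false],           // '..' inside a name is not a traversal
];

// Returns true when every sample produces the expected verdicts.
function runSamples() {
  return SAMPLES.every(([u, naive, normalized]) =>
    naiveLfiCheck(u) === naive && normalizedLfiCheck(u) === normalized);
}
```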



Blacklisting is done for small temporary amounts of time.

And yes, some things are not finished yet. The project was started a matter of hours ago and is not even close to its full potential.

EDIT: Keep in mind you are the one who decides what modules and payloads to use. Blacklisting is optional.


My guess is this is just a proof of concept. For this kind of thing, [Snort](http://www.snort.org/) with its huge corpus of intrusion detection patterns.



