Attack Detection Results
| Attack Type | Tests | Detection Rate | Details |
|---|---|---|---|
| SQL Injection | 146 | 89.86% | 39 categories: union, boolean, time-based, stacked queries, NoSQL, obfuscation, privilege escalation, batch queries, encoding bypasses |
| XSS Attacks | 86 | 100% | DOM-based, mutation XSS, HTML5 vectors, 24 event handlers, SVG/XML attacks, CSS injection, template injection, encoding bypasses |
| Header Injection | 35 | 93.10% | CRLF injection, HTTP smuggling (CL-TE/TE-CL), header pollution, cache poisoning, authorization bypass headers |
| Form Sanitization | 43 | 85% | Path traversal, command injection, LDAP injection, NoSQL injection, SSRF, template injection (SSTI), XXE, file uploads |
| HTTP Smuggling | 17 | 95% | Content-Length/Transfer-Encoding conflicts, header splitting, request smuggling variants |
| Bot Traffic | Multiple | 70-99% | Challenge system with JS, PoW, hCaptcha, Turnstile options |
| Overall Average | 327+ | 90.49% | Enterprise-grade penetration testing patterns |
Test Coverage Details
- SQL Injection (146 tests): Union-based, boolean blind, time-based blind, error-based, stacked queries, order by enumeration, comment variations, encoding bypasses, case manipulation, advanced functions (xp_cmdshell, INTO OUTFILE), privilege escalation, NoSQL operators, batch queries, database fingerprinting, out-of-band exfiltration, double encoding, tautologies, truncation attacks, JSON/GraphQL/XML injection, HTTP parameter pollution, polyglot attacks, type juggling, stored procedures, charset manipulation
- XSS Attacks (86 tests): Basic script tags, event handlers (onerror, onload, onmouseover, onfocus, onanimationend, ontransitionend, etc.), JavaScript/vbscript/data/file protocols, HTML5 vectors (video, audio, form, link, meta), SVG attacks, CSS injection (expression, @import, behavior), DOM-based patterns, XML/XHTML vectors, template injection (Angular, React, Vue), encoding bypasses (Unicode, hex, HTML entities), polyglot attacks, mutation XSS, framework-specific vectors
- Header Injection (35 tests): CRLF injection (basic, URL-encoded, double-encoded), HTTP request smuggling (CL-TE, TE-CL), header pollution (duplicate Host, X-Forwarded-For), cache poisoning, authorization bypass (X-Original-URL, X-Rewrite-URL), XSS via headers, command injection in User-Agent/Via
- Form Sanitization (43 tests): Path traversal (directory traversal, Windows paths, encoded), command injection (shell metacharacters, backticks, $(), Shellshock), LDAP injection, XML/XXE attacks, SSRF (localhost, internal IPs, cloud metadata), template injection (Jinja2, ERB, OGNL), NoSQL injection (MongoDB operators), file upload attacks, CRLF in forms, expression language injection
Throughput Performance
| Metric | Value | Notes |
|---|---|---|
| Max Requests/Second | 10,000-50,000 | Depends on config and cores |
| WAF Processing Time | 0.15ms | Per request overhead |
| Memory per Request | 350KB | With full middleware stack |
| False Positive Rate | 0% | Zero false positives in 327+ test cases |
| CPU Usage | ~5-15% | During active traffic |
IPv6 Operation Performance
| Operation | Time (ns/op) | Allocations | Bytes/op |
|---|---|---|---|
| IsIPv6 Check | 43.98 | 0 | 0 |
| IP Normalization | 191.4 | 1 | 32 |
| Version Detection | 43.03 | 0 | 0 |
| CIDR Matching | <200 | 1 | 32 |
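As an added example (not RhinoWAF's own code), this Go program shows how the ns/op, allocations and bytes/op columns above are produced: the same testing.B machinery that `go test -bench=. -benchmem` uses, driven here from main via testing.Benchmark. The IsIPv6 and NormalizeIP functions are stand-in implementations built on net/netip and the sample address is constructed; the real project's functions may differ.

```go
package main

import (
	"fmt"
	"net/netip"
	"testing"
)

// IsIPv6 reports whether s is an IPv6 address; IPv4-mapped forms count as IPv4.
func IsIPv6(s string) bool {
	addr, err := netip.ParseAddr(s)
	return err == nil && addr.Unmap().Is6()
}

// NormalizeIP returns the canonical text form so that differently written
// addresses (uppercase hex, expanded zero runs, mapped IPv4) compare equal.
func NormalizeIP(s string) (string, error) {
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return "", err
	}
	return addr.Unmap().WithZone("").String(), nil
}

// Measure runs fn under testing.Benchmark with allocation tracking and returns
// the three figures the table reports: ns/op, allocs/op and B/op.
func Measure(fn func()) (nsPerOp, allocsPerOp, bytesPerOp int64) {
	r := testing.Benchmark(func(b *testing.B) {
		b.ReportAllocs()
		for i := 0; i < b.N; i++ {
			fn()
		}
	})
	return r.NsPerOp(), r.AllocsPerOp(), r.AllocedBytesPerOp()
}

func main() {
	ip, ok, norm := "2001:DB8:0:0:0:0:0:1", false, "" // constructed sample input
	ops := map[string]func(){
		"IsIPv6 Check":     func() { ok = IsIPv6(ip) },
		"IP Normalization": func() { norm, _ = NormalizeIP(ip) },
	}
	for name, fn := range ops { // map order is random; each row is labelled
		ns, al, by := Measure(fn)
		fmt.Printf("%-17s %5d ns/op %d allocs/op %3d B/op\n", name, ns, al, by)
	}
	_, _ = ok, norm // keep the results live so the calls are not optimised away
}
```

Normalization is the step that allocates (the String() call builds a new string), which is why it is the row with non-zero allocations in a table like the one above.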
Smuggling Detection Performance
| Metric | Value |
|---|---|
| Detection Overhead | <0.5ms per request |
| Memory Usage | Minimal (pre-compiled regexes) |
| CPU Impact | Negligible |
| Throughput Impact | No measurable impact |
Challenge System Performance
| Challenge Type | Solve Time | Bot Block Rate |
|---|---|---|
| JavaScript | 2 seconds | ~70% |
| Proof-of-Work (diff 4) | 1-5 seconds | ~85% |
| Proof-of-Work (diff 5) | 10-30 seconds | ~95% |
| hCaptcha | 3-10 seconds | ~99% |
| Turnstile | ~2 seconds | ~95% |
Fingerprinting Performance
| Metric | Value |
|---|---|
| First Visit Overhead | 1-2 seconds (collection page) |
| Subsequent Visits | <5ms (cookie validation) |
| Memory per Fingerprint | ~1KB |
| Bot Network Detection | Real-time |
Run Benchmarks Yourself
All benchmarks are reproducible. To run the comprehensive test suite:
```bash
# Run all attack detection tests
go test -v -run="TestSQLInjectionComprehensive|TestXSSDetection|TestHeaderInjection|TestPOSTFormSanitization" ./benchmarks

# Run performance benchmarks
go test -bench=. -benchmem -benchtime=3s ./benchmarks
```
Or use the automated PowerShell script that runs all tests:
```powershell
.\benchmarks\run_benchmarks.ps1
```
This will generate detailed reports including:
- SQL injection detection (146 tests across 39 categories)
- XSS detection (86 tests with advanced evasion techniques)
- Header injection detection (35 tests including smuggling)
- Form sanitization (43 tests covering multiple attack types)
- Performance metrics (throughput, latency, memory usage)
- Middleware overhead measurements
Results will vary based on your hardware, Go version, and system load. See the benchmarks/ directory for details.
Test Environment
Hardware
- CPU: AMD Ryzen 5 3600X (6 cores, 12 threads)
- RAM: 16GB DDR4
- Storage: NVMe SSD
Software
- Go 1.21+
- Linux kernel 5.15+
- RhinoWAF v2.5
Test Methodology
- Enterprise-grade penetration testing patterns from OWASP and real-world attacks
- 327+ test cases covering SQL injection, XSS, header injection, form attacks, and more
- Advanced evasion techniques: encoding bypasses, polyglot attacks, mutation vectors
- Zero tolerance for false positives - all legitimate inputs pass
- Go benchmark suite with concurrent request testing
- Middleware overhead measurements with -benchmem allocation tracking
- Automated test execution: `go test -v ./benchmarks`
- Full test suite available in the benchmarks/ directory