Demonstration website of BunkerWeb solution


Feel free to perform some security tests by hand or with automated tools, as long as you are ethical in your approach.

Please note that DoS/DDoS tests are out of scope and therefore forbidden on this demo website.

Because the main goal of BunkerWeb is to defend against attackers, you may be banned from the demo website while performing security tests.
If that's the case, send a GET request to https://demo.bunkerweb.io/unban in order to get unbanned.



Out of the box, we have automated Let's Encrypt support and an A+ rating from the Qualys SSL Server Test.

SSL REPORT : DEMO.BUNKERWEB.IO (overall rating A+)

  • Certificate: 100 / 100
  • Protocol support: 100 / 100
  • Key Exchange: 90 / 100
  • Cipher Strength: 90 / 100

Visit our documentation page for more information, configuration guides and books.
A list of known issues is also available.


This website works only in browsers with SNI support.


This server supports TLS 1.3.


HTTP Strict Transport Security (HSTS) with a long max-age is deployed on this server.

Many security headers are present by default, for example:

You can edit them to fit your own needs and easily get an A+ rating on Security Headers.

Security Headers report (rating A+):

  • Site: https://demo.bunkerweb.io
  • IP Address: 152.x.x.x
  • Report Time: 28 Mar 2023 15:43:36 UTC
  • Headers: Strict-Transport-Security, Content-Security-Policy, Referrer-Policy, Permissions-Policy, X-Frame-Options, X-Content-Type-Options

You can prevent bad bots from accessing your web applications by using the "Antibot" feature.
It works by asking the client to solve a "challenge" before it can access the web app.

Here is the list of supported challenge types:

  • Cookie: give a cookie to the client and expect to get it back on the next requests.

  • JavaScript: ask the client to solve a computational challenge in JavaScript.

  • Captcha: ask the client to solve a traditional captcha.

  • hCaptcha: ask the client to solve an hCaptcha.

  • reCAPTCHA: allow or deny the client depending on its reCAPTCHA score.

Example challenge pages:

  • Captcha: "Please prove that you are human before accessing this website"

  • JavaScript check: "Please wait while we are doing some security checks"

  • hCaptcha: "Please prove that you are human before accessing this website"

  • reCAPTCHA: "Please prove that you are human before accessing this website"

The ModSecurity WAF is integrated into BunkerWeb alongside the Core Rule Set (CRS).

It's highly customizable: you can add your own rules, configure CRS exclusions and update existing rules to meet your own use cases.

APPLICATION FIREWALL

You can test the WAF by injecting some common patterns used in web application attacks.

If you get a 403, the WAF detected the content as malicious.

BunkerWeb watches and handles client actions throughout your web app.

If a client generates too many "suspicious" HTTP status codes (like 403, 404 or 429) within a period of time, we can consider that it might be malicious and ban it.

That kind of feature, called "bad behavior", is integrated into BunkerWeb.

BAD BEHAVIOR

You can test the bad behavior feature by generating many suspicious HTTP status codes by hand or by clicking the button below (see the code).

Please note that you can get unbanned from the demo website by sending a GET request to the link below:

https://demo.bunkerweb.io/unban
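How the bad behavior logic described above can be expressed in code, as an added example that is not BunkerWeb's own implementation: it replays constructed access log lines through a sliding-window counter and bans an IP once it has produced a threshold number of suspicious status codes within the window. The status code list, threshold, window length and ban duration are assumed parameters for this example, not the project's settings.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed NGINX-style access log lines (sample data, not real demo traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [28/Mar/2023:15:40:00 +0000] "GET /admin HTTP/1.1" 404 153
198.51.100.7 - - [28/Mar/2023:15:40:03 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.5 - - [28/Mar/2023:15:40:05 +0000] "GET /wp-login.php HTTP/1.1" 404 153
203.0.113.5 - - [28/Mar/2023:15:40:09 +0000] "GET /.env HTTP/1.1" 403 146
198.51.100.7 - - [28/Mar/2023:15:40:12 +0000] "GET /favicon.ico HTTP/1.1" 404 153
203.0.113.5 - - [28/Mar/2023:15:40:15 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153
203.0.113.5 - - [28/Mar/2023:15:40:20 +0000] "GET /.git/config HTTP/1.1" 403 146
198.51.100.7 - - [28/Mar/2023:15:41:30 +0000] "GET /robots.txt HTTP/1.1" 404 153
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')

class BadBehaviorDetector:
    # Ban an IP for `ban_time` s once it triggers `threshold` suspicious status codes
    # within `count_time` s. Parameter names and defaults are assumptions of this example.
    def __init__(self, status_codes=(403, 404, 429), threshold=5, count_time=60, ban_time=86400):
        self.status_codes, self.threshold = set(status_codes), threshold
        self.count_time, self.ban_time = count_time, ban_time
        self.events = defaultdict(deque)  # ip -> timestamps of recent suspicious responses
        self.bans = {}                    # ip -> unix time at which the ban expires

    def is_banned(self, ip, now):
        return ip in self.bans and now < self.bans[ip]

    def observe(self, ip, status, now):
        # Record one response; True means the client is banned after it.
        if self.is_banned(ip, now):
            return True
        if status not in self.status_codes:
            return False
        q = self.events[ip]
        q.append(now)
        while q[0] <= now - self.count_time:  # slide the window: forget old events
            q.popleft()
        if len(q) < self.threshold:
            return False
        self.bans[ip] = now + self.ban_time
        return True

def replay(log_text, detector):
    # Parse each access log record, feed it to the detector, return {ip: ban_expiry}.
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
        detector.observe(m.group("ip"), int(m.group("status")), ts)
    return dict(detector.bans)
```

With the sample data, 203.0.113.5 reaches five suspicious responses in 20 seconds and is banned, while 198.51.100.7's two 404s fall outside one 60-second window and it stays unbanned.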

With BunkerWeb, you can configure limits on the maximum number of concurrent connections and also rates on requests.
Supported rates are per second, minute, hour and day.

These features protect you against:

  • Bruteforce attacks: a succession of combinations tried to find a target identifier.

  • DDoS: sending a high volume of traffic to overload the normal operation of your services.

  • API abuse: lack of control and policy on your APIs to protect your data.

You can test the limit feature by sending some requests to the same URL in a loop or by using the button below (see the code).

If you get a 429, you are being limited.

Plugins

BunkerWeb offers a plugin system to easily add more security features in addition to the core ones. Here is the list of official plugins that we maintain:

  • ClamAV: automatically scan uploaded files with the ClamAV antivirus engine.

  • CrowdSec: bouncer for CrowdSec, deny requests based on CrowdSec decisions.

  • VirusTotal: get VirusTotal reports for uploaded files and deny the request if the file is detected.

Of course, you can also create your own plugins.

You can test the ClamAV plugin here by sending an EICAR test file (10 MB max size).
If you get a 403, ClamAV detected the file as malicious.

More features

The features presented above are only a small part of what BunkerWeb can handle.

Want to learn more about our solution?
More security-related features are listed in the documentation.


Any question about BunkerWeb?
Do not hesitate to join our community chat to talk about it.