Web Application Firewall (WAF)

A Web Application Firewall (WAF) is a layer 7 security control that inspects HTTP/HTTPS requests (and optionally responses) between clients and a web application and blocks those that match its rules. WAFs target injection-style attacks such as cross-site scripting (XSS), SQL injection, path traversal and other OWASP Top 10 categories; they see the request, not the application code it reaches, so they reduce exposure rather than remove the underlying flaw.

How WAFs Work

  • Signature-based: regular-expression rules matched against the decoded request (URI, headers, parameters, body), for example the OWASP Core Rule Set on ModSecurity. Rules are typically weighted and the request is blocked once its summed anomaly score reaches a threshold, rather than on the first match
  • Behavioral: anomaly detection against a learned baseline of normal traffic (request rates, parameter shapes, session flow)
  • Reputation-based: IP and ASN reputation lists, rate limiting and bot detection
  • Machine learning: models trained on observed traffic that classify requests and are retrained over time instead of being maintained rule by rule

Deployment Modes

# Reverse proxy (inline): the WAF terminates the connection and can drop a request
# before it reaches the application (or runs as an embedded module such as
# ModSecurity inside Apache/nginx)
Client → WAF → Application Server

# Out-of-band (monitoring only): the WAF sees a copy of the traffic from a TAP or
# SPAN port, so it can alert but cannot stop the request that already arrived
Client → Application Server
           ↓ (copy)
          WAF

# Cloud-based: DNS or the load balancer routes traffic through the provider
# (Cloudflare's proxy; AWS WAF attached to CloudFront, an ALB or API Gateway).
# The origin must accept traffic only from the provider's address ranges,
# otherwise an attacker who learns the origin address talks to it directly
# and the WAF never sees the request
Client → Cloudflare/AWS WAF → Application

Common WAF Products

  • Cloud: Cloudflare, AWS WAF, Akamai, Imperva
  • On-premise (commercial): F5 BIG-IP Advanced WAF (formerly ASM), Fortinet FortiWeb
  • Open source: ModSecurity (usually paired with the OWASP Core Rule Set), NAXSI (nginx module), Shadow Daemon

What WAFs Block

Rules are evaluated after URL-decoding and normalization of the request, so the patterns below are the decoded form of what arrives on the wire:

# SQL Injection patterns
' OR '1'='1
UNION SELECT

# XSS patterns
<script>
javascript:

# Path traversal
../../../etc/passwd

# Command injection
; cat /etc/passwd

Limitations

  • Bypassed with encoding and obfuscation: double URL-encoding, case changes, inline SQL comments (UN/**/ION), alternative syntax for the same operation, or request bodies (multipart, chunked, unusual content types) the engine does not fully parse
  • False positives block legitimate traffic, so a new rule set is normally run in detection-only mode and tuned against real traffic before enforcement is switched on
  • Not a replacement for secure coding: the WAF sees the request, not the code path it reaches, and a single missed payload is enough
  • Business logic flaws (broken access control, race conditions, abuse of valid features) are not detected, because each individual request looks legitimate
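The script below is an added illustration written for this page, not code from any WAF product or rule set. It implements a small signature engine with Core Rule Set style anomaly scoring over the pattern categories listed under What WAFs Block, then runs constructed requests through it to show two of the limitations above in practice: a double-URL-encoded payload that slips past a single decoding pass, and a harmless page title that trips the UNION SELECT rule. The rule regexes, weights, threshold, decode_rounds knob and sample query strings are all constructed for this example.

```python
import re
import urllib.parse

# Constructed rules in the spirit of the patterns listed under
# "What WAFs Block". Weights follow the Core Rule Set convention
# (critical 5, warning 3) but the rules are illustrative, not taken
# from any shipping rule set.
RULES = [
    ("sqli-tautology", re.compile(r"'\s*or\s*'[^']*'\s*=\s*'", re.I), 5),
    ("sqli-union",     re.compile(r"\bunion\b\s+(?:all\s+)?\bselect\b", re.I), 5),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I), 5),
    ("xss-js-uri",     re.compile(r"javascript\s*:", re.I), 3),
    ("path-traversal", re.compile(r"(?:\.\./){2,}"), 5),
    ("cmd-injection",  re.compile(r"[;&|]\s*(?:cat|ls|id|wget|curl)\b", re.I), 5),
]
# Anomaly threshold: block once the summed weight of matching rules reaches it.
THRESHOLD = 5


def parse_query(query_string, decode_rounds=1):
    """Split a raw query string into name/value pairs and apply exactly
    decode_rounds rounds of URL decoding to each value. parse_qsl is
    avoided on purpose: it decodes implicitly, which would hide how many
    passes the engine really makes (most engines make one by default)."""
    params = {}
    for pair in query_string.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        for _ in range(decode_rounds):
            value = urllib.parse.unquote_plus(value)
        params[name] = value
    return params


def normalize(value):
    """Canonicalize before matching: drop NUL bytes and collapse runs of
    whitespace so "UNION   SELECT" and "UNION\\tSELECT" hit the same rule."""
    value = value.replace("\x00", "")
    return re.sub(r"\s+", " ", value)


def score_request(query_string, decode_rounds=1):
    """Return (anomaly_score, [ids of rules that fired]) for one request."""
    score, hits = 0, []
    for value in parse_query(query_string, decode_rounds).values():
        value = normalize(value)
        for rule_id, pattern, weight in RULES:
            if pattern.search(value):
                score += weight
                hits.append(rule_id)
    return score, hits


def decide(query_string, decode_rounds=1):
    """Inline (reverse proxy) decision: BLOCK at or above the threshold."""
    score, _ = score_request(query_string, decode_rounds)
    return "BLOCK" if score >= THRESHOLD else "ALLOW"


# Constructed sample requests: raw query strings as they arrive on the wire.
SAMPLE_REQUESTS = [
    ("benign search",        "q=pliers&page=2"),
    ("sqli tautology",       "id=1%27+OR+%271%27%3D%271"),
    ("sqli union",           "id=1+UNION+SELECT+username%2Cpassword+FROM+users"),
    ("xss script tag",       "name=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
    ("xss javascript: only", "next=javascript%3Aalert(1)"),              # warning-level, stays below threshold
    ("path traversal",       "file=..%2F..%2F..%2Fetc%2Fpasswd"),
    ("command injection",    "host=8.8.8.8%3B+cat+%2Fetc%2Fpasswd"),
    ("double-encoded sqli",  "id=1%2527+OR+%25271%2527%253D%25271"),     # bypasses a single decode pass
    ("false positive",       "title=Union+Select+Committee+report"),      # legitimate text, still blocked
]

if __name__ == "__main__":
    for rounds in (1, 2):
        print(f"--- decode_rounds={rounds} ---")
        for label, qs in SAMPLE_REQUESTS:
            score, hits = score_request(qs, rounds)
            print(f"{decide(qs, rounds):5} score={score} {label:22} {hits}")
```

Run it and compare the two passes: with one decoding round the double-encoded tautology scores 0 and is allowed, because the engine still sees %27 rather than a quote; with two rounds it is blocked. Real engines bound the number of passes and add rules for the encoded forms themselves, which is why the tuning work never ends. The "Union Select Committee report" title is blocked in both passes, which is the false-positive cost that makes a detection-only rollout before enforcement worthwhile.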

See Also