Complete Web Application Firewall Guide

rezaduty
Jun 7, 2019
Complete and in-depth guide for Web Application Firewalls

What is a Web Application Firewall (WAF)?

A WAF or Web Application Firewall helps protect web applications by filtering, monitoring and blocking HTTP(S) traffic between a web application and the Internet. Unlike a network firewall, which decides on addresses, ports and protocols, a WAF works at Layer 7 and inspects the request itself (URL, query string, headers, cookies and body) and often the response as well.


What is the difference between blacklist and whitelist WAFs?

A WAF that operates on a blacklist (negative security model) protects against known attacks: it lets everything through except requests that match its signatures of malicious input. A WAF that operates on a whitelist (positive security model) admits only traffic that matches a pre-approved profile of the application and denies everything else. Most products can run both at once (a hybrid model).

What are network-based, host-based, and cloud-based WAFs?

A WAF can be implemented in one of three different ways, each with its own benefits and shortcomings:

  • A network-based WAF is generally a hardware appliance. Because it is installed locally, in line with the web servers, it adds minimal latency, but it is the most expensive option and requires storage and maintenance of physical equipment.
  • A host-based WAF may be fully integrated into an application's software, for example as a web-server module. This solution is less expensive than a network-based WAF and offers more customizability. The downsides are the consumption of local server resources, implementation complexity, and maintenance costs: these components typically require engineering time, which is not free.
  • Cloud-based WAFs offer an affordable option that is easy to implement: they usually offer a turnkey installation that is as simple as a DNS change to redirect traffic through the provider. Cloud-based WAFs have a minimal upfront cost, as users pay monthly or annually for security as a service, and the provider keeps the rule set updated against the newest threats without additional work on the user's end. The drawback is that users hand responsibility to a third party, so parts of the WAF are a black box to them; the provider also terminates TLS and sees the plaintext traffic. A practical caveat: the origin server must only accept connections from the provider's address ranges, otherwise an attacker who finds the origin IP simply goes around the WAF.

Software WAF vs. Appliance WAF

A software WAF runs as a module inside the web server (ModSecurity in Apache or Nginx is the common case) or as a separate proxy process on general-purpose hosts, so it scales with the application tier and costs little. An appliance WAF is a dedicated physical or virtual device placed in front of the servers; it is a single inline control that is easier to manage centrally but needs its own capacity planning and becomes a single point of failure unless deployed in a pair.

Web Application Firewall Deployment

  1. Reverse Proxy: the WAF terminates client connections (including TLS), inspects each request and forwards only the accepted ones to the backend. The backend sees the WAF as the client unless the WAF adds an X-Forwarded-For header, so logging and IP-based rate limits on the backend must be adjusted.
  2. Transparent inline (bridge): the WAF sits on the network path without its own IP address and without changing the traffic's addressing, so no DNS or application change is needed.
  3. Embedded: the WAF runs inside the web server or application process as a module or agent and sees the request exactly as the application does.
  4. Out-of-band (monitor): the WAF receives a mirror of the traffic and can only alert, not block; useful for tuning rules before going inline.

Cloud WAF vs On-Premises WAF

There are two main varieties of Web Application Firewall solutions: on-premises WAF (a hardware or virtual appliance, or software, run inside the organisation's own network) and cloud WAF (a service the provider operates in front of the site, usually reached by repointing DNS at the provider).

How WAFs Work

  • Using a set of rules to distinguish between normal requests and malicious requests; the rules are applied to the decoded HTTP request (URL, query string, headers, cookies, body) and often to the response as well.
  • Sometimes they use a learning mode to build rules automatically from observed user behaviour; the learned profile should be reviewed before it is enforced.
  • Negative Model (Blacklist based): the firewall allows everything that does not match a signature of known-bad input (SQL injection, XSS, path traversal, and so on). It is easy to deploy and rarely breaks legitimate traffic, but it only catches what it has a signature for, and attackers look for encodings and variants that slip past the signatures.
  • Positive Model (Whitelist based): a whitelisting model only allows web traffic that matches specifically configured criteria. For example, it can be configured to only allow HTTP GET requests from certain IP addresses. This model is very effective at blocking attacks, but it also blocks any legitimate traffic that does not fit the profile, so the profile has to be maintained as the application changes. Whitelisting firewalls are probably best for web applications on an internal network that are designed to be used by a limited group of people, such as employees.
  • Mixed/Hybrid Model (Inclusive model): a hybrid security model blends whitelisting and blacklisting, typically a strict profile for well-defined endpoints such as login forms and signature checks for everything else. Depending on the configuration, hybrid firewalls can be the best choice both for web applications on internal networks and for web applications on the public internet.
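The three models above, as an added example (not code from the page or from any WAF product): a toy rule engine in Python with a tiny blacklist, a tiny per-endpoint whitelist profile and a hybrid mode, run over four constructed requests. The endpoints, signatures and profiles are assumptions made for the illustration.

```python
"""Toy rule engine showing the negative (blacklist), positive (whitelist) and
hybrid WAF models side by side. Added example, not code from the page or from
any WAF product; signatures and profiles are deliberately tiny."""
import re
from dataclasses import dataclass
from urllib.parse import unquote_plus


@dataclass
class Request:
    method: str
    path: str
    params: dict   # parameters as the web framework would hand them over


# Negative model: signatures of known-bad input, applied after decoding.
BLACKLIST = {
    "sqli":      re.compile(r"(?i)\bor\b\s+\d+\s*=\s*\d+|\bunion\b\s+\bselect\b|\bsleep\s*\(|'\s*or\s*'"),
    "xss":       re.compile(r"(?i)<script\b|javascript:|\bon\w+\s*="),
    "traversal": re.compile(r"\.\./|\.\.\\|/etc/passwd"),
}

# Positive model: an explicit profile of what each endpoint accepts (assumed app).
WHITELIST = {
    ("GET", "/search"): {"q": re.compile(r"[\w \-]{1,64}")},
    ("POST", "/login"): {"user": re.compile(r"[a-z0-9_]{3,32}"),
                         "pass": re.compile(r".{8,128}")},
}


def normalise(value: str) -> str:
    """Decode twice so double-encoded payloads (%252e%252e) are seen the way the
    backend will eventually see them; mismatched decoding is a classic bypass."""
    return unquote_plus(unquote_plus(value))


def negative_check(req: Request) -> list[str]:
    hits = []
    for name, value in [("path", req.path), *req.params.items()]:
        for rule, pattern in BLACKLIST.items():
            if pattern.search(normalise(value)):
                hits.append(f"{rule}:{name}")
    return hits


def positive_check(req: Request) -> list[str]:
    profile = WHITELIST.get((req.method, req.path))
    if profile is None:
        return [f"no profile for {req.method} {req.path}"]
    violations = []
    for name, value in req.params.items():
        pattern = profile.get(name)
        if pattern is None:
            violations.append(f"unexpected parameter {name}")
        elif not pattern.fullmatch(value):
            violations.append(f"parameter {name} outside profile")
    return violations


def decide(req: Request, model: str) -> tuple[str, list[str]]:
    """Return ("allow" | "block", reasons) for the request under the named model."""
    if model == "negative":
        reasons = negative_check(req)
    elif model == "positive":
        reasons = positive_check(req)
    elif model == "hybrid":
        # Profiled endpoints get the strict whitelist on top of the signatures;
        # everything else is only screened by signatures, so unknown endpoints still work.
        reasons = negative_check(req)
        if (req.method, req.path) in WHITELIST:
            reasons += positive_check(req)
    else:
        raise ValueError(f"unknown model {model!r}")
    return ("block" if reasons else "allow", reasons)


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "legit":      Request("GET", "/search",   {"q": "waf guide"}),
    "sqli":       Request("GET", "/search",   {"q": "' OR 1=1 --"}),
    "unknown":    Request("GET", "/admin",    {"debug": "1"}),
    "dbl_encode": Request("GET", "/download", {"file": "%2e%2e/%2e%2e/etc/passwd"}),
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        verdicts = {m: decide(req, m)[0] for m in ("negative", "positive", "hybrid")}
        print(f"{label:11s} {verdicts}")
```

Running it prints one verdict per model for each request. The unknown endpoint shows the trade-off described above: the positive model blocks it because no profile exists, the negative model lets it through, and the hybrid model falls back to signatures. The double-encoded traversal shows why the engine must decode input the same way the backend will before matching signatures.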

How to detect a WAF

  1. Make a request from the command line (e.g. cURL) and compare the response content and headers with what a browser gets; also try it with no User-Agent header at all, since many WAFs reject or challenge such requests.
  2. Make GET requests to other open ports and grab banners, which may expose the WAF's identity.
  3. If there is a login page, try some common (easily detectable) payloads such as " or 1 = 1 --.
  4. If there is an input field, try noisy payloads such as <script>alert()</script>.
  5. Attach a dummy ../../../etc/passwd to a random parameter at the end of the URL.
  6. Append catchy keywords such as ' OR SLEEP(5) OR ' to a random parameter at the end of the URL.
  7. Make requests with outdated protocol versions such as HTTP/0.9 (which only supports GET, not POST); a WAF that rejects or normalises them behaves differently from the origin server.
  8. Watch the Server header: many WAFs change it depending on the type of interaction, and block pages often carry a vendor-specific status code (403, 406, 419, 429), body text, cookie or header (for example a cf-ray header from Cloudflare or an incap_ses cookie from Incapsula).
  9. Drop Action Technique: send a raw crafted FIN/RST packet to the server and compare the response with what the origin would produce.
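The checklist above, as an added example (not code from the page, from wafw00f or from any other tool): a Python script that builds the probe requests from steps 1 and 3 to 6, then classifies a set of responses by vendor-specific headers, cookies and block-page text (step 8), plus a generic "some WAF is present" check based on status codes. The sample responses are constructed; the vendor signatures are the publicly documented ones (Cloudflare's cf-ray header, Akamai's AkamaiGHost banner, Incapsula's incap_ses_ cookie, F5's BIGipServer cookie, ModSecurity's block-page text) and should be treated as assumptions to verify against a maintained tool.

```python
"""Offline WAF fingerprinting over the probes from the detection checklist.
Added example, not code from the page or from any tool. Vendor signatures are
the widely published ones; verify them against a maintained tool (e.g. wafw00f)."""
import re
from urllib.parse import quote

# Probe set: label, method, path to append to the site base URL, extra headers.
PROBES = [
    ("baseline",  "GET", "/", {"User-Agent": "Mozilla/5.0"}),
    ("no-ua",     "GET", "/", {}),                                          # step 1
    ("sqli",      "GET", "/?id=" + quote("' OR 1=1 --"), {}),               # step 3
    ("xss",       "GET", "/?q=" + quote("<script>alert()</script>"), {}),   # step 4
    ("traversal", "GET", "/?file=" + quote("../../../etc/passwd"), {}),    # step 5
    ("sleep",     "GET", "/?id=" + quote("' OR SLEEP(5) OR '"), {}),       # step 6
]
BLOCK_CODES = {403, 406, 419, 429, 501, 503}   # typical WAF block responses

# (where, header name or None, regex); "cookie" is matched against each Set-Cookie value.
SIGNATURES = {
    "Cloudflare": [("header", "cf-ray", r"."), ("header", "server", r"(?i)cloudflare"),
                   ("cookie", None, r"^(__cfduid|__cf_bm|cf_clearance)="),
                   ("body", None, r"(?i)attention required! \| cloudflare")],
    "Akamai Kona Site Defender": [("header", "server", r"(?i)AkamaiGHost")],
    "Imperva Incapsula": [("header", "x-cdn", r"(?i)incapsula"),
                          ("cookie", None, r"^(incap_ses_|visid_incap_)"),
                          ("body", None, r"(?i)incapsula incident id")],
    "F5 BIG-IP ASM": [("cookie", None, r"^(TS[0-9a-f]{6,8}|BIGipServer)"),
                      ("body", None, r"The requested URL was rejected\. Please consult with your administrator")],
    "ModSecurity": [("header", "server", r"(?i)mod_security|NOYB"),
                    ("body", None, r"(?i)this error was generated by mod_security")],
}


def _headers(resp):
    """Lower-case header names; Set-Cookie may be a list or a single string."""
    return {k.lower(): v for k, v in resp.get("headers", {}).items()}


def _cookies(hdrs):
    raw = hdrs.get("set-cookie", [])
    return [raw] if isinstance(raw, str) else list(raw)


def match_vendor(responses):
    """Map vendor -> list of evidence strings for every signature that fired."""
    hits = {}
    for label, resp in responses.items():
        hdrs, body = _headers(resp), resp.get("body", "")
        for vendor, rules in SIGNATURES.items():
            for where, name, pattern in rules:
                rx = re.compile(pattern)
                if where == "header":
                    value = hdrs.get(name)
                    found = isinstance(value, str) and rx.search(value)
                elif where == "cookie":
                    found = any(rx.search(c) for c in _cookies(hdrs))
                else:
                    found = rx.search(body)
                if found:
                    hits.setdefault(vendor, []).append(f"{label}: {where} {name or ''} {pattern}")
    return hits


def fingerprint(responses):
    """responses: {probe label: {"status": int, "headers": {...}, "body": str}}."""
    baseline = responses.get("baseline", {}).get("status")
    blocked = [label for label, r in responses.items()
               if label not in ("baseline", "no-ua") and r.get("status") in BLOCK_CODES]
    servers = {_headers(r).get("server") for r in responses.values()} - {None}
    vendors = match_vendor(responses)
    best = max(vendors, key=lambda v: len(vendors[v])) if vendors else None
    return {
        "vendor": best,
        "evidence": vendors.get(best, []),
        "generic_waf": baseline == 200 and bool(blocked),   # serves normal traffic, blocks attacks
        "blocked_probes": blocked,
        "server_header_varies": len(servers) > 1,            # step 8
    }


def _resp(status, server, body="", **extra):
    return {"status": status, "headers": {"Server": server, **extra}, "body": body}


# Constructed responses (not captured from any real site).
CF_BLOCK = "<title>Attention Required! | Cloudflare</title>"
SAMPLE_CLOUDFLARE = {
    "baseline":  _resp(200, "cloudflare", "<html>home</html>", **{"CF-RAY": "7d0c1a2b3c4d5e6f-FRA"}),
    "no-ua":     _resp(200, "cloudflare", "<html>home</html>", **{"CF-RAY": "7d0c1a2b3c4d5e70-FRA"}),
    "sqli":      _resp(403, "cloudflare", CF_BLOCK, **{"Set-Cookie": ["__cf_bm=abc; Path=/; HttpOnly"]}),
    "xss":       _resp(403, "cloudflare", CF_BLOCK),
    "traversal": _resp(403, "cloudflare", CF_BLOCK),
    "sleep":     _resp(403, "cloudflare", CF_BLOCK),
}
MODSEC_BLOCK = "<p>This error was generated by Mod_Security.</p>"
SAMPLE_MODSECURITY = {
    "baseline":  _resp(200, "Apache", "<html>home</html>"),
    "no-ua":     _resp(200, "Apache", "<html>home</html>"),
    "sqli":      _resp(403, "Apache", MODSEC_BLOCK),
    "xss":       _resp(403, "Apache", MODSEC_BLOCK),
    "traversal": _resp(403, "Apache", MODSEC_BLOCK),
    "sleep":     _resp(200, "Apache", "<html>no results</html>"),   # a signature miss
}
SAMPLE_NO_WAF = {label: _resp(200, "nginx", "<html>ok</html>") for label, *_ in PROBES}
```

To run it against a real target, send each PROBES entry with urllib or requests, collect status, headers and body under the probe label, and pass the dict to fingerprint(). A vendor match on the baseline response alone only proves the site sits behind that provider; the blocked_probes list is what shows that a rule set is actually enforcing.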

Our Top 5 Best Cloud-Based WAFs

  1. Cloudflare WAF
  2. Akamai Kona Site Defender
  3. F5 Silverline WAF
  4. Amazon AWS WAF
  5. Imperva Incapsula WAF

Our Top 5 Best WAF Appliances

  1. Imperva SecureSphere

5 Open Source Web Application Firewall

  1. ModSecurity: the best-known open source WAF engine, available as a module for Apache, Nginx and IIS and usually run with the OWASP Core Rule Set. With that rule set it protects against, among others:
  • Trojan
  • Information leakage
  • SQL injection
  • Common web attacks
  • Malicious activity
  2. IronBee: an Apache-licensed WAF framework from Qualys; packages are available for
  • Fedora
  • Ubuntu
  • OS X
  3. NAXSI (NBS System): an Nginx module that scores each request against a small set of SQL injection and XSS patterns and relies on per-site whitelists to remove false positives.
  4. WebKnight: an ISAPI filter for IIS that blocks, among other things:
  • Directory traversal
  • Character encoding attacks
  • SQL injection
  • Bad robots
  • Hotlinking
  • Brute force
  • And much more
  5. Shadow Daemon: connectors for PHP, Perl and Python applications that send requests to a central analysis engine; it detects:
  • XML injection
  • Code injection
  • Command injection
  • XSS
  • Backdoor access
  • Local/remote file inclusion

Commercial WAFs and rule sets mentioned alongside these:
  • Incapsula (cloud-based)
  • F5 ASM
  • Trustwave ModSecurity commercial rules
  • SUCURI (cloud-based)
  • Akeeba Admin Tools (for Joomla)

Web Application Firewall Benefits vs Weaknesses

Web Application Firewall Benefits

Attacks a WAF helps block:
  • Cross-site scripting (XSS)
  • Distributed denial of service (DDoS) attacks, when combined with DDoS mitigation
  • Application-specific attacks (SQL injection, file inclusion and the other patterns listed above)

Features to look for:
  • Strong default rule sets
  • Customized Layer 7 protection
  • Integration with DDoS mitigation
  • Real-time reporting and logging for instant visibility

Web Application Firewall Weaknesses

  • Signature-based rules produce false positives (legitimate traffic blocked) and false negatives (attacks that match no rule); tuning them is ongoing work, not a one-off.
  • Rules can be bypassed when the WAF decodes or parses a request differently from the backend (alternative encodings, parameter pollution, unusual content types), which is why the detection checklist above works in the first place.
  • A WAF does not understand business logic, so it cannot stop authorization flaws, race conditions or abuse of legitimate functionality; it is a compensating control, not a replacement for fixing the application.
  • It is an inline component that terminates TLS and adds latency, and if the origin server is reachable directly the WAF can be skipped entirely.

Web Application Firewall vs Next Generation Firewall

Next Generation Firewalls concentrate on application-stream signatures (identifying which application or protocol a flow belongs to), which work well for controlling outbound internet traffic but offer very little inbound web server protection, because an NGFW does not parse the HTTP request the way the application does. A WAF works on the decoded Layer 7 request and response; the two are complementary controls, not substitutes for each other.

Resources

devconnected — DevOps, Sysadmins & Engineering
