What is a WAF? | Web Application Firewall Explained

What is a WAF? | Web Application Firewall Explained

What is a WAF?

A Web Application Firewall (WAF) is a security layer that is present between end-users and applications. A WAF inspects both the traffic to the web application and the return traffic from the application, filtering all application access. The basic motive of WAF is to monitor and block the contents that violate pre-defined policy. A WAF complements standard network firewalls by protecting both the application infrastructure and the application users.  WAF is also known as Virtual patching. When unprotected/ unfixed vulnerabilities are discovered on a website, with WAFs you can apply virtual fixes in real-time.

The three general tasks of WAFs are:

  • Filtering
  • Monitoring
  • Blocking

Why Do We Need WAF?

The capacity for a company to collect and retain client data using web applications offers numerous advantages, but it also opens the door to attackers.  Every new application that involves the data flow across servers that increases your risk of being hacked. End-user-facing applications might be vulnerable to a variety of risks. Many of these vulnerabilities may be avoided by application developers who fix them however, this is often beyond the control of the website owner.

  • A traditional firewall works at the TCP or IP network layer.
  • A proxy server protects the identity of a client machine through the use of an intermediary.
  • An IPS, on the other hand, is a sort of layer 3 security. It should have a limited understanding of attacks based on layer 7 assaults.

So the firewall, Proxy, and IPS/IDS systems fail to defend against application-layer attacks because the most typical cyber security attacks nowadays generally involve data exfiltration and occur at the application level.

WAFs are built exclusively for web applications, analyzing each HTTP request at the application level and decrypting SSL/TLS traffic completely. WAF provides data security for back-end databases to a variety of businesses and sectors, including e-commerce, banking, and social networking platforms. You’ll need it because you can never be completely sure about your code.

The Most Common Types of Web Attacks include:

  • Cross-site scripting (XSS)
  • SQL Injection (SQLI)
  • Path traversal
  • Local File Inclusion
  • Distributed Denial of Service (DDoS) attacks

How do WAFs work?

Basically, WAF sits in front of the public side of the web application on the outside of your network., monitoring incoming traffic to protect you from attacks on the application layer. It examines and monitors the incoming online traffic of your web applications thereby blocking or filtering any dangerous requests from reaching your apps.

WAF comes with security rules that can identify and block a variety of known attack patterns. A WAF is controlled by a set of rules known as policies. These policies are designed to guard against application vulnerabilities by blocking out bad traffic.

WAF policies can be predefined or created by an administrator.

WAF Rule:

–> Block Request from Bad Guys

–> Allow Request from Good Guys

How to Install WAF?

WAF Deployment Options:  There are three types of WAFs. They are:

1. Network-Based or Hardware-Based WAFs

A network-based WAF is set up using a hardware appliance that is located locally behind the web application servers on the network. A dedicated appliance is required for this type of WAF. The most significant benefit of a hardware-based WAF is its high speed and performance. The cost of this sort of WAF solution is higher than other types of WAFs because, as I previously stated, it requires physical space for a dedicated server and has higher maintenance costs.

2. Host-Based or Software-based WAFs

Unlike hardware-based WAFs, host-based WAFs are entirely integrated into your website’s software, saving you money and giving you more options for customization. Organizations using cloud-based web and application servers, such as data centers and hosting providers, frequently deploy software WAFs. However, there are still a lot of maintenance costs that go into this type of WAF, and because it runs on your server, it consumes your server’s resources.

3. Cloud-based WAFs

A cloud-based WAF is the cheapest and easiest to compare to the other two implemented deployment strategies. If you’re currently using a public cloud for your infrastructure, you may buy a WAF subscription directly from your provider as a service. The major disadvantage of cloud-based WAFs is that the protection is not controlled by who owns this model, and because the protection is provided by a third party, the end-user does not have the complete awareness of the rules and features that are in use.

WAF Operates Based on Three Models:

Negative Model (Blacklist based) – A blacklisting model uses security rules/policies can be predefined or created by an administrator to block web traffic that is clearly malicious, and signatures designed to prevent attacks that exploit certain websites and web applications vulnerabilities.


Do not allow in any page, any argument value (user input) which match potential XSS strings like <script> Hello World </script>.

Positive Model (Whitelist-based) – A whitelisting model restricts online traffic to only that which meets specific requirements.


It can be configured to only access some sensitive files from certain IP addresses (E.g., Trusted IPs).

Mixed/Hybrid Model (Inclusive model) – A hybrid security model is one that blends both whitelisting and blacklisting models.

The following are some of the WAF Rule Mechanisms:-

Rules-based on regular expressions:

The majority of the existing WAFs use rules based on regular expressions. The developer researches a certain set of known attacks to identify key syntactic structures which could point at an attack.

Score building:

It works based on the grading system and if the grade reaches the threshold value, the attack is detected and the request is blocked.

Signature-based analysis:

It works based on malicious signatures that are previously known.

Behavior analysis:

WAFs can also build request chains typical for normal behavior and block attempts to send unauthorized requests. Therefore limiting the number of requests per minute wouldn’t affect a normal user but would be a serious obstacle for scanners, which work in multiple threats.

Reputation analysis:

WAFs can include the list of the Tor nodes, blacklist IPs, anonymizers, and botnets to block requests from malicious IPs. Advanced WAFs can automatically update their databases and complement them with additional entries based on the analyzed traffic.

Application profiling:

This involves analyzing the structure of an application, including the typical requests, URLs, values and permitted data types. This allows the WAF to identify and block potentially malicious requests.

Benefits of WAFs:

WAF is a software application that operates on a physical device, a plugin, or a cloud service, and it offers the following benefits:

  • Finds security flaws and coding issues in a web application that need to be fixed right away.
  • Prevents sensitive data from being sent outside of the application without permission.
  • Other perimeter defense and protection systems, include firewalls and IPS/IDS tools,  which can be used in combination with this solution.
  • Protects a web application from cyberattacks that bypass network firewalls without requiring access to its source code.
  • Allows users to easily change the settings of an app in response to security issues.

Opensource WAF:

ModSecurity was built as an open-source WAF in 2002 to make WAF technology more accessible and build a core rule set for securing online applications.

ModSecurity WAF is a popular open-source WAF that can be installed as a module in NGINX, Apache, or IIS.  These rules are made up of regular expressions and determine if a request is valid such as an attack or a data breach for each one.

This is a sample XSS Rule Structure from ModSecurity:-

XSS vulnerabilities can result in a loss of data, session hijacking, and other account takeover attacks. It’s a critical issue that should be addressed throughout the entire application.

## -=[ XSS Filters – Category 1 ]=-# http://xssplayground.net23.net/xssfilter.html# script tag based XSS vectors, e.g., <script> alert(1)</script>#

Syntax: SecRule Target Operator [Action]







 msg:’XSS Filter – Category 1: Script Tag Vector’,\   

logdata:’Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}’,\    tag:’application-multi’,\    tag:’language-multi’,\    tag:’platform-multi’,\    tag:’attack-xss’,\    tag:’paranoia-level/1′,\    tag:’OWASP_CRS’,\    tag:’OWASP_CRS/WEB_ATTACK/XSS’,\    tag:’WASCTC/WASC-8′,\    tag:’WASCTC/WASC-22′,\    tag:’OWASP_TOP_10/A3′,\    tag:’OWASP_AppSensor/IE1′,\    tag:’CAPEC-242′,\    ctl:auditLogParts=+E,\    ver:’OWASP_CRS/3.2.0′,\    severity:’CRITICAL’,\    setvar:’tx.xss_score=+%{tx.critical_anomaly_score}’,\    setvar:’tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'”

Illustration of the above rule:

  • This ModSec rule will match the Regex pattern “@rx (?i)<script[^>]>[\s\S]?” in the mentioned fields in SecRule. (REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/*).
  • Once the field is selected it will apply mentioned the Transformation functions(t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\)
  • t:none: It won’t apply any transform to the traffic take same values as the user given input.
  • t:urlDecode: It will apply URL decoding method to the traffic and reform it original value.
  • Same as all the functions apply for the rules.
  • If the regex pattern is found in the traffic it will do the action which is mentioned as a block and throws the error msg which is mentioned by us “msg:’XSS Filter – Category 1: Script Tag Vector’,\ logdata:’Matched Data: ” <script></script>”  found within REQUEST_COOKIES: /__utm/'”.


To secure your applications, a WAF is strictly necessary. It also helps to meet compliance requirements. Take a step forward in the domain of cybersecurity. Configure a WAF using the best practices.

Happy Hunting 🙂

Previous articleRemote Desktop Protocol Remote Code Execution Vulnerability – CVE-2022-21893
Next articleWeb Malware Removal | How to Remove Malware From Your Website?
Govarthan Mani
Cyber Security Incident Response Team


Please enter your comment!
Please enter your name here