Web application firewall
A web application firewall (or WAF) filters, monitors, and blocks HTTP traffic to and from a web application. A WAF differs from a conventional firewall in that it inspects the content of traffic to specific web applications, whereas a conventional firewall acts as a safety gate between servers. By inspecting HTTP traffic, a WAF can prevent attacks that exploit web application security flaws, such as SQL injection, cross-site scripting (XSS), file inclusion, and security misconfigurations.
Application firewalls, which control input, output, and access from applications or services, were first developed in the early 1990s by Gene Spafford, Bill Cheswick, and Marcus Ranum. Their product was largely a network-based firewall but could handle a few applications (like FTP or RSH) and was released to market by DEC. Within the next few years, the products were further developed by other researchers to provide stable firewall software for others to build on, and raised the bar for the industry.
The first company to offer a dedicated web application firewall was Perfecto Technologies with its AppShield product, which focused on the e-commerce market and protected against illegal character entries in web pages. Perfecto, later renamed Sanctum, identified the top ten web application hacking techniques and thereby laid the foundations for the WAF market:
- Hidden field manipulation
- Cookie poisoning
- Parameter tampering
- Buffer overflow
- Cross site scripting (XSS)
- Backdoor or debug options
- Stealth commanding
- Forced browsing
- Third party misconfigurations
- Known vulnerabilities
In 2002, the open source project ModSecurity was formed to make WAF technology more accessible and to remove obstacles within the industry such as unclear business cases, cost barriers, and proprietary rule sets. ModSecurity finalized a core rule set for protecting web applications, based on the vulnerability work of the OASIS Web Application Security Technical Committee (WAS TC). In 2003, this work was expanded and standardized through the Open Web Application Security Project's (OWASP) Top 10 List, an annual ranking of web security vulnerabilities. This list would become the industry benchmark for many compliance themes.
Since then, the market has continued to grow and evolve, involving the larger commerce industry with the rise in credit card fraud. With the development of the Payment Card Industry Data Security Standard (PCI DSS), a standard for organizations to increase controls on cardholder data, security is more regulated and has sparked wide-scale interest in the industry. According to CISO Magazine, the WAF market size was expected to grow to $5.48 billion by 2022.
A web application firewall is a special type of application firewall that applies specifically to web applications. It is deployed in front of web applications and analyzes bi-directional web-based (HTTP) traffic, detecting and blocking anything malicious. OWASP provides a broad technical definition of a WAF as “a security solution on the web application level which - from a technical point of view - does not depend on the application itself.” According to the PCI DSS Information Supplement for requirement 6.6, a WAF is defined as “a security policy enforcement point positioned between a web application and the client endpoint. This functionality can be implemented in software or hardware, running in an appliance device, or in a typical server running a common operating system. It may be a stand-alone device or integrated into other network components.” In other words, a WAF can be a virtual or physical appliance that prevents vulnerabilities in web applications from being exploited by outside threats. These vulnerabilities may exist because the application is a legacy system or because it was insufficiently coded by design. The WAF addresses these code shortcomings through specially configured rule sets, also known as policies.
Previously unknown vulnerabilities can be discovered through penetration testing or with a vulnerability scanner. A web application vulnerability scanner, also known as a web application security scanner, is defined in SAMATE NIST 500-269 as “an automated program that examines web applications for potential security vulnerabilities. In addition to searching for web application-specific vulnerabilities, the tools also look for software coding errors.” Resolving vulnerabilities is commonly referred to as remediation. Corrections can be made to the application code, but typically a more prompt response is necessary. In these situations, applying a custom policy for a single web application vulnerability can provide a temporary but immediate fix, known as a virtual patch.
WAFs are not a complete security solution; rather, they are meant to be used in conjunction with other network perimeter security controls, such as network firewalls and intrusion prevention systems, to provide a holistic defense strategy.
WAFs typically follow a positive security model, a negative security model, or a combination of both, as described by the SANS Institute. WAFs use a combination of rule-based logic, parsing, and signatures to detect and prevent attacks such as cross-site scripting and SQL injection. OWASP produces a list of the top ten web application security flaws, and all commercial WAF offerings cover these ten flaws at a minimum. There are non-commercial options as well; as mentioned earlier, the well-known open source WAF engine ModSecurity is one of them. A WAF engine alone is insufficient to provide adequate protection, so OWASP, together with Trustwave's SpiderLabs, helps organize and maintain a Core Rule Set (CRS) on GitHub for use with the ModSecurity WAF engine.
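As an added illustration (not code from the article, from ModSecurity or from any vendor), the following filter shows how the negative model, the positive model and a virtual patch from the two passages above combine: the negative model scans every decoded value for signatures, the positive model checks each parameter against its declared shape for a given path, and one narrow rule covers a single flaw in a hypothetical /export endpoint until the application is fixed. All paths, parameters and rules are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Negative model: reject any value matching a known-bad signature.
SIGNATURES = {
    "sqli": re.compile(r"('|%27)\s*(or|and)\s+\S+\s*=\s*\S+|union\s+select", re.I),
    "xss": re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I),
}

# Positive model: per-path allow-list of parameters and the exact shape each
# value must have; a parameter not listed for that path is rejected.
ALLOWED = {
    "/search": {"q": re.compile(r"^[\w .-]{1,64}$")},
    "/account": {"id": re.compile(r"^\d{1,10}$")},
}

def vpatch_export(path, params):
    """Virtual patch (constructed example): a narrow rule covering one flaw in a
    hypothetical /export endpoint, rejecting path traversal in its 'file'
    parameter until the application code itself is fixed."""
    if path == "/export" and any(".." in v for v in params.get("file", [])):
        return "vpatch:export-traversal"
    return None

def inspect(url):
    """Return None if the request is allowed, otherwise the reason it was blocked."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    # 1. Negative model: cheap signature scan over every decoded value.
    for name, rx in SIGNATURES.items():
        if any(rx.search(v) for values in params.values() for v in values):
            return f"signature:{name}"
    # 2. Virtual patch for the one known flaw.
    reason = vpatch_export(parts.path, params)
    if reason:
        return reason
    # 3. Positive model: only enforced on paths with a declared schema.
    schema = ALLOWED.get(parts.path)
    if schema is not None:
        for key, values in params.items():
            rx = schema.get(key)
            if rx is None or not all(rx.match(v) for v in values):
                return f"schema:{key}"
    return None
```

Note that the positive model only applies where a schema has been declared, so a path without one (such as /about here) is checked by signatures alone; that gap is exactly why the two models are normally combined.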
Although the names of the operating modes may differ between vendors, WAFs are deployed inline in essentially three ways. According to NSS Labs, the deployment options are transparent bridge, transparent reverse proxy, and reverse proxy. 'Transparent' refers to the fact that HTTP traffic is sent straight to the web application, so the WAF sits transparently between client and server. This contrasts with reverse proxy mode, where the WAF acts as a proxy and the client's traffic is sent directly to the WAF, which then separately forwards filtered traffic to the web applications. This can provide additional benefits such as IP masking but may introduce disadvantages such as added latency.
Many commercial WAFs have similar features, but the major differences often lie in user interfaces, deployment options, or requirements within specific environments. Notable vendors include:
- Barracuda Networks WAF
- Citrix Netscaler Application Firewall
- F5 Big-IP ASM
- Fortinet FortiWeb
- Imperva SecureSphere
- Penta Security WAPPLES
- Radware AppWall
- Sophos XG Firewall
- Akamai Technologies Kona
- Alibaba Cloud
- Amazon Web Services AWS WAF
- F5 Silverline
- Imperva Incapsula
- Sucuri Firewall
Notable open-source applications include:
- "Web Application Firewall". TechTarget. Retrieved 10 April 2018.
- Alam, M. Afshar (2009). Recent Developments in Computing and Its Applications. K International House.
- "Perfecto Technologies Delivers AppShield for E-Business - InternetNews". www.internetnews.com. Retrieved 2016-09-20.
- "Identifying the 10 most common application-level hacker attacks - Page 1053900 - TechRepublic". TechRepublic. Retrieved 2016-09-20.
- "Web Parameter Tampering - OWASP". www.owasp.org.
- "Forced browsing - OWASP". www.owasp.org.
- "How Misconfiguration Can Leave You Vulnerable to Attackers - Calavista". 20 December 2017.
- "ModSecurity homepage". ModSecurity.
- DuPaul, Neil (25 April 2012). "What is OWASP? Guide to the OWASP Application Security Top 10". Veracode. Retrieved 10 April 2018.
- Svartman, Daniel (12 March 2018). "The OWASP Top Ten and Today's Threat Landscape". ITProPortal. Retrieved 10 April 2018.
- "Web Application Firewall Market Worth $5.48 Billion by 2022". CISO Magazine. 5 October 2017. Retrieved 10 April 2018.
- Maximilian Dermann; Mirko Dziadzka; Boris Hemkemeier; Alexander Meisel; Matthias Rohr; Thomas Schreiber (July 7, 2008). "OWASP Best Practices: Use of Web Application Firewalls ver. 1.0.5". OWASP.
- PCI Data Security Standards Council (October 2008). "Information Supplement: Application Reviews and Web Application Firewalls Clarified ver. 1.2" (PDF). PCI DSS.
- Paul E. Black; Elizabeth Fong; Vadim Okun; Romain Gaucher (January 2008). "NIST Special Publication 500-269 Software Assurance Tools: Web Application Security Scanner Functional Specification Version 1.0" (PDF). SAMATE NIST.
- Jason Pubal (March 13, 2015). "Web Application Firewalls - Enterprise Techniques" (PDF). SANS Institute. SANS Institute InfoSec Reading Room.
- "Core-Rule Set Project Repository". GitHub.
- "OWASP ModSecurity Core Rule Set Project". OWASP.
- "TEST METHODOLOGY Web Application Firewall 6.2". NSS Labs. Retrieved 2018-05-03.