Guide to web application firewalls

A web application firewall, or WAF for short, is a firewall that monitors, filters and blocks potentially dangerous HTTP requests sent to a web application (and, depending on the product, the responses it sends back). A WAF can be deployed in a number of ways, including as a network appliance, as software on the web server host itself or as a cloud service; in every case it sits between the client and the web server so that each request passes through it before the application sees it.

Web application firewalls are a common security feature used to protect web applications against a range of threats, using a number of detection methods. As an example, the request below is what a simple SQL injection attempt looks like on the wire.

GET /book.php?id=25'+UNION+SELECT+username,password+FROM+users--+-- HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Connection: close

The WAF (not the web server itself) inspects the incoming request and compares it against a set of rules, or signatures, looking for patterns it deems harmful. In this example it would flag UNION and SELECT, the comment sequence -- and, depending on how strictly it is configured, even the lone ' that breaks out of the original query. When a request matches enough rules the WAF stops it before it reaches the web server and returns an alternative response instead, which depending on configuration can range from a plain 400 Bad Request or 403 Forbidden to a custom error page. Two caveats are worth knowing. First, a WAF that matches on raw keywords can be bypassed with URL encoding, changes of case or inline comments (UNION/**/SELECT), so a good rule set decodes and normalises the input before matching. Second, the lone ' also appears in legitimate data such as the name O'Brien, so most WAFs give each rule a score and only block once the total for a request reaches a threshold, rather than blocking on any single match.

When a WAF blocks a request it will usually log the details of that request: the requester's IP address, the User-Agent string, the request line and parameters, the rule or rules that matched, and the date and time. Some firewalls collect further information depending on their configuration.
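The inspection and logging steps described above, as an added example (this is not code from this page or from any particular WAF product): a small signature-based inspector written in Python. The three requests, the four rules, their scores and the block threshold are all constructed for illustration, and a production rule set is far larger. Each inspected field is decoded and normalised before the rules see it, so the same payload hidden behind double URL encoding and an inline SQL comment is still caught, and hits are scored so that a harmless apostrophe on its own does not trigger a block.

```python
import re
import urllib.parse
from datetime import datetime, timezone

# Constructed requests for this example (not real captures). The first mirrors the
# request shown above, the second hides the same payload behind double URL encoding
# and an inline comment, the third is a harmless search containing an apostrophe.
SQLI_REQUEST = (
    "GET /book.php?id=25'+UNION+SELECT+username,password+FROM+users--+-- HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0\r\n"
    "Accept: */*\r\nConnection: close\r\n\r\n"
)
EVASIVE_REQUEST = (
    "GET /book.php?id=25%2527%20UNION/**/SELECT%20username%20FROM%20users-- HTTP/1.1\r\n"
    "Host: example.com\r\nUser-Agent: curl/8.0\r\n\r\n"
)
BENIGN_REQUEST = (
    "GET /search.php?author=O'Brien HTTP/1.1\r\n"
    "Host: example.com\r\nUser-Agent: curl/8.0\r\n\r\n"
)

# Hypothetical rule set: (rule id, anomaly score, pattern applied to normalised input).
# A production rule set such as the OWASP Core Rule Set contains hundreds of rules.
RULES = [
    ("sqli-union-select", 5, re.compile(r"\bunion\b.{0,60}\bselect\b")),
    ("sqli-comment",      2, re.compile(r"--|#|/\*")),
    ("sqli-quote",        1, re.compile(r"'")),
    ("xss-script-tag",    5, re.compile(r"<\s*script\b")),
]
BLOCK_THRESHOLD = 5   # block once the summed score of all hits reaches this value


def parse_request(raw):
    """Split a raw HTTP/1.1 request into request line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    _method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"line": request_line, "target": target, "headers": headers, "body": body}


def normalize(value):
    """Transform a field the way the backend would before the rules see it,
    so encoding tricks do not slip past the patterns."""
    for _ in range(2):                                    # %2527 -> %27 -> '
        value = urllib.parse.unquote_plus(value)
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)  # UNION/**/SELECT -> UNION SELECT
    value = re.sub(r"\s+", " ", value)
    return value.lower()


def inspect(req):
    """Run every rule over every inspected location; return (rule id, location, score) hits."""
    path, _, query = req["target"].partition("?")
    locations = {"path": path, "body": req["body"]}
    for param in filter(None, query.split("&")):
        name, _, value = param.partition("=")
        locations["arg:" + name] = value
    for hname in ("user-agent", "referer", "cookie"):   # headers attackers also inject into
        if hname in req["headers"]:
            locations["header:" + hname] = req["headers"][hname]
    hits = []
    for location, value in locations.items():
        norm = normalize(value)
        for rule_id, score, pattern in RULES:
            if pattern.search(norm):
                hits.append((rule_id, location, score))
    return hits


def evaluate(raw, client_ip):
    """Return (HTTP status to send, log record); 403 once the score reaches the threshold."""
    req = parse_request(raw)
    hits = inspect(req)
    score = sum(score for _, _, score in hits)
    blocked = score >= BLOCK_THRESHOLD
    record = {                       # what the WAF would write to its log for this request
        "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "client_ip": client_ip,
        "user_agent": req["headers"].get("user-agent", "-"),
        "request": req["line"],
        "rules": sorted({rule_id for rule_id, _, _ in hits}),
        "score": score,
        "action": "block" if blocked else "allow",
    }
    return (403 if blocked else 200), record


if __name__ == "__main__":
    for raw in (SQLI_REQUEST, EVASIVE_REQUEST, BENIGN_REQUEST):
        print(evaluate(raw, "198.51.100.7"))   # constructed client address (documentation range)
```

Running it blocks the first two requests with the union, comment and quote rules all matching on the id parameter, and lets the O'Brien search through with a score of 1. Decoding twice is deliberate: a backend that itself decodes a parameter would otherwise see a different string from the one the rules were matched against, which is exactly the gap encoding-based bypasses exploit.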

Other benefits of using a web application firewall

Not all malicious requests contain suspicious text such as SQL injection or cross-site scripting payloads. A WAF can also step in when a large number of requests arrive in quick succession from a single IP address. This can be completely harmless, but it can also be an indicator of a denial of service (DoS) attack. Should too many requests be made within a given time frame, the IP address is logged and added to a blocklist, and any further requests from it are answered with some form of 403 Forbidden page. IP addresses are usually removed from this list after a few hours, although repeat offenders can receive permanent bans.

Taking it to the next level, attackers can spread the same flood across many hosts on different networks, turning the denial of service attack into a distributed denial of service (DDoS). Each source then stays under the per-IP threshold, so the per-address blocklist above is no longer enough on its own and the WAF has to look at the overall request rate and at behavioural signals instead.
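The rate limiting and blocklist behaviour described in the last two paragraphs, as an added example in Python (not code from this page or from any WAF product). The thresholds, block duration, IP addresses and request timings are constructed for illustration, and timestamps are passed in explicitly so the simulation is deterministic. Beyond the single-source case, the last function shows why a per-address limit alone does not stop a distributed attack: fifty hosts sending twenty requests each within one second put far more load on the server than the single host that got blocked, yet none of them is ever rejected.

```python
from collections import defaultdict, deque


class RateLimiter:
    """Per-IP sliding-window counter with temporary blocks that become permanent
    for repeat offenders. All thresholds are hypothetical."""

    def __init__(self, max_requests=100, window=10.0, block_seconds=3600.0, max_blocks=3):
        self.max_requests = max_requests      # requests allowed per window
        self.window = window                  # window length in seconds
        self.block_seconds = block_seconds    # length of a temporary block
        self.max_blocks = max_blocks          # blocks before the ban becomes permanent
        self.history = defaultdict(deque)     # ip -> request timestamps inside the window
        self.blocked_until = {}               # ip -> expiry time, float("inf") = permanent
        self.block_count = defaultdict(int)   # ip -> how many times it has been blocked

    def check(self, ip, now):
        """Return 200 to pass the request or 403 to reject it."""
        expiry = self.blocked_until.get(ip)
        if expiry is not None:
            if now < expiry:
                return 403                    # still on the blocklist
            del self.blocked_until[ip]        # temporary block has lapsed
        stamps = self.history[ip]
        stamps.append(now)
        while stamps and stamps[0] <= now - self.window:
            stamps.popleft()                  # forget requests outside the window
        if len(stamps) > self.max_requests:
            self.block_count[ip] += 1
            permanent = self.block_count[ip] >= self.max_blocks
            self.blocked_until[ip] = float("inf") if permanent else now + self.block_seconds
            stamps.clear()
            return 403
        return 200


def simulate_single_flood(limiter, ip="203.0.113.9", n=150, start=0.0):
    """n requests from one constructed IP spread over one second; returns (allowed, rejected)."""
    results = [limiter.check(ip, start + i / n) for i in range(n)]
    return results.count(200), results.count(403)


def simulate_repeat_offender(limiter, ip="203.0.113.9"):
    """Flood, wait out the block, flood again until the ban is permanent;
    returns how many floods that took."""
    floods, t = 0, 0.0
    while limiter.blocked_until.get(ip) != float("inf"):
        simulate_single_flood(limiter, ip, start=t)
        floods += 1
        t += limiter.block_seconds + 1.0      # come back just after the block expires
    return floods


def simulate_distributed_flood(limiter, hosts=50, per_host=20):
    """hosts * per_host requests in one second from many source addresses;
    returns (total requests, how many the per-IP limiter rejected)."""
    total = hosts * per_host
    rejected = 0
    for i in range(total):
        ip = "192.0.2.%d" % (i % hosts)       # constructed addresses (documentation range)
        if limiter.check(ip, i / total) == 403:
            rejected += 1
    return total, rejected


if __name__ == "__main__":
    print(simulate_single_flood(RateLimiter()))        # (100, 50)
    print(simulate_repeat_offender(RateLimiter()))     # 3
    print(simulate_distributed_flood(RateLimiter()))   # (1000, 0)
```

The single host is cut off after its 100th request and stays blocked for an hour; coming back three times earns it a permanent entry. The distributed flood sends ten times as many requests per second and is never touched, which is why DDoS protection has to be built on aggregate request rates, upstream scrubbing and bot detection rather than on per-address blocklists.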

Common web application firewalls

There are a number of web application firewalls available on the market; in case this sounds like something you'd be interested in, here are a few examples, each described in the vendor's own words. Please note, arctil does not endorse any of the following products.

• Cloudflare

The Cloudflare web application firewall (WAF) is the cornerstone of our advanced application security portfolio that keeps applications and APIs secure and productive, thwarts DDoS attacks, keeps bots at bay, and detects anomalies and malicious payloads, all while monitoring for browser supply chain attacks.

• Sucuri

The Sucuri Website Application Firewall (WAF) stops bad actors, speeds up load times, and increases your website availability.

• Barracuda

Application security is increasingly complex. Barracuda makes it simple. Barracuda Web Application Firewall is a part of Barracuda Cloud Application Protection, an integrated platform that brings a comprehensive set of interoperable solutions and capabilities together to ensure complete application security.

• Imperva

Imperva WAF is a key component of a comprehensive Web Application and API Protection (WAAP) stack that secures from edge to database, so the traffic you receive is only the traffic you want.
