Knowledge baseTermsWAF

WAF (Web application firewall)

Web application firewall (WAF) is a traffic filtration tool that works on application layer and is used to protect web applications.


What is it and what is it for?

WAF helps to protect web applications by filtering and tracking traffic between web applications and the Internet. WAF works on the 7th (Application) layer of the OSI model. That means that it is not intended to protect from all types of attacks. This method of attack mitigation is usually a part of a set of tools which together form an integral defense.

WAF is usually placed before web applications, working as a kind of shield between the application and the Internet. When proxy protects client’s data, WAF can be called “reverse-proxy” as it protects server’s data passing clients through itself before providing access to the resource.

WAF works on a set of rules. These rules are aimed to protect against vulnerabilities in the application by filtering malicious traffic. It is valued in particular for the speed and simplicity with which these rules can be changed, allowing for a faster response to changing attack vectors.


As it was already said before, WAF works on the application layer, which means that it deals with data stream, not network stream after it was received by the host. As a result, it is usually applied after decryption so it has full access to the content of the request and response. WAF tends to focus on signatures that are unique to web applications more, rather than IDS/IPS. It is also more likely to check things like JSON or XML format validation. WAF will pay attention to things that are not right, instead of looking for what is wrong.

Unlike WAF, IDS/IPS (intrusion detection/protection systems) work on network layer. While decryption is possible in some configurations, it is not expected in the same way as in the case of WAF, and if it is absent, then IDS/IPS can simply miss the attack on the web application. IDS/IPS can analyze all network layers, which allows it to look for things like IP fragmentation attacks which WAF cannot detect. Also, because IDS / IPS can monitor all traffic, it is not limited to just web application protocols and has a wider range of signatures. Thus, IDS/IPS may not have the same detailed set of web application signatures as WAF.

These are two intersecting technologies: in the event of an attack, both IDS / IPS and WAF will react to some traffic. For some only WAF or IDS / IPS. But there is also a chance that the attack will just fly past both of them.

What WAF must be able to do?

As one can already understand, WAF is a very useful tool that protects against many types of attacks. Among them are such as:

  • SQL injection is one of the most common types of attacks on websites and programs. that work with databases. Its essence lies in the injection of arbitrary SQL code into a query, which can give an attacker access to view and edit the database.
  • Cross site scripting (XSS) is also a very common type of attack. Its essence lies in the injection of malicious code by the attacker. With its help, an attacker can gain access to the user's personal data, and in general, almost everything that JavaScript becomes available to him.
  • Local and Remote File Injection (LFI/RFI) - The use of local and remote files for their own purposes.
    • Local File Inclusion (LFI) - Allows an attacker to execute a local file on the server. With its help, a remote user can access arbitrary files on the server, including those containing confidential information.
    • Remote File Inclusion (RFI) - Allows an attacker to execute a remote file on the server. RFI occurs when incoming data in the site's code is not properly validated.
  • RCE (remote code execution) is the highest threat class A1 according to the OWASP classification. When using RCE, the attacker remotely executes code on the compromised computer, server, etc.
  • PHP injection is a way to hack PHP-powered sites, which consists in executing third-party code on the server. If this attack is successful, an attacker will be able to execute any PHP command.
  • Automated actions - guessing of logins, passwords, promotional codes. Online stores can automatically add items to the cart to reduce availability.
  • Bots. They search and scan for vulnerabilities in web applications, extract data, etc. Bots generate roughly 20% of bad traffic on the internet.
  • Brute-force attacks - guessing of a password and user session identifier, various DoS attacks.

Of course, this list is incomplete, WAF will be able to protect you from a much broader range of types of attacks.