Web Application Firewall (WAF)

What is WAF?

A Web Application Firewall (WAF) is a security tool designed to protect websites and web applications from common cyber threats. If you’re asking “what is WAF?”—it’s a filter that monitors, analyzes, and blocks suspicious traffic at the application layer of the OSI model.

Meaning and Definition of WAF

A Web Application Firewall helps protect web applications by filtering and monitoring traffic between the application and the Internet. WAF operates at the 7th layer (Application Layer) of the OSI model, which means it is not designed to stop all types of attacks, but rather to mitigate specific threats targeting web apps.

A WAF is typically positioned in front of a web application, acting as a shield between the app and incoming traffic. Unlike a forward proxy, which sits in front of clients and shields them, a WAF works as a reverse proxy: it sits in front of the server, receives each client request, inspects it, and only then passes it on to the application.

WAFs are often used as part of a broader security stack, working in combination with other tools to form a comprehensive defense strategy.

How WAF Works

A WAF operates based on a set of rules designed to protect web applications by filtering out malicious traffic. These rules target known vulnerabilities in applications and are especially valued for their flexibility and speed of modification, allowing security teams to quickly respond to evolving attack vectors.

As mentioned earlier, a WAF works at the application layer of the OSI model: it inspects reassembled HTTP messages (request line, headers, cookies, bodies) rather than individual packets. In practice this means the WAF sits after TLS termination, so it sees both the request and the response in the clear. The flip side is that the WAF must either terminate TLS itself (and therefore hold the server's certificate and key) or be placed behind whatever component does.

WAF Types

Choosing a Web Application Firewall (WAF) typically depends on a company’s security requirements, the architecture of the web application, and available budget. WAFs are most commonly classified according to three main criteria:

1. By Deployment Type:

  • Cloud web application firewall: A hosted SaaS solution. Traffic is routed through the provider (usually by changing DNS), so it scales without on-site hardware and suits startups or a single VPS.
  • On-Premise WAF: Runs inside your own infrastructure, either as a dedicated appliance in front of the servers or as software on the web server itself (for example a web-server module). It gives full control over configuration and data handling.
  • Hybrid WAF: A combination of cloud-based and on-premise approaches, offering both flexibility and control.

2. By Detection Method:

  • Signature-based: Detects and blocks known threats using a database of predefined attack patterns (e.g., SQLi, XSS). Many engines score each matching rule and block once the request's total anomaly score crosses a threshold.
  • Behavior-based (Anomaly Detection): Builds a model of normal traffic (statistical baselines or machine learning) and flags requests that deviate from it.
  • Whitelist-based (Positive Security Model): Allows only pre-approved, known-good requests: expected endpoints, methods and parameter formats. Anything else is rejected.
  • Blacklist-based (Negative Security Model): Blocks requests that match known-malicious patterns; everything else is allowed.

3. By Traffic Handling Mode:

  • Reverse Proxy Mode: The WAF acts as an intermediary server between the client and the web application, inspecting and filtering traffic.
  • Transparent (Bridge) Mode: Deployed inline without changing IP addresses, making it invisible to users and systems.
  • Out-of-Band (Monitoring) Mode: The WAF receives a copy of the traffic (port mirror or tap) and only logs and alerts; it cannot drop requests inline. Teams also commonly run an inline WAF in a log-only mode first, to tune rules before enabling blocking.
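The following is an added example, not code from the original page or from StormWall. It puts together the points made in "How WAF Works" and in the detection-method list above: inspection runs on the decoded application-layer data, a negative model scores signature hits and blocks at a threshold (in the spirit of the OWASP ModSecurity Core Rule Set), a positive model allowlists endpoints and parameter formats, and an `enforce` switch turns the engine into a log-only monitor. The endpoints, rules, and sample requests are all constructed for the demonstration.

```python
"""Minimal rule-based WAF engine (added example; constructed endpoints and rules)."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, unquote


@dataclass
class Request:
    """One HTTP request as the WAF sees it after TLS termination (constructed)."""
    method: str
    path: str
    query: str = ""
    body: str = ""


def normalize(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded by `rounds`), then
    case-fold. A single decode pass leaves '%252f' as '%2f' and hides '../'
    from the signatures below; bounding the loop avoids decode-bombs."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.lower()


# Negative model: (name, pattern, anomaly score). Scores accumulate per request
# and the request is blocked once they reach BLOCK_THRESHOLD.
SIGNATURES = [
    ("sqli", re.compile(r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+|union\s+select|;\s*drop\s"), 5),
    ("xss", re.compile(r"<script\b|javascript:|on(error|load|click)\s*="), 5),
    ("lfi", re.compile(r"\.\./|/etc/passwd|/proc/self/"), 5),
    ("rfi", re.compile(r"^\s*(https?|ftp)://"), 3),
]
BLOCK_THRESHOLD = 5

# Positive model: allowed methods and parameter formats per endpoint (assumed
# application). Endpoints or parameters not listed here are rejected outright.
ENDPOINTS = {
    "/login": {"methods": {"POST"},
               "params": {"user": r"^[a-z0-9_.@-]{1,64}$", "pass": r"^.{8,128}$"}},
    "/search": {"methods": {"GET"}, "params": {"q": r"^[\w\s-]{1,100}$"}},
}


def signature_hits(text: str) -> list[tuple[str, int]]:
    """Return (rule name, score) for every signature that matches `text`."""
    return [(name, score) for name, rx, score in SIGNATURES if rx.search(text)]


def extract_params(req: Request) -> dict[str, str]:
    """Merge query-string and form-body parameters, decoded once by parse_qsl;
    normalize() strips any further encoding layers."""
    pairs = parse_qsl(req.query, keep_blank_values=True)
    pairs += parse_qsl(req.body, keep_blank_values=True)
    return dict(pairs)


def positive_model_violations(req: Request, params: dict[str, str]) -> list[str]:
    """Everything the allowlist does not explicitly permit is a violation."""
    policy = ENDPOINTS.get(req.path)
    if policy is None:
        return [f"unknown endpoint {req.path}"]
    problems = []
    if req.method not in policy["methods"]:
        problems.append(f"method {req.method} not allowed on {req.path}")
    for name, value in params.items():
        pattern = policy["params"].get(name)
        if pattern is None:
            problems.append(f"unexpected parameter {name}")
        elif not re.fullmatch(pattern, value):
            problems.append(f"parameter {name} fails format check")
    return problems


def inspect(req: Request, enforce: bool = True) -> tuple[str, list[str]]:
    """Return ('allow' | 'block' | 'log', reasons). enforce=False mimics a
    monitoring deployment: findings are reported but nothing is blocked."""
    reasons: list[str] = []
    score = 0
    params = {k: normalize(v) for k, v in extract_params(req).items()}
    # Negative model over the decoded path and every decoded parameter value.
    for where, text in [("path", normalize(req.path)), *params.items()]:
        for name, points in signature_hits(text):
            score += points
            reasons.append(f"{name} signature in {where}")
    negative_block = score >= BLOCK_THRESHOLD
    if negative_block:
        reasons.append(f"anomaly score {score} reached threshold {BLOCK_THRESHOLD}")
    positive = positive_model_violations(req, params)
    reasons.extend(positive)
    if not (negative_block or positive):
        return "allow", reasons
    return ("block" if enforce else "log"), reasons


if __name__ == "__main__":
    samples = [
        Request("POST", "/login", body="user=alice&pass=correct-horse-battery"),
        Request("POST", "/login", body="user=admin%27+or+%271%27%3D%271&pass=whatever123"),
        Request("GET", "/search", query="q=..%252f..%252fetc%252fpasswd"),
        Request("GET", "/search", query="q=http%3A%2F%2Fevil.example%2Fshell.txt"),
    ]
    for r in samples:
        print(r.method, r.path, inspect(r))
```

Two details are worth noticing when running it. The double-encoded traversal `..%252f..%252fetc%252fpasswd` only matches the LFI signature because `normalize()` decodes repeatedly; a WAF that decodes once would let it through. The remote-inclusion URL scores only 3, below the blocking threshold, yet the request is still rejected because the positive model knows `/search?q=` never legitimately contains `://`. Both models together catch what each alone would miss, which is the reason real deployments layer them.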

WAF vs. IDS/IPS: Key Differences

A WAF operates based on rules tailored specifically to web applications, whereas IDS/IPS systems analyze a broader range of data—including traffic at the network infrastructure level.

Unlike intrusion detection and prevention systems, a WAF parses the application-layer formats web apps actually use (URL encoding, multipart forms, JSON, XML) and validates them. Another key difference is that a WAF does not only hunt for attack signatures: with a positive security model it can check that a request matches what the application expects (endpoint, method, parameter formats) and reject everything else. IDS/IPS tools, by contrast, are primarily built to recognise signatures of known attacks in packets and flows.

Encryption handling also differs between the two. WAFs are typically deployed after decryption, allowing full access to the requested content. IDS/IPS solutions, however, may not inspect encrypted traffic unless specifically configured to do so—which means they could miss some web application-level attacks.

On the other hand, IDS/IPS tools support a broader range of signatures and can detect threats that WAFs cannot, such as IP fragmentation attacks. WAFs are limited to protocols used by web applications and therefore don’t see lower-level network threats.

In the end, WAF and IDS/IPS are overlapping tools with different areas of focus. In some cases, both will detect an attack. In others, only one may respond, and some threats might even slip past both. That’s why using them together—as part of a layered security strategy—is often the best approach.

What Attacks Does a WAF Protect Against?

A Web Application Firewall (WAF) is a powerful tool for defending against a wide range of threats:

  • SQL injection is one of the most common attacks on websites and applications that work with databases. Its essence lies in injecting arbitrary SQL code into a query, which can give an attacker the ability to read and modify the database.
  • Cross-site scripting (XSS) is also a very common type of attack. Its essence lies in the injection of malicious code into a page so that it runs in other users' browsers. With it, an attacker can steal session cookies and personal data and perform any action that JavaScript can perform as the victim.
  • Local and Remote File Inclusion (LFI/RFI) – abuse of file-inclusion functionality for the attacker's own purposes.
    • Local File Inclusion (LFI) – tricks the application into including a file already present on the server. A remote user can thereby read arbitrary files, including those containing confidential information, and, if they can plant content in a file that gets included (for example a log or an upload), execute code.
    • Remote File Inclusion (RFI) – makes the application include a file from an attacker-controlled remote host, which the server then executes. RFI occurs when incoming data used by the site's code is not properly validated.
  • RCE (remote code execution) is the most severe outcome an injection flaw can have. With RCE, the attacker runs code of their choosing on the compromised server or other host.
  • PHP injection is a way to compromise PHP-powered sites by getting third-party code executed on the server. If the attack succeeds, the attacker can execute arbitrary PHP code.
  • Automated actions – guessing of logins, passwords, and promotional codes. In online stores, bots can automatically add items to carts to make them unavailable to real customers.
  • Bots. They search and scan for vulnerabilities in web applications, scrape data, and so on. Bad bots account for a substantial share of all web traffic.
  • Brute-force attacks – guessing passwords and user session identifiers. A WAF's rate limiting also helps against application-layer DoS attacks such as HTTP floods.
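To make the first item concrete, here is an added example (not from the original page or from StormWall) of the SQL injection the list describes: the vulnerable query built by string concatenation beside its parameterised form. The in-memory SQLite database and its `users` rows are constructed for the demonstration. A WAF signature would catch this particular payload, but the parameterised query is what actually removes the vulnerability; the WAF is the compensating control in front of it.

```python
"""SQL injection: vulnerable query vs. parameterised query (added example)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "s3cret-admin-pw", "admin"), ("alice", "alice-pw-1", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Builds the query from user input, so input can change the SQL syntax.
    A username of  ' OR 1=1 --  turns the WHERE clause into
    username = '' OR 1=1 --' AND password = '...'   (rest is a comment)."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Parameterised: the driver sends input as data, never as SQL syntax."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"
    print("vulnerable:", login_vulnerable(db, payload, "anything"))  # logs in as admin
    print("safe:      ", login_safe(db, payload, "anything"))        # None
    print("legit:     ", login_safe(db, "alice", "alice-pw-1"))
```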

Of course, this list is incomplete: a WAF can protect you from a much broader range of attack types.

You might also want to check out possibilities of StormWall Enterprise-Grade WAF