Web application firewall
A web application firewall (WAF) is a specialized security tool that operates at the application layer to monitor, filter, and block HTTP/HTTPS traffic to and from web applications, applying predefined rules to detect and prevent malicious activities such as injection attacks and cross-site scripting (XSS).[1] Unlike traditional network firewalls, which focus on ports and IP addresses at lower OSI layers, a WAF examines the content of requests and responses at Layer 7, enabling it to identify application-specific threats like SQL injection, cross-site request forgery (CSRF), and denial-of-service (DoS) attempts targeting vulnerabilities outlined in the OWASP Top 10.[2] WAFs are typically deployed as reverse proxies between clients and web servers, or as modules integrated into web servers like Apache or Nginx, though cloud-based and hybrid options provide scalability for modern distributed architectures including APIs and mobile apps.[1] This positioning allows them to enforce security policies dynamically, using techniques such as signature-based detection for known exploits, behavioral analysis for anomalies, and machine learning to adapt to emerging threats, while also logging traffic for compliance with regulations like PCI DSS.[2] By mitigating common web exploits without requiring changes to application code, WAFs enhance overall security posture, reduce breach risks for online services in sectors like finance and e-commerce, and support virtual patching for known software vulnerabilities until updates are applied.[3] However, effective implementation demands ongoing rule tuning and maintenance to balance protection against false positives that could disrupt legitimate traffic.[4]
Fundamentals
Definition
A web application firewall (WAF) is a security solution that monitors, filters, and blocks HTTP/S traffic to and from web applications at Layer 7 of the OSI model.[1][5] Unlike traditional network firewalls, which operate at lower OSI layers such as Layer 3 (network) and Layer 4 (transport) to perform IP address and port-based filtering, WAFs focus on application-layer data, including the content of HTTP requests and responses.[6][7] At a high level, WAFs incorporate core components such as reverse proxy functionality to intercept and route traffic, a rule engine to inspect payloads against security policies, and logging mechanisms to capture events for auditing and incident response.[8][9][10] WAFs emerged in the late 1990s as a targeted response to the rise of web-specific vulnerabilities, complementing broader network defenses against threats like those in the OWASP Top 10.[11][12]
Purpose and Protected Threats
A web application firewall (WAF) primarily aims to safeguard web applications and APIs from exploitation by inspecting and filtering incoming HTTP/S traffic to block malicious requests before they reach the application server.[13] It also facilitates regulatory compliance, such as with PCI DSS requirements for protecting cardholder data through real-time threat detection and policy enforcement, and GDPR mandates for securing personal data via traffic monitoring and logging.[14][15] Furthermore, WAFs enhance operational visibility by analyzing traffic patterns, which helps organizations identify anomalies and refine security postures without disrupting legitimate users.[16] WAFs are engineered to counter the most prevalent web vulnerabilities outlined in the OWASP Top 10 (2025 edition), providing targeted protection against a range of common exploits.[17] These include:
- Broken Access Control (A01:2025), enabling unauthorized users to access restricted resources or perform privileged actions by exploiting weak permission checks.
- Security Misconfiguration (A02:2025), arising from default settings, incomplete configurations, or misapplied permissions that expose applications to unnecessary risks.
- Software Supply Chain Failures (A03:2025), targeting vulnerabilities in dependencies, CI/CD systems, and distribution infrastructure with known exploits like those in the CVE database.
- Cryptographic Failures (A04:2025), involving inadequate encryption or transmission of confidential information like passwords or credit card details.
- Injection (A05:2025), such as SQL, command, NoSQL, template injections, or cross-site scripting (XSS), where attackers insert malicious code into input fields to manipulate backend databases, execute unauthorized commands, or inject harmful scripts into web pages viewed by other users.
- Insecure Design (A06:2025), where flawed application architecture allows attackers to bypass intended security controls through poor threat modeling.
- Authentication Failures (A07:2025), including broken authentication mechanisms that permit session hijacking, credential stuffing, or weak password recovery.
- Software or Data Integrity Failures (A08:2025), encompassing insecure deserialization that leads to remote code execution or issues in update mechanisms allowing tampering.
- Logging & Alerting Failures (A09:2025), where insufficient event tracking and alerting allow various attacks to go undetected.
- Mishandling of Exceptional Conditions (A10:2025), involving unsafe error handling that exposes sensitive information or enables denial-of-service through unhandled failures.
' OR 1=1 -- or XSS payloads like <script>alert('xss')</script>, which traditional network defenses often overlook due to their application-layer nature.[2][19]
In a defense-in-depth approach, WAFs act as a complementary control layer, bolstering secure coding practices, input validation, and perimeter defenses like traditional firewalls by specifically addressing web-specific exploits that may evade other measures.[20][21]
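As an added example, not code from the article or from any WAF product, the following Python sketch models the rule-engine and logging components described under Definition and the signature matching behind the SQL injection and XSS payloads listed above. It URL-decodes each request field (including a second pass for double-encoded input), scores the fields against constructed signature rules in the style of an anomaly-scoring WAF so that one low-confidence match alone cannot block, applies a per-path, per-parameter exclusion to show the kind of rule tuning the article says is needed to contain false positives, and emits one structured audit record per request. Every rule ID, score, threshold, path, header and sample request here is constructed for illustration.

```python
"""Minimal WAF-style request inspector (added example; rules and requests are constructed)."""
import json
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, unquote_plus, urlsplit


@dataclass
class Rule:
    rule_id: str          # constructed identifier, not a real rule-set id
    description: str
    pattern: re.Pattern
    score: int            # anomaly score contributed by one match


# Constructed signatures for the two payload classes named in the article.
# Low-confidence rules carry a small score so that a single match cannot block.
RULES = [
    Rule("1001", "SQL tautology (' OR 1=1)", re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I), 5),
    Rule("1002", "SQL comment terminator at end of value", re.compile(r"(--|#|/\*)\s*$"), 2),
    Rule("2001", "HTML <script> tag", re.compile(r"<\s*script\b", re.I), 5),
    Rule("2002", "inline JavaScript event handler", re.compile(r"\bon\w+\s*=", re.I), 3),
]
BLOCK_THRESHOLD = 5

# Rule tuning: suppress a rule for one (path, parameter) pair where it is known
# to fire on legitimate input, e.g. searches for "C#" that end in a '#' character.
EXCLUSIONS = {("/search", "q"): {"1002"}}


@dataclass
class Verdict:
    action: str                       # "allow" or "block"
    score: int
    matches: list = field(default_factory=list)


def normalize(value: str) -> str:
    """Apply up to two extra rounds of URL decoding so double-encoded payloads
    are matched in decoded form (parse_qsl has already decoded once)."""
    for _ in range(2):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def extract_fields(method, path_and_query, headers, body):
    """Yield (location, name, value) for every part of the request worth inspecting."""
    parts = urlsplit(path_and_query)
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        yield "query", name, value
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        for name, value in parse_qsl(body, keep_blank_values=True):
            yield "body", name, value
    for h in ("user-agent", "referer", "cookie"):
        if h in headers:
            yield "header", h, headers[h]


def inspect(method, path_and_query, headers, body=""):
    """Score a request against RULES and decide allow/block."""
    headers = {k.lower(): v for k, v in headers.items()}
    path = urlsplit(path_and_query).path
    verdict = Verdict("allow", 0)
    for location, name, raw in extract_fields(method, path_and_query, headers, body):
        value = normalize(raw)
        excluded = EXCLUSIONS.get((path, name), set())
        for rule in RULES:
            if rule.rule_id in excluded or not rule.pattern.search(value):
                continue
            verdict.score += rule.score
            verdict.matches.append({"rule": rule.rule_id, "desc": rule.description,
                                    "where": f"{location}:{name}"})
    if verdict.score >= BLOCK_THRESHOLD:
        verdict.action = "block"
    return verdict


def log_entry(client_ip, method, path_and_query, verdict):
    """One structured audit record per request, ready to ship to a SIEM."""
    return json.dumps({"client_ip": client_ip, "method": method, "target": path_and_query,
                       "action": verdict.action, "score": verdict.score,
                       "rules": [m["rule"] for m in verdict.matches]})


if __name__ == "__main__":
    # Constructed sample requests: benign, SQL injection, XSS, double-encoded SQLi.
    samples = [
        ("GET", "/search?q=shoes", {}, ""),
        ("GET", "/login?user=admin'%20OR%201%3D1%20--&pw=x", {}, ""),
        ("POST", "/comments", {"Content-Type": "application/x-www-form-urlencoded"},
         "body=%3Cscript%3Ealert('xss')%3C/script%3E"),
        ("GET", "/search?q=%2527%2520OR%25201%253D1", {}, ""),
    ]
    for method, target, headers, body in samples:
        print(log_entry("203.0.113.5", method, target, inspect(method, target, headers, body)))
```

Two design points matter more than the regexes themselves. First, matching happens on decoded values, since a signature that only sees the raw bytes misses trivially encoded variants; production WAFs apply several such transformations. Second, the exclusion table is where most operational effort goes: a search for "C#" trips the comment-terminator rule, and rather than loosening the rule for every path, the tuning suppresses it only for the one parameter where that input is legitimate, while the same value on another path still adds its (sub-threshold) score to the log.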