WAF – Web Application Firewall

WAF, which stands for Web Application Firewall, helps protect web-based applications by blocking and preventing many common types of attacks that would otherwise be easy to carry out. Almost any site today sits behind at least one type of WAF as its first line of defense.

A WAF differs from a standard firewall in that it is able to filter the specific content of web application traffic, while a standard firewall serves as a security gateway between servers.

A WAF is a defense mechanism that operates at layer 7 of the OSI model (the Application layer).

As we know, it is the application layer that determines the type of communication taking place between computers.

So the WAF sits in this layer in order to protect the specific communication being carried out, rather than the network connection underneath it.

How do WAFs protect our sites?

  • It filters and monitors all of the HTTP traffic exchanged with the web application.
  • It blocks anything that might be malicious.
  • By inspecting the HTTP traffic, it can prevent attacks that exploit security flaws in web applications, such as SQL injection or cross-site scripting (XSS).
  • Integrated DDoS protection.
  • A WAF enforces a specific, pre-built set of rules called a policy.

Types of WAFs:

  • Hardware-based – also called Network-based. This type is usually installed locally within a local area network (LAN) and deployed on a physical piece of hardware.
  • Software-based – also called Host-based. This type is usually installed on a virtual machine rather than on dedicated hardware. It works in a similar way to a hardware-based WAF, but allows for increased flexibility, as it can be used in the cloud, and costs less because no hardware is required.
  • Cloud-based – built as a software-as-a-service (SaaS) offering. The WAF is located entirely in the cloud and everything is managed remotely by the service provider.

Examples of WAFs:

  • The first, and probably the most famous one, is the CAPTCHA. A CAPTCHA is a program that protects websites against bots by blocking them from gaining any access: it generates and grades tests that ask the visitor to type in a certain string or number that appears in a small image above the field, something humans can easily do but current computer programs (as of now) cannot.

  • If the system needs to receive an ID number, there is no reason for the end user to enter the word “Select” or any other special character (like @, #, $, etc.). So the WAF, by enforcing a number of rules, produces a whitelist that accepts only digits, and only up to a certain length.

  • IP check – in case the visitor’s IP address has shown suspicious behavior online, such as switching addresses or using a temporary one, the WAF is there to detect and block the origin.

  • Some are referred to as JavaScript challenges.

For example, AWS WAF JavaScript SDK – You can use the AWS WAF JavaScript SDK to implement AWS WAF application integrations in your browsers and other devices that can run JavaScript. The JavaScript SDK allows you to manage token authorization, and to include the tokens in the requests that you send to your protected resources.

Example of a typical implementation of the JavaScript SDK in a web application page
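The ID-number whitelist and the policy of rules described above, as an added example that is not part of the original post and not Kayran’s or AWS’s code: a minimal layer-7 filter that inspects one HTTP request at a time, enforces a digits-only allowlist on the `id` parameter and a small denylist on every other parameter. The parameter names, rule names and length limits are assumptions chosen for the illustration; the requests it runs over are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Policy: the set of rules this toy WAF enforces (constructed for this example).
# Allowlist for the "id" parameter: digits only, 1 to 9 characters (assumed limit).
ID_ALLOWLIST = re.compile(r"[0-9]{1,9}")
# Denylist rules applied to every other parameter value.
DENYLIST = [
    ("sqli_keyword", re.compile(r"\b(select|union|insert|drop)\b", re.I)),
    ("xss_tag", re.compile(r"<\s*script\b|javascript:", re.I)),
]
MAX_VALUE_LEN = 2048  # assumed cap; oversized values are blocked outright


def inspect(method, target, body=""):
    """Return ('allow' | 'block', reason) for one HTTP request.

    Parameters come from the query string and, for POST, the form body.
    parse_qsl percent-decodes once; a production WAF would also normalise
    double encoding, Unicode forms and other encodings before matching.
    """
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    if method == "POST" and body:
        pairs += parse_qsl(body, keep_blank_values=True)
    # Iterate over every pair (not a dict) so repeated parameters are all checked.
    for name, value in pairs:
        if len(value) > MAX_VALUE_LEN:
            return "block", "oversized_value"
        if name == "id":
            # Allowlist: anything that is not purely numeric is rejected.
            if not ID_ALLOWLIST.fullmatch(value):
                return "block", "id_not_numeric"
            continue
        for rule, pattern in DENYLIST:
            if pattern.search(value):
                return "block", rule
    return "allow", "policy_passed"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ("GET", "/user?id=12345", ""),
        ("GET", "/user?id=1%20OR%201=1", ""),
        ("GET", "/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E", ""),
        ("POST", "/profile", "name=alice&bio=select%20*%20from%20users"),
    ]
    for method, target, body in samples:
        print(method, target, body, "->", inspect(method, target, body))
```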

Did you know that Kayran’s Web Application Vulnerability Scanner has a new tech, which enables it to bypass WAFs and many other types of JavaScript challenges?
That makes Kayran’s tool almost as effective as a human being who performs the tests himself and is able to circumvent such mechanisms.

Stay WAF’d, choose Kayran.
