WAF (Web Application Firewall)
A security system that monitors, filters, and blocks HTTP traffic to and from a web application based on predefined security rules.
A Web Application Firewall (WAF) sits between the internet and your web application, inspecting HTTP/HTTPS traffic and blocking requests that match known attack patterns. WAFs protect against common web attacks including SQL injection, XSS, file inclusion, and protocol abuse by applying rule sets that identify malicious request patterns.
WAFs operate in different modes: negative security model (block known bad patterns), positive security model (allow only known good patterns), and machine learning-based anomaly detection. Popular WAF solutions include AWS WAF, Cloudflare WAF, Akamai Kona, and open-source ModSecurity.
While WAFs provide valuable defense-in-depth, they should not be the sole security control. WAFs can be bypassed through encoding tricks, payload fragmentation, and novel attack techniques. They also generate false positives that can block legitimate traffic if not properly tuned.
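The two rule models from above, and why a WAF normalizes input before matching, as a toy filter added here for illustration (not APVISO's code and not any real product's rule set; the signatures and sample requests are constructed):

```python
"""Toy WAF request filter: negative vs. positive security model, with
input canonicalization so encoded variants hit the same rule.
Added illustration; not APVISO's code or any real WAF's rule set."""
import re
from urllib.parse import unquote

# Negative model: block known-bad patterns (constructed, simplified signatures)
NEGATIVE_RULES = {
    "sqli-union": re.compile(r"\bunion\b\s+(all\s+)?select\b"),
    "xss-script-tag": re.compile(r"<\s*script\b"),
    "traversal": re.compile(r"\.\.[/\\]"),
}
# Positive model: per-parameter allow-list; unknown or malformed values fail
POSITIVE_RULES = {
    "id": re.compile(r"\d{1,10}"),
    "sort": re.compile(r"asc|desc"),
}

def canonicalize(value: str) -> str:
    """URL-decode until stable (max 3 rounds), strip NULs, case-fold, so
    'UNION', 'union' and '%55NION' all look the same to the rules."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\x00", "").lower()

def negative_check(params: dict) -> list:
    """Return (parameter, rule_id) pairs that matched a blocklist rule."""
    return [(name, rid) for name, raw in params.items()
            for rid, rx in NEGATIVE_RULES.items()
            if rx.search(canonicalize(raw))]

def positive_check(params: dict) -> list:
    """Return parameters the allow-list rejects: no rule, or no full match."""
    rejected = []
    for name, raw in params.items():
        rx = POSITIVE_RULES.get(name)
        if rx is None or not rx.fullmatch(canonicalize(raw)):
            rejected.append(name)
    return rejected

if __name__ == "__main__":
    # Constructed sample requests: a benign one, a double-encoded probe,
    # and a benign search string that trips the signature (false positive).
    samples = {
        "benign": {"id": "7", "sort": "asc"},
        "double-encoded": {"id": "1%2520union%2520select%25201"},
        "legit-search": {"q": "trade union select committee report"},
    }
    for label, p in samples.items():
        print(label, "negative:", negative_check(p), "positive:", positive_check(p))
```

The third sample is the tuning problem from the paragraph above: the same blocklist rule that catches the encoded probe also blocks an ordinary search phrase, while the allow-list rejects it only because no rule was ever written for `q`.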
How APVISO tests for this: APVISO's scanner agent is designed to test whether your WAF rules actually block exploitation attempts. It generates payloads that test common WAF bypass techniques, helping you identify gaps in your WAF configuration and rule sets. Testing behind the WAF is also supported to assess the application's inherent security.