WAF is an acronym for Web Application Firewall:
- A firewall is a security component that controls network traffic coming into and out of a backend system.
- An application firewall specifically controls the input, output, and access to an application or service.
- A web application firewall specifically works on traffic (HTTP/S, TCP, UDP, and so on) coming in and out of a web application.
Thus, a WAF monitors and filters traffic to and from a web application. Incoming traffic consists of legitimate user requests and requests from threat actors. A WAF identifies and blocks the latter, while allowing the legitimate requests to pass through.
Today, a robust WAF must be able to detect and defeat a wide variety of attacks. Here are some examples.
- SQL Injection: an attempt to inject SQL commands into a data-driven application through an entry field.
- OSCI (Operating System Command Injection): an attempt to execute operating system commands on the application’s server.
- RFI (Remote File Inclusion): an attempt to cause a web application to download and execute a remote file.
- LFI (Local File Inclusion): an attempt to cause a web application to execute code within a local file that has been placed or modified by the attacker.
- XSS (Cross-Site Scripting): an attempt to inject client-side scripts into a web application.
This list is not exhaustive. Along with those listed above, there are many other potential threats within incoming traffic that a WAF must be able to block.
Additionally, a WAF (such as AWS WAF) can provide symmetric filtering by scrubbing not only incoming requests but also outgoing traffic. Malicious outgoing traffic can occur if a machine in a network has been compromised. For example, the machine could start communicating with a botnet command server, or might start participating in a DDoS attack. A WAF can block this activity and notify administrators of the problem.
Evolution of WAFs
In the past, WAFs were primarily used to protect websites. Later, as the use of HTTP/S expanded, so did the potential roles of WAFs. Today, a WAF is important for protecting not only traditional backends such as websites, but other applications and services as well, such as HTTP/S-based RESTful APIs used for mobile/native applications.
WAFs have also evolved in other ways. Initially, WAF products only included a negative security model. In this approach, the WAF’s rulesets define the characteristics of hostile traffic. Incoming requests which match those characteristics are blocked. Other traffic is allowed by default.
Later, positive security models were added. This means that the WAF examines incoming traffic, and for a request to be allowed, it must match certain characteristics which define legitimate traffic. (For more information, see How does a WAF work?)
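To make the two models concrete, the following is an added example (not code from the original page or from any WAF vendor). It implements a toy request filter in Python, runs it over constructed sample traffic, and shows how a negative (deny-list) model and a positive (allow-list) model treat the attack classes listed earlier (SQL injection, OS command injection, RFI, LFI, XSS) and, more tellingly, a request that matches no attack signature but is simply not what the application expects. The deny-list signatures, the per-endpoint schema for `/search` and `/api/users`, and all sample requests are illustrative assumptions, not a production rule set.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    method: str
    path: str
    params: dict  # query parameter name -> first decoded value


def parse_request(line: str) -> Request:
    """Parse a constructed request line such as 'GET /search?q=shoes&page=2'.
    Only the query string is inspected here; a real WAF also normalises and
    inspects headers, cookies and the request body."""
    method, url = line.strip().split(" ", 1)
    parts = urlsplit(url)
    decoded = parse_qs(parts.query, keep_blank_values=True)
    return Request(method.upper(), parts.path, {k: v[0] for k, v in decoded.items()})


# Negative (deny-list) model: one illustrative signature per attack class from the text,
# applied to every decoded parameter value. Anything matching no rule is allowed by default.
NEGATIVE_RULES = [
    ("sqli", re.compile(r"\bunion\b\s+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+|--\s*$", re.I)),
    ("os-command-injection", re.compile(r";|\|\||&&|`|\$\(")),   # shell metacharacter sequences
    ("rfi", re.compile(r"^\s*(https?|ftp)://", re.I)),            # remote URL in a parameter
    ("lfi", re.compile(r"\.\./|\.\.\\")),                         # directory traversal
    ("xss", re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I)),
]

# Positive (allow-list) model: per endpoint (hypothetical schema), the allowed methods and,
# for each expected parameter, the pattern its value must match in full. Everything else is denied.
POSITIVE_SCHEMA = {
    "/search": {
        "methods": {"GET"},
        "params": {"q": re.compile(r"[\w\s\-]{1,64}"), "page": re.compile(r"\d{1,3}")},
    },
    "/api/users": {"methods": {"GET"}, "params": {"id": re.compile(r"\d{1,10}")}},
}


def negative_model(req: Request) -> tuple:
    """Block only requests that match a known-bad signature; allow everything else."""
    for name, value in req.params.items():
        for rule, pattern in NEGATIVE_RULES:
            if pattern.search(value):
                return False, f"rule '{rule}' matched parameter '{name}'"
    return True, "no deny rule matched (allowed by default)"


def positive_model(req: Request) -> tuple:
    """Allow only requests that fit the endpoint's schema; deny everything else."""
    schema = POSITIVE_SCHEMA.get(req.path)
    if schema is None:
        return False, f"no schema for path {req.path}"
    if req.method not in schema["methods"]:
        return False, f"method {req.method} not allowed on {req.path}"
    for name, value in req.params.items():
        pattern = schema["params"].get(name)
        if pattern is None:
            return False, f"unexpected parameter '{name}'"
        if not pattern.fullmatch(value):
            return False, f"parameter '{name}' does not match its allowed pattern"
    return True, "request matches the allow-list schema"


def evaluate(line: str) -> dict:
    """Run both models over one request line and return their verdicts."""
    req = parse_request(line)
    return {"request": line, "negative": negative_model(req), "positive": positive_model(req)}


# Constructed sample traffic: two legitimate requests, three matching listed attack classes,
# and one that is merely unexpected (an undocumented 'debug' parameter).
SAMPLE_REQUESTS = [
    "GET /search?q=running+shoes&page=2",
    "GET /api/users?id=42",
    "GET /search?q=x%27+OR+1%3D1",                  # decodes to: x' OR 1=1
    "GET /download?file=..%2F..%2Fconfig",           # decodes to: ../../config
    "GET /search?q=%3Cscript%3Ex%3C%2Fscript%3E",    # decodes to: <script>x</script>
    "GET /search?q=shoes&debug=1",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        result = evaluate(line)
        print(f"{line}\n  negative model: {result['negative']}\n  positive model: {result['positive']}")
```

The last sample is the instructive one: the negative model allows `debug=1` because it resembles no known attack, while the positive model rejects it because `/search` was never declared to accept that parameter. The trade-off runs the other way too: the deny-list `rfi` signature would flag any legitimate parameter that carries a URL, and its single decoding pass can be sidestepped by encoding variants a production WAF normalises for, whereas the allow-list schema blocks nothing it does not describe but must be maintained as the application changes.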