
Web Application Firewalls (WAF)


Web Application Firewalls (WAFs) represent the most advanced firewall capabilities in the industry. They have evolved from traditional firewalls, which focus on network-layer traffic, into systems that understand and track session state and make sense of what is happening at the application layer.

The Need for WAFs

As cyber-attacks become more advanced and climb the layers of the Open Systems Interconnection (OSI) model, there is a growing need for a different kind of inspection: one that not only understands network traffic but can also separate "good" traffic from "bad". This is where WAFs come in.

WAFs can protect your systems through several means. One is signature-based detection: a known attack pattern has been documented as a signature, and the WAF parses the traffic looking for a match. Another is behaviour analysis and profiling: advanced WAFs establish a behavioural baseline, construct a profile from it, and then look for deviations relative to that profile.
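The two detection methods described above, side by side, as an added example that is not code from the original article or from any WAF product. The signature rules, the per-client request-rate baseline and the sample request targets are all constructed for this illustration; a real rule set is far larger and a real profile would track more than one metric.

```python
import re
from dataclasses import dataclass, field
from statistics import mean, pstdev
from urllib.parse import unquote_plus

# Constructed signature rules for this example, not a real WAF rule set:
# name -> pattern run against the URL-decoded request target.
SIGNATURES = {
    "sqli_tautology": re.compile(r"(?i)'\s*or\s+'?\d+'?\s*=\s*'?\d+"),
    "sqli_union": re.compile(r"(?i)\bunion\b\s+(all\s+)?select\b"),
    "xss_script_tag": re.compile(r"(?i)<\s*script\b"),
    "path_traversal": re.compile(r"(\.\./){2,}"),
}

def signature_matches(target: str) -> list[str]:
    """Decode the target first so percent-encoded payloads cannot slip past the patterns."""
    decoded = unquote_plus(target)
    return [name for name, pat in SIGNATURES.items() if pat.search(decoded)]

def inspect_request(client: str, target: str) -> dict:
    """Signature-based decision for one request: block on any hit, otherwise allow."""
    hits = signature_matches(target)
    return {"client": client, "signatures": hits, "action": "block" if hits else "allow"}

@dataclass
class BehaviourProfile:
    """Behavioural baseline of requests-per-window for each client. Once `baseline_windows`
    clean windows are learned, a window more than `sigma` standard deviations above the
    mean is flagged (deviation floored at 1.0 so a flat baseline is not over-sensitive)."""
    baseline_windows: int = 5
    sigma: float = 3.0
    history: dict[str, list[int]] = field(default_factory=dict)

    def observe(self, client: str, count: int) -> bool:
        hist = self.history.setdefault(client, [])
        anomalous = False
        if len(hist) >= self.baseline_windows:
            anomalous = count > mean(hist) + self.sigma * max(pstdev(hist), 1.0)
        if not anomalous:  # anomalous windows must not pollute the learned baseline
            hist.append(count)
        return anomalous

if __name__ == "__main__":
    # Constructed sample traffic, not captured data.
    print(inspect_request("10.0.0.5", "/search?q=shoes"))
    print(inspect_request("10.0.0.5", "/search?q=%27+OR+%271%27%3D%271"))
    profile = BehaviourProfile(baseline_windows=3)
    print([profile.observe("10.0.0.5", n) for n in (10, 12, 11, 13, 60)])
```

The signature path gives an immediate verdict per request, while the profile needs a learning period before it can flag anything, which is why the two are used together.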

The Changing Landscape of Cyber Attacks

In the past, attacks on applications and infrastructure were carried out manually by individual hackers. However, to become more efficient and drive more results, malicious operators and organizations have largely automated and industrialized attacks through the use of distributed botnets.

The Evolution of Application Development

Applications and their development have undergone significant changes with the advent of cloud deployments, container technologies, and microservices. Developers often reuse other people's code to achieve outcomes and functionality for their applications. This has led to an increase in the use of third-party libraries during the application development process.

Attackers are aware of this and look to exploit vulnerabilities found in commonly used third-party libraries such as OpenSSL. This means that the reach of a well-known vulnerability multiplies with every application that pulls in the affected library during development. WAFs and adjacent technologies can help provide gap protection in the form of signature-based and behaviour-based identification and blocking. This can help address not only known vulnerabilities and threats but also zero-day threats and vulnerabilities.

Understanding WAF Functionality

A useful reference point for WAF functionality is the Open Web Application Security Project (OWASP) Top 10, which outlines the most prevalent vulnerabilities found in applications and walks through the means of mitigation by way of compensating controls.

Adjacent WAF technologies and functionality include:

  • API gateways
  • Bot management and mitigation
  • Runtime Application Self-Protection (RASP)
  • Distributed Denial of Service (DDoS) protection
  • Content Delivery Networks (CDNs)
  • Data Loss Prevention (DLP)
  • Data Masking and Redaction
  • Security Information and Event Management (SIEM)
  • Security orchestration and incident response automation

By understanding the latest developments in WAF technology, you can better incorporate and integrate it with your existing and planned technology deployments, including cloud, on-premises, and hybrid topologies.

The Rise of Botnets

First, let's talk about botnets. These are networks of compromised computers controlled by hackers. Initially, botnets were used mainly for Distributed Denial of Service (DDoS) attacks. However, hackers have now industrialized botnets to automate attacks for different purposes. They can grow the size of the botnet, execute DDoS attacks, or even carry out surgical strikes against websites and applications.

What's more, hackers have started offering botnets-as-a-service on the dark web. This means that attackers can rent botnets to execute their own campaigns. It's a structured, albeit illegitimate, business model that's making cyber attacks more efficient and widespread.

The Complexity of Code and the Use of Third-Party Libraries

The past decade has seen an explosion of open-source code. This has given developers a plethora of choices about which libraries to use to minimize development effort. However, this has also opened up new avenues for attackers.

Attackers are constantly looking for vulnerabilities in commonly used libraries like OpenSSL. A vulnerability in such a common core security library can have serious security implications. Remember the Heartbleed Bug? It was a serious vulnerability in the OpenSSL cryptographic software library that allowed for the theft of information protected by SSL and Transport Layer Security (TLS) protocols.

The Advent of Microservices

Another trend in the development world is the use of microservices. These are small, discrete services that allow development teams to deploy new functionality iteratively and in quick, small sprints. However, each microservice potentially represents its own unique attack surface that can be exploited.

Developers often incorporate third-party libraries in these microservices as needed. This can introduce more individual attack surfaces and vulnerable third-party libraries, exposing your organization to additional risk.

The Challenge of Secure Application Development

Application development is like the Wild West. Developers have full freedom to pull third-party libraries from anywhere on the web. But what if they're using versions of these libraries that have been modified with backdoors or other malicious code? Or what if they're using older versions with known vulnerabilities?

The good news is that with the advent of DevOps, the ability to lock down source libraries through programmatically managed pipelines and build processes has greatly increased. However, many development teams are still in the early phases of adopting mature DevOps deployments. In the meantime, this needs to be balanced with compensating controls such as regular vulnerability scanning, or virtual patching and attack detection using Web Application Firewalls (WAFs).

The Threat of Compromised Credentials

It's estimated that 50% of cyberattacks involve compromised credentials. The system of using usernames and passwords to gain access to websites is fundamentally broken, yet it persists. For attackers, using compromised credentials is the simplest way in through the front door; they want to expend the least amount of effort.

Compromised Accounts: The Dark Side of the Web

When we talk about compromised accounts, we're usually referring to end-user accounts. These are the accounts that everyday users like you and me have with various online services. When a major service like Yahoo! gets hacked, the stolen credentials can be used in what's known as credential stuffing attacks.

In these attacks, bots are configured to substitute the leaked username and password pairs into their login requests and then attempt to gain access to other services with those same credentials. The scary part? These repositories of hacked usernames and passwords can be found on the dark web and sold to anyone willing to pay in Bitcoin. And they're not just sold once: they can be resold over and over again.
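What credential stuffing looks like from the defender's side, as an added example that is not part of the original article: a small classifier over authentication log lines that separates a source replaying leaked username/password pairs across many accounts from a plain brute-force attempt against one account, and lists the accounts where a leaked pair still worked. The log format and every line in it are constructed for this illustration.

```python
import re
from collections import defaultdict

# Constructed log format for this example, not a real product's: <ts> src=<ip> user=<name> result=<ok|fail>
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")

# Constructed sample lines: one source replaying leaked pairs against many accounts, one hammering a single account, and one ordinary user who mistyped once.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z src=203.0.113.4 user=alice result=fail
2024-01-01T10:00:02Z src=203.0.113.4 user=bob result=fail
2024-01-01T10:00:02Z src=203.0.113.4 user=carol result=ok
2024-01-01T10:00:03Z src=203.0.113.4 user=dave result=fail
2024-01-01T10:00:03Z src=203.0.113.4 user=erin result=fail
2024-01-01T10:00:05Z src=198.51.100.9 user=alice result=fail
2024-01-01T10:00:06Z src=198.51.100.9 user=alice result=fail
2024-01-01T10:00:07Z src=198.51.100.9 user=alice result=fail
2024-01-01T10:00:08Z src=198.51.100.9 user=alice result=fail
2024-01-01T10:00:09Z src=198.51.100.9 user=alice result=fail
2024-01-01T10:00:10Z src=192.0.2.20 user=gina result=fail
2024-01-01T10:00:15Z src=192.0.2.20 user=gina result=ok
"""

def parse_log(text: str) -> list[dict]:
    """Parse lines into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def classify_sources(events, min_attempts=5, min_users=4, fail_ratio=0.7) -> dict:
    """Per source IP: 'credential_stuffing' when many distinct usernames are tried with
    mostly failures (a leaked pair gives one guess per account, so most miss);
    'brute_force' when many attempts target one or two accounts; otherwise 'normal'."""
    attempts, fails, users = defaultdict(int), defaultdict(int), defaultdict(set)
    for e in events:
        attempts[e["src"]] += 1
        users[e["src"]].add(e["user"])
        fails[e["src"]] += e["result"] == "fail"
    verdicts = {}
    for src, n in attempts.items():
        busy = n >= min_attempts and fails[src] / n >= fail_ratio
        if busy and len(users[src]) >= min_users:
            verdicts[src] = "credential_stuffing"
        elif busy and len(users[src]) <= 2:
            verdicts[src] = "brute_force"
        else:
            verdicts[src] = "normal"
    return verdicts

def suspected_takeovers(events, verdicts) -> list[tuple[str, str]]:
    """Successful logins from a stuffing source: the accounts whose leaked pair still works."""
    return [(e["src"], e["user"]) for e in events
            if e["result"] == "ok" and verdicts.get(e["src"]) == "credential_stuffing"]
```

The single success buried among the failures from the stuffing source is the event that matters most: that account's password has been reused and needs to be reset.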

Sensitive and Privileged Accounts: A Hacker's Goldmine

Another type of account that can be compromised is a sensitive or privileged account. These are accounts that have administrative privileges over operating systems, databases, and network devices. If a hacker can gain access to these accounts, they can gain full control of a system or network.

A hacker might do this by escalating their privileges. For example, if a hacker gains access to a non-privileged account, they can then attempt to escalate their privileges by exploiting vulnerabilities in the system. This could involve identifying vulnerable software versions, researching known exploits, and then using these exploits to gain higher-level access.

Types of Attacks: Understanding the Threat Landscape

Now that we've covered the types of accounts that can be compromised, let's move on to the types of attacks that can occur. For this, we'll use the Open Web Application Security Project's (OWASP) Top 10 list, which is the industry standard for categorizing application-level vulnerabilities and attacks.

The OWASP Top 10 includes:

  1. Injection
  2. Broken Authentication
  3. Sensitive Data Exposure
  4. XML External Entities (XXE)
  5. Broken Access Control
  6. Security Misconfiguration
  7. Cross-Site Scripting (XSS)
  8. Insecure Deserialization
  9. Using Components with Known Vulnerabilities
  10. Insufficient Logging and Monitoring

Each of these attacks represents a different way that a hacker can exploit vulnerabilities in an application or system. By understanding these attacks, we can better protect ourselves and our systems.

Summary

In the world of cybersecurity, knowledge is power. By understanding the types of accounts that can be compromised and the types of attacks that can occur, we can better protect ourselves and our systems. Remember, the first step towards protection is understanding the threats we face. Stay safe out there!