WAF


What is a WAF?

A Web Application Firewall (WAF) is a type of [[# Todo/Computer Science Done/Firewall]]. A WAF is deployed to protect a specific web application and works at layer 7 (the application layer) of the [[# Todo/Computer Science Done/OSI Model]].

WAFs and proxy firewalls are very closely related: a proxy firewall is designed to protect clients, whereas a WAF protects servers and is deployed in front of a specific web application.

How does a WAF work?

Let’s imagine you’re a hacker trying to mess with twitter.com. When you try to connect to twitter.com:

  1. You will actually be connecting to a WAF of some sort.
  2. The WAF acts like a [[Reverse Proxy]], protecting the web application servers from exposure by having clients pass through the WAF before reaching the web application servers.
  3. The TLS (SSL) connection terminates at the WAF, so the WAF can see the HTTP traffic in plaintext.
  4. The WAF inspects the HTTP traffic for known types of attacks (see details below). If the traffic is clean, the WAF passes it on to the web application servers (the hop from the WAF to the web application servers may or may not be encrypted).

What kind of attacks does a WAF protect against?

  • SQL injection - a hacking technique used to extract sensitive information from a database.
  • [[Cross-site Scripting]] - when a malicious script is injected into the code of an otherwise trusted website, allowing potentially sensitive user data, such as cookies, to be accessed.
  • Malicious file execution - a harmful technique that allows a person to execute code remotely after a user accepts a malicious file.
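As an added example (not part of the original note), here is a toy version of steps 2 to 4 of the flow above, covering the three attack classes just listed: a Python request inspector that decodes the client-controlled parts of an HTTP request and matches them against small signature rules before deciding whether to forward or block. The `Request` class, the `RULES` table and the sample requests are assumptions constructed for this example; the rules are deliberately minimal and are not any product's rule set.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote_plus

# Illustrative signatures, one per attack class the note lists.  They are assumptions
# of this example, not any product's rules; real sets (e.g. OWASP CRS) have hundreds.
RULES = {
    "sqli": re.compile(r"(?i)'\s*(or|and)\s+\S+\s*=\s*\S+|union\s+select|;\s*drop\s+table"),
    "xss": re.compile(r"(?i)<\s*script\b|javascript:|\bon\w+\s*="),
    # server-side script or shell suffix in an uploaded file's name
    "file_exec": re.compile(r'(?i)filename="[^"]*\.(php|jsp|aspx?|sh|exe)"'),
}

@dataclass
class Request:
    method: str
    target: str          # request-line path and query, still percent-encoded
    headers: dict
    body: str = ""

def normalize(value: str) -> str:
    # Decode twice: with a single decode, double-encoded input (%253C -> %3C -> <)
    # would look harmless to the WAF yet decode to a tag at the origin.
    return unquote_plus(unquote_plus(value))

def inspect(req: Request) -> list:
    """Step 4 of the note: check every client-controlled part of the request.
    Returns [(rule name, where it fired), ...]; an empty list means clean."""
    fields = {"target": req.target, "body": req.body}
    fields.update({f"header:{k}": v for k, v in req.headers.items()})
    return [(rule, where)
            for where, raw in fields.items()
            for rule, pattern in RULES.items()
            if pattern.search(normalize(raw))]

def handle(req: Request) -> int:
    """Status the client sees: 403 from the WAF, or the origin's reply (200 stand-in)."""
    matches = inspect(req)
    if matches:
        print(f"blocked {req.method} {req.target}: {matches}")  # what the SOC would log
        return 403
    return 200  # stand-in for forwarding to the origin over the internal hop

# Constructed sample requests (not real traffic).
CLEAN = Request("GET", "/search?q=web+application+firewall", {"Host": "app.example"})
SQLI = Request("GET", "/items?id=1%27%20OR%20%271%27%3D%271", {"Host": "app.example"})
XSS_DOUBLE = Request("POST", "/comment", {"Host": "app.example"},
                     body="text=%253Cscript%253Ealert(1)%253C%2Fscript%253E")
```

Running `handle()` over the three samples returns 200, 403 and 403; the last case is only caught because `normalize` decodes twice, which is the kind of evasion a single-decode inspector misses.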

An analogy

If a network [[# Todo/Computer Science Done/Firewall]] is like a bouncer, a WAF is like a smart bouncer. This smart bouncer isn’t just checking each person against an “Allow” list and a “Deny” list: he’ll look at them to see if they’ve drunk too much and are likely to cause trouble, or he’ll ask probing questions like “so where are you coming from and what are you going to be doing?”.