Web Application Firewall (WAF)
What is Web Application Firewall (WAF)?
A Web Application Firewall (WAF) is a security control that monitors, filters, and blocks HTTP/HTTPS traffic to and from web applications, protecting them from common web exploits such as SQL injection, cross-site scripting (XSS), command injection, and the vulnerabilities defined in the OWASP Top 10. Unlike a network firewall that operates at the network layer, a WAF operates at the application layer — understanding HTTP requests, responses, and the web application context to distinguish legitimate traffic from malicious payloads. WAFs are deployed as hardware appliances, software solutions, or cloud-based services (commonly called CDN-WAFs or cloud WAFs).
Description
WAFs enforce policies through two primary detection mechanisms. Signature-based detection matches incoming requests against patterns of known attack payloads — blocking requests that contain SQL injection strings, XSS payloads, or traversal sequences. Behavioral and anomaly-based detection identifies requests that deviate from normal application traffic patterns, such as unusually large request bodies, abnormal parameter combinations, or rate anomalies indicative of scanning or credential stuffing. Modern WAFs also integrate bot management — distinguishing between human users, legitimate crawlers, and malicious bots through device fingerprinting, behavioral analysis, and challenge mechanisms.

The limitations of WAFs are as important to understand as their capabilities. WAFs are not a substitute for secure application development — a WAF can block known SQL injection patterns, but a novel variant or a business logic vulnerability (like broken access control) will bypass it. WAF bypass is a common penetration testing activity: attackers and testers use encoding variations, case manipulation, comment injection, and fragmented payloads to evade signature-based detection. API security is a known WAF gap: traditional WAF rules are designed for HTML form parameters, not JSON API payloads, and many WAF deployments have limited coverage for REST or GraphQL API traffic.
Usage and Examples
An e-commerce platform deploys a cloud WAF in front of its checkout application. The WAF successfully blocks automated SQL injection scanning and credential stuffing attacks that arrive continuously from botnets. During a penetration test, the tester identifies a business logic vulnerability in the coupon code validation — entering a negative quantity results in a negative price, effectively giving the attacker store credit. The WAF does not block this attack because the request contains no signature-matching malicious payload — it is a valid HTTP request exploiting application logic. This illustrates the WAF coverage gap that makes manual penetration testing essential even for WAF-protected applications. Security headers and Content Security Policy (CSP) work alongside WAFs as complementary browser-level security controls.
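The coverage gap in that scenario, as an added illustration that is not part of the original page: a minimal signature-based check stops an obvious SQL injection probe, but the negative-quantity request carries no signature and reaches the checkout logic unchanged, so only an application-layer quantity check (the hardened variant below) actually closes the hole. The rule set, request samples, and price function are constructed for this example.

```python
import re
from decimal import Decimal

# Constructed, deliberately tiny signature set; real WAF rule sets are far larger.
SIGNATURES = {
    "sqli-tautology": re.compile(r"['\"]\s*or\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+", re.I),
    "xss-script-tag": re.compile(r"<\s*script\b", re.I),
}

def waf_inspect(params):
    """Signature check over every parameter value: first matching rule name, or None."""
    for value in params.values():
        for rule, pattern in SIGNATURES.items():
            if pattern.search(str(value)):
                return rule
    return None

def price_unvalidated(params, unit_price):
    """Checkout logic with the flaw described above: a negative quantity gives a negative total."""
    return int(params["quantity"]) * unit_price

def price_validated(params, unit_price):
    """Application-layer fix that does not depend on the WAF: reject non-positive quantities."""
    qty = int(params["quantity"])
    if qty < 1:
        raise ValueError(f"invalid quantity: {qty}")
    return qty * unit_price

# Constructed sample requests, as parsed parameter dicts.
REQUESTS = {
    "normal": {"coupon": "SAVE10", "quantity": "2"},
    "sqli_probe": {"coupon": "' or 1=1 --", "quantity": "1"},
    "negative_qty": {"coupon": "SAVE10", "quantity": "-3"},
}

def evaluate(unit_price=Decimal("25.00")):
    """Run each sample request through the WAF, then through both checkout variants."""
    results = {}
    for name, params in REQUESTS.items():
        rule = waf_inspect(params)
        if rule:
            results[name] = {"waf": f"blocked:{rule}"}  # never reaches the application
            continue
        entry = {"waf": "passed", "unvalidated_total": price_unvalidated(params, unit_price)}
        try:
            entry["validated_total"] = price_validated(params, unit_price)
        except ValueError as exc:
            entry["validated_total"] = f"rejected: {exc}"
        results[name] = entry
    return results
```

Running `evaluate()` shows the SQL injection probe blocked at the WAF, while the negative-quantity request passes the WAF and yields a negative total unless the validated checkout path is used.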
How Does This Relate to Penetration Testing?
WAF bypass testing is a standard component of application penetration testing engagements. Testers evaluate whether the WAF is correctly deployed and configured, whether its rules cover the application's specific technology stack and API patterns, and whether bypass techniques are effective against the deployed rule set. WAF bypass findings inform rule tuning — not just documenting that a WAF can be evaded, but specifying which bypass techniques work and how the rule set needs to change to block them. Testers also evaluate the application's security independent of the WAF: a vulnerability that exists in the application code will be exploitable if the WAF is ever misconfigured, bypassed, or removed, and application-layer fixes are always preferable to WAF mitigation alone. Evolve Security's Application Penetration Testing evaluates both WAF effectiveness and underlying application security — finding the vulnerabilities that signature-based controls miss.