Questions tagged [waf]
WAF stands for Web Application Firewall. A WAF is an application-layer firewall meant to secure the back-end web server by monitoring every HTTP request and response to and from the server.
148 questions
2 votes | 1 answer | 628 views
Does geo blocking whole countries objectively increase security? [duplicate]
I often see whole countries being blocked using GEO-IP blocks in network firewalls and even in web application firewalls. Often with great anecdotal success in reducing the amount of registered ...
0 votes | 1 answer | 114 views
Is WAF fingerprinting a security threat, and can it be obfuscated?
Various tools, such as WAFW00F, can be used to detect the presence, and often even the type, of WAF deployed on a website.
And according to this article:
[WAF fingerprinting] works by analysing the ...
2 votes | 1 answer | 119 views
ModSecurity Condition Based Block Mode?
I'm playing with ModSecurity and need help. I'm trying to add a condition in the conf file where, if there is a specific header in the request, then SecRuleEngine should be On; else it should be ...
1 vote | 0 answers | 72 views
Akamai WAF protecting against request smuggling
Okay, so I've seen a lot of articles & spent a pretty long while looking around, and couldn't find a straight answer for this.
Does Akamai WAF always protect against request smuggling attacks? Can a user ...
1 vote | 2 answers | 93 views
Should IP behind Azure Traffic Manager be treated as private?
I was wondering whether an IP behind Traffic Manager should be treated like an IP behind a WAF (e.g. Cloudflare). Is it okay if one were able to access that real IP directly?
1 vote | 0 answers | 66 views
3rd-Party CDN SSL Inspection for Financial/Banking API Traffic
We have a 3rd-party CDN in front of Financial/Banking APIs which involve sensitive data: login, access token, cookies, etc.
We would like to leverage the WAF and SSL Inspection capability of the CDN. This ...
0 votes | 0 answers | 71 views
How to add accounts management to a legacy blackbox application?
I have a legacy non-commercial (in-house) application that is distributed over several workstations on a private VLAN. I have to make it conform to some cybersecurity standards, but can barely modify ...
0 votes | 1 answer | 145 views
Can API Security/WAF tools decrypt "mirrored" traffic?
We're doing a PoC on a new API Security/WAF tool, and we're planning to place this solution out-of-band rather than inline. So traffic won't go through the solution and we'll send the mirrored traffic ...
0 votes | 0 answers | 165 views
Problem bypassing a PHP WAF for SQLi
I am working to bypass this WAF, but I have some problems.
$args_arr=array(
'sql'=>"[^\\{\\s]{1}(\\s|\\b)+(?:select\\b|update\\b|insert(?:(\\/\\*.*?\\*\\/)|(\\s)|(\\+))+into\\b).+?...
2 votes | 1 answer | 666 views
ModSecurity blocks my legit XHR POST request (403 Forbidden)
I'm new to the ModSecurity topic so maybe my question is stupid but...
I have set up ModSecurity on my new nginx/1.24.0 server with the default set of recommended rules, coreruleset-3.3.0, and since then my ...
3 votes | 1 answer | 1k views
How dangerous is disabling PHPHighRiskMethodsVariables_BODY from the AWS ACLs?
Problem
Users in my application are being blocked (by the AWS WAF) from uploading files with certain names. In the specific case I am trying to solve, the problematic string is .* System (.*).*.
...
31 votes | 8 answers | 13k views
What's wrong with the use of a WAF (Web Application Firewall)?
My SaaS company recently lost the bid for an enterprise software licensing deal.
One of the reasons the prospect gave for not choosing us as a vendor was:
the use of a WAF
I'm not an information ...
2 votes | 1 answer | 1k views
ModSecurity CRS, allow header `accept-charset`
I have ModSecurity v2 on Apache with CRS v3.
Requests containing the header accept-charset are blocked at paranoia level 1. I read this great discussion about the header and that in CRS v4 it will be allowed ...
1 vote | 1 answer | 177 views
Do I need to protect my Azure Blobstorage with a WAF if all the contents inside are for public consumption?
Company policy states that all internet-facing components must be protected with a WAF. However, I have an Azure Blobstorage that stores public web assets. I don't think putting it behind a WAF makes ...
0 votes | 1 answer | 107 views
Can Caching cause my WAF logged events to drop?
I've been using Ninjafirewall on WordPress websites for a while.
I recently installed a new caching plugin on my main website and I noticed the firewall log which usually has around 5000 blocked ...