cronix

Introduction to Web Application Firewall (WAF)

The most common web application vulnerabilities:

* SQL Injection (SQLi)
* Cross-Site Scripting (XSS)
* Broken Authentication and Session Management
* Insecure Direct Object References
* Cross-Site Request Forgery (CSRF)
* Security Misconfiguration
* Insecure Cryptographic Storage
* Failure to Restrict URL Access
* Insufficient Transport Layer Protection
* Unvalidated Redirects and Forwards

The Web Application Firewall (WAF) must have the following features:

* Protection against the top vulnerabilities (XSS, SQLi, etc.)
* Very few false positives (i.e., it should NEVER disallow an authorized request)
* Strength of default (out-of-the-box) defenses
* Power and ease of learn mode
* Types of vulnerabilities it can prevent
* Detects disclosure and unauthorized content in outbound reply messages, such as credit-card and Social Security numbers
* Both positive and negative security model support
* Simplified and intuitive user interface
* Cluster mode support
* High performance (milliseconds of latency)
* Complete alerting, forensics and reporting capabilities
* Web Services/XML support
* Brute force protection
* Ability to run active (block and log), passive (log only) or bypass the web traffic
* Ability to keep individual users constrained to exactly what they have seen in the current session
* Ability to be configured to prevent ANY specific problem (i.e., emergency patches)
* Form factor: software vs. hardware (hardware generally preferred)

Top 10 open source Web Application Firewalls (WAF):

1. ModSecurity (Trustwave SpiderLabs)
2. AQTRONIX WebKnight
3. ESAPI WAF https://www.owasp.org/index.php/The_ESAPI_Web_Application_Firewall_%28ESAPI_WAF%29
4. WebCastellum
5. BinarySEC for Apache
6. Guardian@JUMPERZ.NET
7. OpenWAF
8. IronBee https://www.ironbee.com/
9. Profense (Zion Security)
10. Smoothwall

Source: Ethical Hacking Tutorials | Penetration Testing Lab | Learn How to Hack | Free Hacking Tools

Operating concept and installation instructions for two or three of the applications: http://www.ipa.go.jp/security/vuln/documents/waf_en.pdf
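As an added example (not part of the original post, and not code from any of the products listed), the Python sketch below puts several of the feature-list items side by side: a negative security model (a few constructed attack signatures), a positive security model (a learned profile of which parameters a path accepts and what shape they have), the active / passive / bypass modes, and an outbound check for credit-card numbers gated by a Luhn checksum so that order ids and timestamps do not turn into false positives. All rules, paths and sample values are constructed for illustration.

```python
import re

# Negative model: a handful of constructed signatures for known-bad input
# (a real rule set such as the ModSecurity CRS is far larger).
NEGATIVE_RULES = {
    "sqli": re.compile(r"'\s*or\s+\S+\s*=\s*\S+|\bunion\b.+\bselect\b", re.I),
    "xss": re.compile(r"<\s*script|\bon(?:error|load|click|mouseover)\s*=", re.I),
}

# Positive model: per path, the only parameters accepted and the shape each must have
# (what a WAF's learn mode would build up from observed legitimate traffic).
POSITIVE_PROFILE = {
    "/login": {"user": re.compile(r"^[a-z0-9_]{1,32}$"), "pw": re.compile(r"^.{1,128}$")},
}

def inspect_request(path, params, mode="active"):
    """Return (allowed, findings). mode is 'active' (block and log),
    'passive' (log only) or 'bypass' (no inspection), as on the feature list."""
    if mode == "bypass":
        return True, []
    findings = []
    profile = POSITIVE_PROFILE.get(path)
    for name, value in params.items():
        for rule, pattern in NEGATIVE_RULES.items():
            if pattern.search(value):
                findings.append(f"{rule}:{name}")
        if profile is not None:  # positive model applies only where a profile exists
            if name not in profile:
                findings.append(f"unexpected-param:{name}")
            elif not profile[name].match(value):
                findings.append(f"bad-shape:{name}")
    return (not findings) or mode == "passive", findings

def luhn_ok(digits):
    """Luhn checksum: true for real card numbers, false for most other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")  # 13-16 digits, optional separators

def inspect_response(body):
    """Outbound check: card-number candidates that also pass Luhn (fewer false positives)."""
    hits = []
    for m in PAN_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits
```

In passive mode a finding is logged but the request still passes, which is how a new rule set is normally tuned for false positives before switching to active mode.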
