DEV Community

Lulu
Lulu

Posted on

Exploring WAFs: How SafeLine Defends Against Web Attacks

A Web Application Firewall (WAF), as the name suggests, is a security device designed for blocking potential threats. WAFs are commonly used to protect web applications that are exposed to the internet. In this article, we’ll explore the application of WAFs by testing SafeLine WAF.

SafeLine WAF Testing

First, I set up a basic HTTP server and added SafeLine WAF as a proxy in the backend.

Image description

Image description

SQL Injection Test (1=1):

Image description
The attack was successfully blocked.

Malicious File Uploads (Webshells):

Image description
Only PHP and ASPX webshells were blocked. JSP and other types were still accessible, but that’s understandable—after all, this is a WAF, not an endpoint security solution.

Directory Scanning with Dirsearch:
Image description

While tools like AWVS would trigger a block, I tested with Goby (over 1000 PoCs). It didn’t trigger an immediate block but did log the requests. SafeLine does allow setting a threshold to block excessive requests, so that’s a good backup for handling various scanners. The logs still prove useful for detecting ongoing scans.

Here’s a look at the blocked attacks in the backend:

Image description

This article mainly focuses on WAF functionality rather than an in-depth review of SafeLine’s features. SafeLine WAF is an excellent project overall, particularly suitable for small and medium-sized websites. It’s practical, effective, and easy to understand.


WAF Functional Overview

From the tests above, we can summarize that the primary function of a WAF is to block attacks on the web layer.

1. Types of Attacks Blocked

  • Injection Attacks:

    Most WAFs target injection-based attacks, such as SQL injection. These attacks exploit poorly filtered parameters. WAFs can detect potential SQL injections by inspecting the parameters, although bypassing a WAF is often a challenge for security professionals. Another example is XSS (Cross-Site Scripting), which relies on specific tags (e.g., <, >). Since most websites don’t need users to input these characters, XSS attacks are easier to detect.

  • Request Inspection (Headers, Cookies):

    WAFs also examine headers, cookies, request paths, and even request methods or proxies to identify potential threats.

2. Rule Sets

WAFs operate using a combination of pre-defined and custom rule sets for threat detection:

  • Predefined Rule Sets:

    These rules, provided by the vendor, cover common threats like SQL injection payloads, XSS scripts, and known webshells. They are regularly updated with threat intelligence from the vendor.

  • Custom Rule Sets:

    These allow users to create specific rules based on their unique needs. For example, if a web application has a known vulnerability in a particular parameter but the user cannot modify the code, they can add a custom rule to block attacks targeting that parameter.

3. Blacklists/Whitelists

Since no rule set is perfect, WAFs may occasionally block legitimate traffic. In such cases, a whitelist can be added for specific IPs. Blacklists, on the other hand, immediately block known malicious IPs, offering an extra layer of protection in case the predefined rules don’t catch them.

Top comments (0)