WAF stands for Web Application Firewall: an application-layer firewall meant to protect a back-end web server by inspecting every HTTP request and response passing between clients and the server, and blocking or logging traffic that matches its rules.
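As a concrete illustration of what that inspection looks like, the Python below is an added example (not code from any WAF product mentioned on this page). It runs constructed sample requests through a blacklist model, once on the raw request line and once after URL-decoding and case-folding, and through a positive (whitelist) model built from a hypothetical per-endpoint parameter specification. The rules, the endpoint model and the requests are all invented for the example.

```python
"""
Minimal WAF-style request inspection (added illustration; not the code of any
WAF product named on this page). Two models are shown side by side:

  * a blacklist (negative) model: block requests matching attack signatures,
  * a positive (whitelist) model: allow only the parameters and value shapes
    each endpoint is known to accept, deny everything else.

All requests, rules and the endpoint model below are constructed for the
example.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Blacklist rules: a few signatures of the kind a negative-model WAF ships with.
BLACKLIST = [
    re.compile(r"(?i)\bunion\b\s+\bselect\b"),   # SQL injection
    re.compile(r"(?i)<script\b"),                # reflected XSS
    re.compile(r"(?i)\bor\b\s+1\s*=\s*1"),       # tautology-based SQLi
]

# Positive model (hypothetical): endpoint -> allowed parameter -> value shape.
POSITIVE_MODEL = {
    "/example.php": {"id": re.compile(r"^\d{1,9}$")},
}


def normalize(value: str, rounds: int = 2) -> str:
    """URL-decode up to `rounds` times and lower-case, so an encoded or
    mixed-case payload is inspected in the form the back end will see it.
    The decode depth is bounded: a WAF that decodes fewer (or more) times
    than the application behind it can be evaded with extra encoding."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.lower()


def blacklist_verdict(request: dict, decode: bool = True):
    """Return (blocked, matched_pattern) under the blacklist model.
    With decode=False the rules run on the raw text, which is how a naive
    implementation misses percent-encoded variants of a known payload."""
    fields = [request["path"], *request["headers"].values()]
    for field in fields:
        text = normalize(field) if decode else field
        for rule in BLACKLIST:
            if rule.search(text):
                return True, rule.pattern
    return False, None


def positive_verdict(request: dict):
    """Return (blocked, reason) under the positive model: unknown endpoints,
    unexpected parameters and out-of-shape values are all denied."""
    parts = urlsplit(request["path"])
    spec = POSITIVE_MODEL.get(parts.path)
    if spec is None:
        return True, "unknown endpoint"
    params = parse_qs(parts.query, keep_blank_values=True)
    for name, values in params.items():
        if name not in spec:
            return True, f"unexpected parameter {name}"
        for value in values:
            if not spec[name].fullmatch(value):
                return True, f"bad value for {name}"
    return False, None


# Constructed sample requests (request line + headers only).
HEADERS = {"Host": "www.site.com", "User-Agent": "Mozilla/5.0"}
BENIGN = {"path": "/example.php?id=42", "headers": HEADERS}
PLAIN_SQLI = {"path": "/example.php?id=1 UNION SELECT password FROM users",
              "headers": HEADERS}
# Same payload, percent-encoded twice: the back end decodes it on the way in,
# but a rule run on the raw request line never sees the whitespace it expects.
DOUBLE_ENCODED = {"path": "/example.php?id=1%2520union%2520select%2520x",
                  "headers": HEADERS}
UNKNOWN = {"path": "/admin.php?debug=1", "headers": HEADERS}


def compare(requests: dict) -> dict:
    """Run every sample through the naive blacklist, the normalizing blacklist
    and the positive model; returns {name: (naive_blocked, blacklist_blocked,
    positive_blocked)}."""
    return {
        name: (blacklist_verdict(r, decode=False)[0],
               blacklist_verdict(r)[0],
               positive_verdict(r)[0])
        for name, r in requests.items()
    }


if __name__ == "__main__":
    samples = {"benign": BENIGN, "plain": PLAIN_SQLI,
               "double_encoded": DOUBLE_ENCODED, "unknown": UNKNOWN}
    for name, verdicts in compare(samples).items():
        print(f"{name:15} naive={verdicts[0]!s:5} "
              f"normalized={verdicts[1]!s:5} positive={verdicts[2]!s:5}")
```

The double-encoded request is the point of the comparison: the raw-text rule lets it through, the normalizing rule catches it only because its decode depth happens to match the back end's, and the positive model rejects it without knowing anything about SQL because the value is not a short integer. That is the trade-off behind several of the questions below: a blacklist is cheap to deploy but evadable through encoding and syntax variation, while a positive model blocks unknown traffic by default at the cost of maintaining a specification for every endpoint.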
Questions tagged [waf]
128 questions
28 votes, 2 answers
What are possible security problems of enabling HTTP2?
I want to enable HTTP2 for several web servers, but I'm worried about the possible security implications. I'm thinking of things like:
HTTP2 implementations are maybe more error-prone than mature HTTP1 implementations, so for example a zero-day is…
40F4
25 votes, 9 answers
Is a web application firewall necessary if the application is secure?
Recently I've been reading about web application firewalls and the fact that they protect against the most frequent attacks like injections, XSS or CSRF.
However, a good application should already be immune to these exploits, so why do companies…
user42178
23 votes, 1 answer
What is a Web Application Firewall?
What is a Web Application Firewall (WAF) and what are some of the things to look for in an effective one? Why would you deploy a WAF instead of just an IPS?
Sim
16 votes, 5 answers
Application security training for developers
I am trying to establish an application security group within an organization, and although there is a plethora of courses for penetration testers, I fail to find an equal number of training courses for developers / QA testers.
The team I work with is…
Dimitrios Stergiou
16 votes, 1 answer
What is a "Trailing Host Header", and how can I test for it?
My team's been doing some research into WAF protections based upon a WAF testing tool released at Black Hat this year. In the tool, there's a list of hostname evasion tests that are really just an outline of ideas for testing manually.
There's…
bethlakshmi
14 votes, 3 answers
How do I get started using ESAPI WAF?
I've been to the OWASP Enterprise Security API (Java Edition) Google Groups page and found this information missing.
Tim Troy
13 votes, 1 answer
WAF Process Creation for Integration of IT and Business
A client has asked me to help them out with their WAF processes. Currently they have a few critical web applications being protected by a couple of WAFs. I have managed to get the WAFs tuned and ready for production. The company is fairly large and…
Lex
12 votes, 2 answers
When performing a pentest against a WAF-protected site, what should a pentester know to enhance the test quality?
I'm running a WAF in front of a bunch of web apps and we have the apps regularly tested, and we want to improve our tests by presenting some kind of live logs to the testers. What information, from the server's view, could help the pentesters?
The objective…
that guy from over there
12 votes, 2 answers
Secure HTTP headers: where should they be implemented, at the WAF or at code level?
I have a REST API exposed to the Internet and another application with form-based authentication. These apps are behind a web application firewall.
The question is, where should I implement the security HTTP headers below, in the WAF or at the code…
Mathev
11 votes, 4 answers
Why should I use a whitelist on a WAF?
I was studying different WAFs, from open-source ones (such as ModSecurity and NAXSI) to commercial solutions (Imperva, Citrix, Fortinet, etc.). Many people state that a whitelist-based WAF is far more efficient than a blacklist-based one.
I basically…
Quentin Mollard
11 votes, 1 answer
If a WAF is compromised, can the adversary view all the traffic in clear text, provided the WAF uses an SSL cert to decrypt it?
I understand a Web Application Layer Firewall (WAF) uses an SSL cert to decrypt and inspect the traffic before passing it to the backend server. If an attacker could gain admin access to both the WAF application and the host server, is there any way they…
sxmad
10 votes, 1 answer
Is there a web application firewall equivalent of virustotal?
I'm wondering if there is a web application firewall (WAF) equivalent of VirusTotal: a site where I can throw, for example, injection strings, exploits or XSS, and it will tell me what the default setups of different WAFs will detect.
I know there is…
Chris Dale
10 votes, 3 answers
Evasion techniques for WAFs
Are there any documented techniques for evading web application firewalls, for testing WAF rule configurations?
Ali Ahmad
7 votes, 2 answers
How do web application firewalls protect applications from DDoS attacks?
How does one protect a web application from DDoS by implementing a web application firewall?
How effective is this method?
Anonymous Platypus
7 votes, 1 answer
Aren't a HIDS, NIDS and WAF complementary?
Assume this scenario:
Someone trying to hack a website. Simply put: www.site.com/example.php?=
A HIDS would see this attempt in Apache's access log, a NIDS would see this attempt in the packet's HTTP section, and the WAF in the…
The Illusive Man