Why Web Application Firewalls fail to protect



A firewall is software or firmware that enforces a set of rules about which data packets are allowed to enter or leave a network. Firewalls are incorporated into a wide variety of networked devices to filter traffic and lower the risk that malicious packets travelling over the public Internet can affect the security of a private network. Firewalls may also be purchased as stand-alone software applications.

A firewall works like a filter between your computer or network and the Internet: traffic that matches its rules is let through, and everything else is not allowed. There are several different methods firewalls use to filter traffic, and some are used in combination. These methods work at different layers of the network, which determines how specific the filtering options can be.




Firewalls act as an extra barrier on top of other security measures, such as antivirus software. However, hardware and software firewall systems work in slightly different manners.


Hardware firewall

Hardware firewall systems are devices independent of the computers they protect; they filter Internet traffic as it passes into a computer. Most broadband Internet routers have their own firewall built in.

In general, hardware firewalls work by examining the data that flows in from the Internet and verifying whether that data is safe. Simple firewalls, known as packet filters, examine the packets themselves for information such as their source and destination. The information the firewall gathers is then compared against a list of permissions to determine whether the packet should be dropped or allowed through. As hardware firewalls have become more advanced, they have gained the ability to examine more information.

These types of firewalls suit homes and small businesses because they require little to no set-up, and multiple nodes (computers) can be protected simply by connecting them to the same router.




Software firewall

There are two main advantages that software firewalls have over hardware ones. The first is that a software firewall can monitor outgoing traffic. Not only does this prevent a computer from becoming a bot or a zombie, it can also prevent the computer from spreading other malware, such as worms or viruses.

The other advantage is that software firewalls are customizable. These programs can be adjusted to meet the needs of the user, such as if they need permissions to be eased up while they’re online gaming or watching an online video.

However, the main disadvantage to software firewalls is that they only protect one computer. Every computer must have its own licensed firewall product. On the other hand, a hardware firewall can protect every computer attached to it.





Why Web Application Firewalls fail to protect

If there’s one constant in the modern era, besides the near-ubiquity of technology — or perhaps because of it — it’s security. Actually, it’s security breaches.

In the last 12 months alone, there have been attacks on LinkedIn, there was massive account fraud at Tesco Bank, and a DDoS attack on Singaporean ISP, StarHub.

Whether the breaches involve utility services, such as power stations or the websites and web-based applications which we all commonly use on a daily basis, it’s hard not to feel exposed, wondering if there is anything which we can do.

As a software developer, security is something which, I’ll be honest, concerns me yet I’ve not been as diligent with as I should be. But in recent times, it’s risen to near the top of my consciousness, alongside software craftsmanship.





Use a Web Application Firewall

The first idea that came to mind was to use a web application firewall (WAF). Firewalls have, for the longest time, been considered a critical line of defense against attacks from outside of an organization.

A WAF is better than a standard firewall, as it can filter and inspect traffic at the level of the application's own conversation (HTTP requests and responses). As such, it is a firewall customizable to the needs of a particular application.

However, they’re a mixed blessing. For example, when a WAF inspects traffic it has only limited contextual information to work with, as it sees one raw packet at a time. An individual packet won’t mean a lot from an inspection perspective.

Consequently, using WAFs for application protection can be a rather brute-force — or blunt — approach. What’s more, they are hard to configure, unless you’re a security or networking expert, something not many software developers are. Then, in addition, firewall configurations need to be maintained. It’s not a set-and-forget affair.

But, they have the potential to block up to 62% of current attack vectors, such as SQL injection, Cross-Site Scripting (XSS), and Cross-site Request Forgery (CSRF).

What’s more, over the course of time, as the application evolves the configuration can be continuously refined. Then there’s their ability to perform virtual patching when a defect in an application is discovered. Virtual patches are a way to temporarily patch an application defect without having to change any application code.


Cross-Site Scripting



Web Application Firewalls Are Not Perfect

After investigating them further, it seems there may be more drawbacks than advantages, depending on your available budget.

They Can Generate False Positives and False Negatives

When inspecting traffic, a WAF assesses each packet against a set of predefined patterns to determine what to do with it. Let’s take the one below as an example, taken from an excellent talk on web application firewalls:


if ($path == "/admin") {
    if ($ipaddr == $internal_ipaddr) {
        [block request]
    } else {
        [allow request]
    }
}


In this pattern the WAF is checking if the path requested within the application is /admin as well as the IP address of the client making the request. If the request is to /admin and, oddly, if the client’s IP address is on the internal network, then the request will be blocked. However, if the client’s IP address was from outside the network, then the request would be let through.

Here we see an example of a rule that will generate a false negative: a malicious request is not correctly detected, and therefore not defended against. Then there are false positives, where a request which is actually legitimate is marked by the WAF as malicious and therefore blocked.
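As an added illustration (not code from the talk or the original post), the pseudocode rule above and a corrected version of it are evaluated in Python against three constructed requests, so the false negative and false positive can be seen directly. The internal range 10.0.0.0/8 and the client addresses are assumptions.

```python
import ipaddress

# Constructed sample network: the "internal" range the rule compares against.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL_NET


def rule_from_talk(path: str, client_ip: str) -> str:
    """The inverted rule quoted above: /admin is blocked for internal
    clients and allowed for everyone else."""
    if path == "/admin":
        if is_internal(client_ip):
            return "block"
        return "allow"
    return "allow"


def corrected_rule(path: str, client_ip: str) -> str:
    """What the rule presumably meant: /admin reachable only from inside."""
    if path == "/admin" and not is_internal(client_ip):
        return "block"
    return "allow"


def classify(decision: str, is_malicious: bool) -> str:
    """Label a WAF verdict against ground truth for the request."""
    if is_malicious and decision == "allow":
        return "false negative"
    if not is_malicious and decision == "block":
        return "false positive"
    return "correct"


# Constructed requests: (path, client ip, is the request malicious?)
REQUESTS = [
    ("/admin", "203.0.113.7", True),       # outsider probing the admin page
    ("/admin", "10.1.2.3", False),         # legitimate administrator
    ("/index.html", "203.0.113.7", False), # ordinary public page view
]


def audit(rule) -> list:
    """Run every sample request through a rule and label each verdict."""
    return [classify(rule(path, ip), bad) for path, ip, bad in REQUESTS]


if __name__ == "__main__":
    print("rule from talk :", audit(rule_from_talk))
    print("corrected rule :", audit(corrected_rule))
```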


Can Easily Be Bypassed

Now what about bypassing the protection which a WAF offers? Remember that most WAFs are software, which in turn may have vulnerabilities that can be abused. WAFs commonly do what’s referred to as fail open or fail closed in the event of too much traffic.

Fail open is where the WAF reverts to monitoring only, or less, effectively letting all traffic through. Fail closed is the opposite: all traffic is blocked. In either case, a DoS or DDoS attack could break through the WAF, or cause it to prevent access to the application entirely.

Then there are a number of other ways to bypass, or abuse, WAFs or the rules which they implement. How about faking where the request is coming from by sending an X-Forwarded-For header?

Or say there was a rule that validated a field, but the check was case-sensitive. A request using mixed case would bypass the rule, allowing it through to the protected application and perhaps breaking it. These are just a few ideas; there are many others.
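The two weaknesses just described, trusting X-Forwarded-For and matching case-sensitively, each shown beside a hardened rule in Python; this is an added example, not from the original post. It goes slightly beyond the text by also URL-decoding before matching. The trusted proxy address, the internal range and the sample requests are constructed assumptions.

```python
import ipaddress
from urllib.parse import unquote

TRUSTED_PROXIES = {"10.0.0.5"}                   # assumed: our own reverse proxy
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
SIGNATURE = "<script>"                           # the pattern the rule looks for


def naive_client_ip(req: dict) -> str:
    """Trusts whatever the client put in X-Forwarded-For."""
    return req["headers"].get("X-Forwarded-For", req["peer"])


def hardened_client_ip(req: dict) -> str:
    """Only believe X-Forwarded-For when the TCP peer is one of our proxies;
    from anyone else the header is attacker-controlled and is ignored."""
    xff = req["headers"].get("X-Forwarded-For")
    if xff and req["peer"] in TRUSTED_PROXIES:
        return xff.split(",")[0].strip()
    return req["peer"]


def admin_rule(req: dict, client_ip_fn) -> str:
    """Block /admin unless the (derived) client address is internal."""
    ip = ipaddress.ip_address(client_ip_fn(req))
    if req["path"] == "/admin" and ip not in INTERNAL_NET:
        return "block"
    return "allow"


def naive_xss_rule(req: dict) -> str:
    """Case-sensitive, un-decoded match: mixed case slips past."""
    return "block" if SIGNATURE in req["body"] else "allow"


def hardened_xss_rule(req: dict) -> str:
    """Normalise first: URL-decode (twice, for double encoding), then lowercase."""
    text = req["body"]
    for _ in range(2):
        text = unquote(text)
    return "block" if SIGNATURE in text.lower() else "allow"


def request(path, peer, body="", headers=None) -> dict:
    return {"path": path, "peer": peer, "body": body, "headers": headers or {}}


# Constructed traffic
spoofed = request("/admin", "203.0.113.7", headers={"X-Forwarded-For": "10.9.9.9"})
proxied = request("/admin", "10.0.0.5", headers={"X-Forwarded-For": "10.1.2.3"})
mixed_case = request("/comment", "203.0.113.7", body="<ScRiPt>test</ScRiPt>")
encoded = request("/comment", "203.0.113.7", body="%3Cscript%3Etest")
```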


No Protection Against Zero-Day Exploits

While WAFs can protect against known vulnerabilities, they can’t protect against zero-day exploits. A zero-day exploit targets a vulnerability in an application which is unknown to the application vendor, yet known to an attacker. The attacker can then use it against the application, leaving the vendor no opportunity to rapidly defend against it. Given that, there is no way that a WAF could protect against these types of attacks.


The Complete Solution Cost

Despite the fact that WAFs are much more attuned to applications, that doesn’t mean that out of the box they “Just Work”™. Like standard firewalls, they need to be configured and maintained.

In some ways they need even more work to be set up correctly than a standard firewall, as knowledge of the application is required to ensure that they protect it properly.

In practice, WAFs require both security and application experts to be set up and used to best effect. If you don’t have the expertise in-house, then you’re going to have to outsource the work. Given that, they’re not a cheap solution.
