
Web application firewall

A web application firewall (or WAF) filters, monitors, and blocks HTTP traffic to and from a web application. A WAF differs from a regular firewall in that it can filter the content of requests to and responses from specific web applications, whereas a regular firewall acts as a gate between networks or servers and does not look inside the application-layer payload. By inspecting HTTP traffic, a WAF can block attacks that exploit web application security flaws, such as SQL injection, cross-site scripting (XSS) and security misconfigurations.
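The following toy request inspector is an added example, not code from the article or from any WAF product. It illustrates the distinction drawn above: two requests from the same client to the same server and port look identical to a network firewall, but a WAF parses the HTTP request and can match its decoded content against rules. The rule IDs, patterns and sample requests are constructed for this example and are far simpler than a production rule set.

```python
"""Toy WAF-style HTTP request inspector (added example, not part of the article).

A network firewall sees only addresses and ports; a WAF parses the HTTP
request and inspects its content. The rules below are constructed for this
demonstration and are not ModSecurity's or any real product's rule set.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, unquote_plus, urlsplit


@dataclass
class HttpRequest:
    method: str
    path: str
    query: dict[str, list[str]]
    headers: dict[str, str]
    body: dict[str, list[str]] = field(default_factory=dict)


def parse_request(raw: str) -> HttpRequest:
    """Parse a raw HTTP/1.1 request (constructed text) into its inspectable parts."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    parts = urlsplit(target)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    query = parse_qs(parts.query, keep_blank_values=True)
    form = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = parse_qs(body, keep_blank_values=True)
    return HttpRequest(method, parts.path, query, headers, form)


# Constructed rules: (rule id, description, regex applied to decoded values)
RULES = [
    (1001, "SQL injection: tautology, comment or UNION SELECT",
     re.compile(r"(?i)(\bor\b\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+|--\s|/\*|\bunion\b\s+\bselect\b)")),
    (1002, "Cross-site scripting: script tag, event handler or javascript: URL",
     re.compile(r"(?i)(<\s*script\b|\bon[a-z]+\s*=|javascript:)")),
    (1003, "Path traversal sequence",
     re.compile(r"(\.\./|\.\.\\)")),
]


def inspect(req: HttpRequest) -> list[tuple[int, str, str]]:
    """Return (rule id, description, location) for every rule that matches.

    Values are URL-decoded once more before matching so that a percent-encoded
    payload does not slip past the patterns (a common WAF evasion concern).
    """
    findings = []
    locations = [("path", [req.path])]
    locations += [(f"query:{k}", v) for k, v in req.query.items()]
    locations += [(f"body:{k}", v) for k, v in req.body.items()]
    locations += [(f"header:{k}", [v]) for k, v in req.headers.items()]
    for loc, values in locations:
        for value in values:
            decoded = unquote_plus(value)
            for rule_id, desc, pattern in RULES:
                if pattern.search(decoded):
                    findings.append((rule_id, desc, loc))
    return findings


def decide(raw: str) -> tuple[str, list[tuple[int, str, str]]]:
    """Return ('block' | 'allow', findings) for a raw request, as a WAF would."""
    findings = inspect(parse_request(raw))
    return ("block" if findings else "allow"), findings


# Constructed sample traffic. All three requests go from the same client to the
# same host and port, so a network firewall cannot tell them apart.
BENIGN = "GET /search?q=blue+widgets HTTP/1.1\r\nHost: shop.example\r\n\r\n"
SQLI = "GET /search?q=%27+OR+1%3D1+-- HTTP/1.1\r\nHost: shop.example\r\n\r\n"
XSS_POST = ("POST /comment HTTP/1.1\r\nHost: shop.example\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
            "text=%3Cscript%3Ealert(1)%3C%2Fscript%3E")

if __name__ == "__main__":
    for name, raw in [("benign", BENIGN), ("sqli", SQLI), ("xss", XSS_POST)]:
        verdict, hits = decide(raw)
        print(f"{name:7s} -> {verdict}", [(rule_id, loc) for rule_id, _, loc in hits])
```

Running the block prints `allow` for the benign search and `block` for the other two, naming the rule and the parameter that triggered it. Note that the inspection happens on the decoded parameter values and on every location of the request (path, query, form body, headers), which is what lets a WAF address application-layer flaws that a port-based firewall cannot see.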

Application firewalls, which control input, output, and access from applications or services, were first developed in the early 1990s by Gene Spafford, Bill Cheswick, and Marcus Ranum. Their product was largely a network-based firewall that could handle only a few application protocols (such as FTP or RSH), and it was brought to market by DEC. Within the next few years, other researchers developed the products further into stable firewall software for others to build on, raising the bar for the industry.

Dedicated web application firewalls entered the market later in the decade, when attacks on web servers were becoming much more noticeable.

The first company to offer a dedicated web application firewall was Perfecto Technologies with its AppShield product, which focused on the e-commerce market and protected against illegal character entries in web pages. Perfecto renamed itself Sanctum, named the top ten web application hacking techniques, and laid the foundations for the WAF market:

In 2002, the open source project ModSecurity was formed in order to make WAF technology more accessible and to remove obstacles within the industry such as unclear business cases, cost barriers, and proprietary rule sets. ModSecurity finalized a core rule set for protecting web applications, based on the vulnerability work of the OASIS Web Application Security Technical Committee (WAS TC). In 2003, that work was expanded and standardized through the Open Web Application Security Project's (OWASP) Top 10 List, an annual ranking of web security vulnerabilities. This list would become the industry benchmark for many compliance themes.


...
Wikipedia