Understanding How an Open Source WAF Monitor HTTP Requests

What is a WAF?

A Web Application Firewall (WAF) is designed to detect and block threats targeting web applications. It protects against attacks such as SQL injection, cross-site scripting (XSS), and other application-layer attacks.

Unlike traditional firewalls that provide a barrier between networks, a WAF specifically focuses on the HTTP/HTTPS traffic of web applications.

SafeLine WAF

SafeLine is a free and open source docker-based, easy to use, self-hosted web application firewall (WAF) that protects your website from cyber attacks such as SQL injection, XSS, OS command injection, CRLF injection, x path injection, RCE, XXE, SSRF, directory traversal, backdoors, brute force, http-flood, bot abused, among others.

How SafeLine Monitor HTTP Requests

1. Traffic Interception

The first step in the operation of an open source WAF is intercepting the HTTP traffic. This is typically done by positioning the WAF as a reverse proxy between the client and the web server. All incoming traffic to the web server passes through the WAF, allowing it to inspect and filter requests before they reach the application.

2. Request Analysis

Once the WAF intercepts the HTTP traffic, it performs a deep analysis of the request. This involves several layers of inspection:

• Header Inspection: Examines the HTTP headers for anomalies or malicious patterns.
• URL Inspection: Checks the URL for suspicious parameters or unusual patterns.
• Body Inspection: Analyzes the content of POST requests for potential threats.

3. Rule Matching

Open source WAFs use a set of predefined rules to detect malicious activity. These rules are often derived from community contributions and known threat signatures. When a request matches a rule, the WAF can take predefined actions, such as blocking the request or logging the event.

4. Anomaly Scoring

Some advanced open source WAFs employ anomaly scoring mechanisms. Each request is given a score based on its deviation from normal behavior. If the score exceeds a certain threshold, the WAF will take action, such as blocking the request or flagging it for further inspection.

5. Logging and Reporting

A critical feature of WAFs is logging and reporting. Every intercepted request, especially those deemed suspicious or malicious, is logged. These logs provide valuable insights into potential threats and can be used for further analysis and forensic investigation.

The above image is the HTTP request monitoring logic of SafeLine. It's quite clear and effective.

Conclusion

Open source WAFs play a crucial role in protecting web applications from a myriad of threats. By intercepting, analyzing, and filtering HTTP requests, they provide a robust layer of security. SafeLine is one of the tool that works very nice, said a SafeLine user from Chile.