A web application firewall (or WAF) filters, monitors, and blocks HTTP traffic to and from a web application. A WAF is differentiated from a regular firewall in that a WAF is able to filter the content of specific web applications while regular firewalls serve as a safety gate between servers. By inspecting HTTP traffic, it can prevent attacks stemming from web application security flaws, such as SQL injection, cross-site scripting (XSS), file inclusion, and security misconfigurations.
Application firewalls, which control input, output, and access from applications or services, were first developed in the early 1990s by Gene Spafford, Bill Cheswick, and Marcus Ranum. Their product was largely a network-based firewall but could handle a few applications (like FTP or RSH) and was released to market by DEC. Within the next few years, the products were further developed by other researchers to provide stable firewall software for others to build on, and raised the bar for the industry.
Dedicated web application firewalls entered the market later in the decade when web server hacker attacks were becoming much more noticeable.
The first company to offer a dedicated web application firewall was Perfecto Technologies with its AppShield product, which focused on the e-commerce market and protected against illegal web page character entries. Perfecto renamed itself as Sanctum and named the top ten web application hacking techniques and laid the foundations for the WAF market:
- Hidden field manipulation
- Cookie poisoning
- Parameter tampering
- Buffer overflow
- Cross site scripting (XSS)
- Backdoor or debug options
- Stealth commanding
- Forced browsing
- Third party misconfigurations
- Known vulnerabilities