What is Web Application Firewall (WAF)? Types & Benefits

|
Posted on

Add a critical layer of security to your network by protecting applications from attack. 

Did you know that over two thirds of web applications have critical security flaws? That is what Veracode found when it scanned 130,000 applications for vulnerabilities, finding some 68% had a flaw that fell into the OWASP Top 10. 

OWASP, or The Open Web Application Security Project, produces an annual list of the top 10 exploits being seen in the wild. 

Web applications are a major target for cybercriminals who explicitly exploit known vulnerabilities. Not all these web application security flaws have fixes, and not all fixes are implemented by IT anyway, leaving these applications sitting ducks. 

It doesn’t have to be that way. A Web Application Firewall, or WAF, can block hackers from your software the same way a perimeter firewall blocks network intrusion.  

So, what is a Web Application Firewall? On the surface it seems a bit self-explanatory, but the devil is in the WAF details. 

We’ll look at these details, show how a Web Application Firewall blocks attacks and demonstrate how to get started. 

The Commercial App Attack Surface  

The fundamental challenge that IT faces is that web apps have vulnerabilities which are not limited to home-grown applications – we regularly see reporting of vulnerabilities in market leading applications. As we can see from industry analysis, the number of apps with vulnerabilities is significant and nobody can be complacent about how secure their application is. 

You may ask why would hackers attack me? I’m not a mega-corp, I don’t hold state secrets – I don’t have anything of value for them. 

It’s more complex than that. You see, hackers are often bent on extraction – more simply put, at the stealing of application data. Of course, items like credit cardholder data are obviously of value, but hackers also see value in stealing information such as customer records or lists of usernames, as this can be used to craft other web attacks. 


Extortion via ransomware or threats to publish sensitive data is a key motivator. Again, the size or type of the organization is not necessarily significant to make these attempts worthwhile. 

Meanwhile, vectoring is when your compromised web application is used to deliver malware to visiting clients. While no actual damage is done to your application on the surface, there is the potential for reputational damage and having your website blocked by search engines and client protection software.   

What is a Web Application Firewall (WAF)? 

So what is a web application firewall? The folks that make the LoadMaster load balancing solution know the answer – because we have one! 

“A Web Application Firewall (WAF) builds on and enhances traditional firewall security protection. Traditional firewalls don't stop encrypted HTTPS traffic as they have no visibility of the content within. A Web Application Firewall, which is logically placed between standard firewalls and web servers, operates at Layer 7 of the network stack. It can decrypt HTTPS web traffic and inspect the data content. In conjunction with lists of known attack methods, the Web Application Firewall can deny access to web servers when potentially malicious requests are detected,” the Progress/Kemp glossary explained.

What Are the Benefits of a Web Application Firewall? 

Web application firewall is a critical component of modern multi-layered defenses because they provide the following:
  • Defense for web applications - Businesses and other organizations depend on web applications for critical operations and customer engagement, making them prime targets for cyberattacks. WAFs act as a frontline defense, sitting directly in the web traffic path between endpoint devices and web application servers, looking for security issues in the traffic before it can reach the applications.
  • Security that goes beyond traditional defenses – WAFs analyze how web traffic using HTTP/HTTPS protocols works and inspect these network packets to look for threats. This means that WAFs can prevent threat exploits that tools like network firewalls can’t detect. It’s worth repeating that WAFs do not replace traditional network firewalls. It augments them (and other security tools) by adding additional security inspections and checking network traffic in a different and complementary way.

What is the Difference Between a Web Application Firewall (WAF) and a Firewall? 

A web application firewall enhances and complements traditional firewalls which have no visibility into the content of encrypted HTTPS traffic and therefore can’t block dangerous HTTPs streams. 

In contrast to traditional firewalls, WAF operates at Layer 7 of the network stack between standard firewalls and web servers, decrypting HTTPS traffic and inspecting the data within. With anomaly detection and lists of attack methods, the web application firewall can block access to web servers when malicious traffic activity is spotted. 

Why Does a Web Application Need a Firewall? 

Protecting against vulnerabilities is a multi-layer challenge and one of the most significant layers is the Web Application Firewall or WAF. 

So how does a WAF help? A WAF is a proxy that sits between users and a web application, inspects all network traffic for malicious attempts to exploit vulnerabilities and can block such attempts from getting to the web application. 

As part of a layered security approach, a WAF can deliver logging and event information to external security and monitoring services. The WAF technology uses a set of rules that provide protection against a wide range of attacks – this set of rules has evolved over the years to provide coverage for new and emerging threats. In the case of the WAF available with Progress/Kemp LoadMaster, these security rules are updated automatically on a regular basis. 

Diagram explaining how a Web Application Firewall (WAF) works. It shows traffic flowing through a firewall for inspection, with connections to logging and SIEM systems, rule updates, and destination servers.


 

 

 

 

 

 

 

 

 



Using the LoadMaster WAF as an example, this WAF’s rules provide protection against the major vulnerabilities identified in the OWASP TOP 10. 

OWASP are an independent, industry supported group who focus on application security and annually conduct research into application security. Over the years, the vulnerabilities in the OWASP top 10 have changed as new exploits become more common and older exploits have been mitigated over the years as application vendors fix vulnerabilities. The rules provided by LoadMaster include these older vulnerabilities, alongside application specific protection. 

How is a Web Application Firewall Used?

Let’s take a quick look at some of these vulnerabilities and how they are exploited, starting with SQL Injection. 

Example of an SQL injection attack. A form is filled with “John” as the first name and a malicious SQL string in the surname field. The resulting query shown is: SELECT * FROM Users WHERE Name =

 

 


 

 

 


 

 

 

 

The above illustration shows what an SQL injection attack looks like. An SQL injection attack attempts to modify the behavior of an SQL statement at the back end server by injecting additional SQL commands. 

Here we have a form that takes in variables and constructs an SQL statement based on the values in the form fields. However, if a malicious actor injects some additional SQL via the surname field, the results returned are completely different. 

As 1 = 1 is always true, the statement with a family name will return true: John = John. As a result, the SQL statement is actually selecting all users with the first name John – not what was originally intended by the developer. 

This simplistic example shows how a web application may be exploited to deliver more data than was intended. Variants of this attack could actually execute SQL drop statements to delete parts of the database. 

Now, let’s peek at Broken Access Control exploits. With Broken Access Control, a user can act on resources outside their intended permissions. 

In the below example, we see a normal access where a user accesses their own account. However, if they modify the parameter on the HTTP request, they are allowed to access someone else’s account. Again, not exactly a desirable outcome. 

Example showing a user logged in with account number 12345 accessing their account via a URL. The URL includes the parameter acctno=12345. In the second part, the user modifies the URL to use acctno=67891, changing the account number parameter in the browser address bar.

 

 

 

 


 

 

 

 




These two are very simplistic – applications should be coded much better than this - but they may still be susceptible to well-crafted attacks designed to exploit a very specific weakness.

Application weaknesses may be inherited from 3rd party or open-source components, which when updated may introduce new vulnerabilities. This is why application protection should be ongoing and not just based on periodical security checks such as app penetration tests. 

What are the Types of Web Application Firewalls? 

There are three main types of web application firewalls: 

  • Cloud-based WAFs are delivered as a service and the firewall exists completely in the cloud.
  • Hardware-based WAFs are hardware devices deployed on a LAN.
  • Software-based WAFs are generally deployed via a virtual machine and can run in the cloud or on-premises. 

WAF Deployment Modes 

The Kemp LoadMaster WAF can be hardware or cloud-based solution, though the cloud is the preferred method. “Organizations can deploy a network-based web application firewall either as a dedicated instance or as a component alongside other LoadMaster functionality like load balancing. Virtual, machine-based network WAF deployment is becoming the norm, but hardware-based options are available if required. Network firewalls have the advantage of lower network latency for protected applications due to the proximity of back-end servers. However, there is management overhead due to deploying another device or virtual machine instance,” the Kemp Web Application Firewall (WAF) page argued. 

The cloud is the hot way to go. “Cloud-based web application firewall deployment allows all the benefits of public cloud deployment. Capacity can flex up and down as required. IT teams can eliminate the management overhead burden of hosting infrastructure on-premises,” the page contends. 

What Web Application Firewall Should I Use? 

The Kemp WAF offers in-depth defense for web servers, applications and your website, protecting both custom and off-the-shelf applications from vulnerabilities such as SQL injection and cross-site scripting (XSS).  

With Kemp WAF, IT can create security profiles for each application and comes equipped with pre-integrated rulesets for common attack vectors, stopping specific traffic patterns indicative of malfeasance from reaching your applications — without modifying your applications or infrastructure.  

Here is a detailed look as how the web application firewall works.

Diagram of a web application firewall filtering user requests, dropping invalid ones, and forwarding valid traffic to destinations like data centers, cloud, and storage. Includes policy updates and logging flow.

Protection Against OWASP Top 10 Attacks 

As mentioned earlier, the Open Web Application Security Project (OWASP) Top 10  identifies the most common and critical web application attacks. LoadMaster WAF has pre-defined rulesets to fight these very vulnerabilities. Built-in WAF protections include: 

  • Cookie Tampering 
  • Injection Attacks
  • Cross-Site Scripting (XSS)
  • Data Loss Prevention (DLP)
  • Buffer Overflow Protection
  • Access Control
  • Security Misconfiguration
  • Real-Time Protection
  • Denial of Service Protection
  • Botnet Attack Preventions
  • Web-Based Malware Protection
  • Zero-Day Threats 

Listen and Learn 

Learn more about web application firewalls and get the skinny on setting up a WAF by tuning into our Web Application Firewall 101: What is WAF? webinar
Posted on

Maurice McMullin

Maurice McMullin was a Principal Product Marketing Manager at Progress Kemp.

Next

Follow us via
RSS Feed
 
Topics

Load Balancer

Application Security

LoadMaster 360

Cloud

Kubernetes

Application Experience

Dell ECS

Compliance

Useful Links
Progress Software Logo

Kemp is part of the Progress product portfolio. Progress is the leading provider of application development and digital experience technologies.

Copyright © 2025 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.

Progress and certain product names used herein are trademarks or registered trademarks of Progress Software Corporation and/or one of its subsidiaries or affiliates in the U.S. and/or other countries. See Trademarks for appropriate markings.

Do Not Sell or Share My Personal Information

Powered by Progress Sitefinity