A Study of Web Application Firewall Solutions

  • Stefan Prandl
  • Mihai Lazarescu
  • Duc-Son Pham
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9478)


Web application firewalls (WAFs) are the primary front-end protection mechanism for Internet-based infrastructure which is constantly under attack. This paper therefore aims to provide more insights into the performance of the most popular open-source WAFs, including ModSecurity, WebKnight, and Guardian, which we hope will complement existing knowledge. The key contribution of this work is an in-depth approach for conducting such a study. Specifically, we combine three testing frameworks: the Imperva’s proprietary benchmark, a generic benchmark using both FuzzDB and Burp test-beds, and testing for common vulnerabilities and exposures (CVE) known exploits. Our experiments show that open source WAFs are not yet totally reliable for protecting web applications despite many advances in the field. ModSecurity appears to be the most balanced open-source solution.


Web application firewalls Information security ModSecurity WebKnight Guardian Imperva WAF testing framework 


  1. 1.
  2. 2.
  3. 3.
  4. 4.
    Balock, R., Jaffery, T.: Modern Web Application Firewalls Fingerprinting and Bypassing XSS Filters. Technical report, Rhainfosec (2013), White PaperGoogle Scholar
  5. 5.
    Bau, J., Bursztein, E., Gupta, D., Mitchell, J.: State of the art: automated black-box web application vulnerability testing. In: 2010 IEEE Symposium on Security and Privacy (SP), pp. 332–345. IEEE (2010)Google Scholar
  6. 6.
    Becher, M.: Web Application Firewalls. VDM Verlag, Saarbrücken (2007)Google Scholar
  7. 7.
    Bojinov, H., Bursztein, E., Boneh, D.: Xcs: cross channel scripting and its impact on web applications. In: Proceedings of the 16th ACM Conference on Computer and Communications Security, pp. 420–431. ACM (2009)Google Scholar
  8. 8.
    Cabrera, H., Krstic, G., Petrushevski, S.: CloudFlare vs Incapsula: Round 2. Technical report, Zero Science Lab (2013). Accessed 16 July 2015
  9. 9.
    Doupé, A., Cova, M., Vigna, G.: Why Johnny can’t pentest: an analysis of black-box web vulnerability scanners. In: Kreibich, C., Jahnke, M. (eds.) DIMVA 2010. LNCS, vol. 6201, pp. 111–131. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  10. 10.
    Huang, Y.W., Yu, F., Hang, C., Tsai, C.H., Lee, D.T., Kuo, S.Y.: Securing web application code by static analysis and runtime protection. In: Proceedings of the 13th International Conference on World Wide Web, pp. 40–52. ACM (2004)Google Scholar
  11. 11.
    Jovanovic, N., Kruegel, C., Kirda, E.: Pixy: a static analysis tool for detecting web application vulnerabilities. In: Proceedings of the IEEE Symposium on Security and Privacy. IEEE (2006)Google Scholar
  12. 12.
    Nguyen-Tuong, A., Guarnieri, S., Greene, D., Shirley, J., Evans, D.: Automatically hardening web applications using precise tainting. In: Sasaki, R., Qing, S., Okamoto, E., Yoshiura, H. (eds.) Proceedings of the 20th IFIP International Information Security Conference, vol. 181, pp. 295–307. Springer, US (2005)Google Scholar
  13. 13.
    Tibom, P.: Incapsula vs. CloudFlare: Security Review & Comparison. Technical report, Personal Review (2012). Accessed 16 July 2015
  14. 14.
    Torrano-Gimenez, C., Perez-Villegas, A., Alvarez, G.: A self-learning anomaly-based web application firewall. In: Herrero, Á., Gastaldo, P., Zunino, R., Corchado, E. (eds.) Proceedings of the Conference on Computational Intelligence in Security for Information Systems, vol. 63, pp. 85–92. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  15. 15.
    Vernotte, A., Dadeau, F., Lebeau, F., Legeard, B., Peureux, F., Piat, F.: Efficient detection of multi-step cross-site scripting vulnerabilities. In: Prakash, A., Shyamasundar, R. (eds.) ICISS 2014. LNCS, vol. 8880, pp. 358–377. Springer, Heidelberg (2014) Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. 1.Department of ComputingCurtin UniversityPerthAustralia

Personalised recommendations