WAF - The role of Web Application Firewalls in secure application delivery
Five security attacks WAFs can help you with...
There seems to be a lot of confusion about the role of a Web Application Firewall (WAF) in application security, and what types of threat a WAF can help mitigate in your deployment.
When and how should you use a Web Application Firewall?
Some network engineers think that Web Application Firewalls (WAFs) are so complicated, they've been known to run away and hide for days when they've encountered one.
Why you shouldn't lose sleep over the commercial end-of-life of ModSecurity
The ModSecurity web application firewall (WAF) engine is set to go end-of-life (EOL) on 1 July 2024.
Should an ADC be your first line of defense against Denial of Service (DoS) attacks?
There are two schools of thought on this: ‘yes, it should’ and ‘no, it shouldn't’. Let's look at the arguments both for and against.
OWASP doesn't want you to have crAPI security
Here's what we learned from crAPI about API security, and how a Web Application Firewall (WAF) can help you take things one step further.
Report back from the OWASP Core Rule Set Community Summit and OWASP Global AppSec 2023: The WAF conundrum
I had the privilege of speaking in Dublin at this year's OWASP Core Rule Set Community Summit before then attending OWASP Global AppSec immediately afterwards.
Handling large requests with a Web Application Firewall (WAF) while avoiding Denial of Service (DoS) attacks
Sometimes, we need to pass unusually large HTTP requests through our WAF stack.
How to rate limit with HAProxy Stick Tables and the WAF
A while ago I was asked if it would be possible to apply some general rate limiting in HAProxy and the WAF, in order to help prevent DoS-style attacks on a customer's servers.
ModSecurity DoS vulnerability (CVE-2021-42717)
All WAF vendors and services using ModSecurity are affected by this vulnerability (unless they have the vulnerable piece of code disabled, by chance).
Simplifying web application security with the Core Rule Set v3
A WAF isn't a magic bullet, but, as part of a defense in depth strategy, a properly configured WAF should catch and stop common, everyday attacks.
Extending ModSecurity: How to add completely custom WAF functionality
In this example, I’m going to add a new transformation function to ModSecurity to calculate the Scrabble score of a variable. This will allow us to block HTTP requests containing query string parameters with a Scrabble score above a chosen threshold.
ModSecurity and the Case of the Never Decreasing Variables
In the world of web application security, it can be invaluable to consider a user's behaviour across the entire duration of their web app session.
How to train your Web Application Firewall (WAF)
Let's look at the best way to use the WAF with as little pain as possible!
Secure connections: encrypt, inspect and decrypt traffic when using a WAF
We’re often asked how to configure our load balancer to protect both web servers and users.
Security through geography: blocking traffic by country, continent, or IP address using ModSecurity
Imagine you’re running a business and you often see malicious-looking web traffic from the other side of the globe hitting your website.
Why use a WAF? Because what doesn't kill you makes you stronger
Our helpdesk often encounters confusion about Web Application Firewalls, or WAFs - what they are, how to use them, and what issues they can potentially cause.
Brute force login: Simple protection techniques with the ModSecurity WAF
The web-based login to your application is a juicy target for hackers. And once they get past the login, they can cause you some serious pain.
Darktrace: When looks aren't everything
An engineer at a business using Darktrace confessed that many IT staff ignored the pricey security software because it sent so many false alerts.
HAProxy critical security update — to avoid simple(ish) DoS attack (20 September 2018)
A critical security issue has been found in HAProxy, leaving certain systems vulnerable to remote attack. We want to keep you informed, and we understand that this news might cause you some anxiety. But be reassured - most of our customers won’t be affected.
Nutanix Ready, a great platform now comes with a certified load balancer.
We have built upon our existing strengths in virtualized environments to become Nutanix certified, with the addition of support for Nutanix AHV positions.
Load Balancing Web Servers with OWASP Top 10 WAF in Azure
In the Azure Management Portal, select the Virtual Machines option, click on the newly deployed Load Balancer VM, click on Network interfaces and then select the network interface attached to the load balancer, then click IP configurations and ensure that IP forwarding is Enabled.
Load Balancing Apache Web Servers with OWASP Top 10 WAF in Azure
The WAF addresses the OWASP Top 10 vulnerabilities and is very quick and simple to deploy.
Security through obscurity - double login protection made easy...
Security through obscurity is not a great idea when it is your ONLY protection technique. For example, moving your SSH port from 22 -> 23 won't fool any hackers for long! However, I've always liked putting a 'double login' in front of important web sites to frustrate simple automated hacking tools.
Load Balancing Nginx Web Servers with OWASP Top 10 WAF in Azure
SSL offload is handled by STunnel, while HAProxy handles back-end server re-encryption.
How to stop web form spam — use a simple honey pot trap in ModSecurity...
How frustrating do you find it when hackers or robots fill in your website forms with "Buy Viagra Now!" type spam?