Web application firewalls (WAF) have become a fixture of the computing landscape over the last twenty years or so. Indeed, some people probably can’t imagine the world without them, so ubiquitous they have become in filtering, monitoring and blocking traffic. How could any system possibly be secure without a WAF?

However, the reality is that the WAF hasn’t necessarily established itself as a method of security due to its unequalled qualities. It has simply been widely mandated. The WAF is, in fact, becoming somewhat antiquated, with the weaknesses of this approach to application security becoming increasingly obvious.

Zero-Day Exploits

The first reason for this is that WAFs struggle to deal with zero-day exploits. This is due to the particular idiosyncrasies associated with WAF technology. In order to keep WAFs up-to-date with intrusive zero-day attacks, it is necessary to exhaustively update the rules associated with a particular system. In the meantime, zero-day vulnerabilities can exploit any attack vectors that are not covered by the WAF’s rules[1] .

Regular Expression Issues

Another problem for WAFs is that their signatures are often represented using regular expressions. These are fine in theory, but in practice leave WAFs open to malicious code injections that are expressed in a different language. To put the meat on these bones, regular expressions are only capable of describing Type-3 languages – as referred to in Chomsky’s hierarchy – whereas software code is a context-sensitive Type-1 language [2] .

Replay Attacks

WAFs also struggle to cope with replay attacks. To explain these briefly, replay attacks involve a technique in which valid data transmission is maliciously or fraudulently repeated or delayed.[3] There are ways of preventing replay attacks, and mitigating their effectiveness, but WAFs are not the ideal solution.

The reason for this is that they’re only capable of detecting attacks injected into isolated web requests, meaning that they are impotent when faced with attacks that occur over multiple requests. This really means that WAFs are rather vulnerable when dealing with replay attacks.

Maintenance Issues

There is no doubt that maintenance of WAF networks is also labour-intensive. Web application firewalls need to be maintained once they have been set up, and this is a more consuming task than it might sound. Web applications are pretty malleable. They are constantly changing. Consider how often updates occur, how often new features are required by users, and how the general landscape of computing is constantly evolving. And then developers often wish to add new features just to satisfy their own curiosity, creativity and perfectionism!

When you combine all of these factors, it’s quite evident that web applications can change on a virtually daily basis. And when you have deployed a WAF as part of the overall security framework in your organisation, this means that features of it cannot be designed and implemented in isolation. Everything has to be considered in tandem with the WAF. Rest assured, this can be a major headache.

Blocking Valid Traffic

Another unwanted symptom of WAF installation can be the inadvertent blocking of legitimate traffic. This is often referred to as ‘false positives’.[4] While this may sound relatively innocuous, it can be disastrous for any organisation. Visitors to your website can be blocked from uploading media, benefiting from the functionality of applications, or even from purchasing products and services. Needless to say, this can be extremely bad for business!

And the only way to really combat this with a WAF setup is to run the bare minimum number of rules possible. But this could then make the network more vulnerable to other types of attack. It’s a difficult balancing act, for which there is ultimately no ideal solution.

Tailoring Rules Appropriately

It can therefore be tricky to tailor rules appropriately with any WAF system.[5] Overly prescriptive rules can result in a lot of false positives. But lax rule setting can leave a network over to attacks and abuse. Rules that seek out SQL keywords can end up being triggered by completely benign requests, and causing all sorts of mayhem.

DDoS Difficulties

And, finally, DDoS attacks can also pose problems for WAF setups. This is particularly worrying, as there have been numerous high profile examples of successful DDoS attacks, and attackers do not require a huge amount of technical knowledge to carry them out. So we can expect to see DDoS attacks become more prevalent in the coming years.

WAFs Don’t Work

In conclusion, WAFs are struggling to cope with the highly complex contemporary computing environment. They are increasingly beginning to look sluggish, inflexible, and ultimately unfit for purpose. It is only be acknowledging this, and seeking more sophisticated solutions, that we will create safer and slicker modern networks.


  1. Bobcares (2015). How we blocked zero-day malware attacks on websites using NAXSI firewall. [online]. Available at: https://bobcares.com/blog/how-we-blocked-zero-day-malware-attacks-on-websites-using-naxsi-firewall/

  2. Hopcroft, John E.; Motwani, Rajeev; Ullman, Jeffrey D. (2000). Introduction to Automata Theory, Languages, and Computation (2nd ed.). Addison-Wesley.

  3. PentaSecurity (2017). What Are Session Replay Attacks?. [online]. Available at: https://www.pentasecurity.com/blog/session-replay-attacks/

  4. Wickett, J. (2017). It’s Time to Break Up with Your WAF. DevOps.com. [online]. Available at: https://devops.com/time-break-waf/

  5. SECConsult (2017). Are Web Application Firewalls Useful? A Pentester’s View. [online]. Available at: https://www.sec-consult.com/en/blog/2012/10/are-web-application-firewalls-useful-a-pentesters-view/