Why Do You Need a WAF?

WAF is essential for your APIs and web applications to be protected against zero-day, SQL injections and DDoS attacks. Learn more!

Paulo Moura - Technical Researcher
Why Do You Need a WAF?

Does your company use web applications? Then a Web Application Firewall (WAF) is an essential tool for protecting your business. After all, the volume and complexity of cyberattacks against this kind of application have never been higher, and with all the sensitive data that may be stored in them, security is essential.

The network firewall you already use plays a vital role in your defense but is useless when dealing with attacks against the application layer. You need tools specially designed to fight these threats, like a WAF.

What is a Web Application Firewall?

A WAF is a firewall that protects web applications by controlling and monitoring HTTP and HTTPS traffic. By using it, you can create a set of instant traffic analyses so that threats such as Cross-Site Scripting, SQL injections, and DDoS are identified and mitigated before reaching your application.


Unlike a traditional firewall, which operates on the network layer and aims to avoid unauthorized access or attacks on private networks following a logic previously implemented by the firewall administrator—which we call “stateless”—, the WAF protects the application components exposed to the web using a different approach.

Therefore, the WAF does not replace a network firewall but works as a complement. The WAF performs a real-time evaluation of whether a request fits into known attack patterns from an independent base of administrator actions—a type of logic known as “stateful.” In it, the WAF considers all pre-configurations of defined traffic profiles and performs their classification.

How Does a Web Application Firewall Work?

The implementation of a WAF happens between the web application and the Internet. When a request crosses the network and transport layers (3 and 4) and reaches the application layer (7), the WAF, following a set of rules, filters the traffic, blocking requests that represent potential threats.


Imagine your application as a concert or a sporting event. To be admitted, participants must first go through access control, where they identify themselves, show their tickets, go through a metal detector, etc.

However, there’s a sector reserved for guests, and they must meet some criteria to gain access, otherwise their entry will be denied. Concerning web applications, when a user doesn’t meet the requirements that qualify them as legitimate, their request is blocked.

What Kinds of Attacks Can a WAF Prevent?


The OWASP (Open Web Application Security Project) initiative maintains a document popularly known as the “OWASP Top 10”, which “represents a broad consensus about the most critical security risks for web applications,” besides being “globally recognized by developers as the first step to more secure coding”.

The OWASP list covers attack vectors that represent the largest share of cybersecurity events, like SQL injections, Cross-Site Scripting (XSS) e XML External Entities (XXE). Therefore, a WAF’s ability to prevent risks and threats related to the OWASP Top 10 should be considered a requirement.


Attacks from bots are characterized by automation; they are software programmed to execute a diverse set of malicious practices and techniques, like account takeover (ATO), API abuse, and DDoS. Nowadays, sophisticated bots can emulate human behavior to the point of raising doubts if an attack is really happening.

Is your website protected against bad bots? We have a free report that can help you find the answer.


Attacks that exploit a recently discovered vulnerability to attack a system. Cases like Log4Shell illustrate the effect of a zero-day attack and its worldwide repercussions. After all, the longer it takes to fix a vulnerability, the greater the risk of suffering a potentially catastrophic attack.


As mentioned above, DDoS attacks on the application layer can be caused by bots, and differentiating legitimate and malicious requests is a hard task. Usually, the aggressor’s goal is to bring down a web server using volume-based methods by directly exploiting a vulnerability in the target system.

Unknown Vulnerabilities

Vulnerabilities don’t pop into existence when they are discovered. Existing but still unknown vulnerabilities in your application, including the operating system on which it runs and its third-party components, represent a risk that can result in a zero-day attack.

Not every kind of WAF is capable of protecting your application in those situations. Since the vulnerability itself has no “signature,” a signature-based WAF will not solve this type of problem.

By the way, the blocking method is a determining aspect for the effectiveness of a WAF. To understand more about it, check out this post where we explain the differences between signature-based and scoring-based WAFs.

Subscribe to our Newsletter