Are WAFs just reverse proxies on steroids?

Saurabh Jain
2 min read · Aug 14, 2024


This question has been on my mind ever since I first started using web application firewalls, and now that I know a thing or two about both, it feels good to be back and writing again.

Nothing serious, chill.

The first question that could pop up: why compare WAFs only with reverse proxies, and not with forward proxies?

Well, let’s save that for a future discussion. Before that, let’s understand what a proxy and a reverse proxy are.

A proxy can be thought of as a separate system (a block in the diagram) placed either between the client and the internet, or between the client and the web server.

Image credits: ByteByteGo

The basic difference between a forward and a reverse proxy lies in where they sit in the architecture, which in turn dictates their use cases.

Didn’t make sense? Yeah, same here.

Now, if you look at a general diagram of a web application firewall:

Image credits: Cloudflare website.

You can see a striking similarity in their general setup and in the way they function: both sit between the client and the server and inspect incoming HTTP requests from the various clients/end users.

WAFs are nothing but reverse proxies with extra functionality added on top; a few of those functions are listed below.

  1. Request inspection based on the GET/URL content to address layer 7 attacks carried out via requests crafted with XSS or SQLi payloads.
  2. The ability to rate limit incoming requests to protect the origin server from being overwhelmed.
  3. Distinguishing whether incoming requests are human-generated or automated by malicious bots.
  4. Collecting different types of telemetry over a period of time to analyze patterns in incoming traffic that might not be visible or evident within a day or two (for example, some attacks are sophisticated enough to stay just shy of your thresholds and still overwhelm your cloud resources over time).
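
To make the four items concrete, here is an added example (mine, not code from the post or from any vendor's product) of a minimal decision stage a reverse proxy could run before forwarding a request: crude XSS/SQLi signatures on the decoded URL, a missing-User-Agent bot heuristic, a sliding-window burst limit, and a long-window counter for clients that stay just under that limit. The rule patterns, limits, client addresses and URLs are all constructed for the demo.

```python
import re
from collections import defaultdict, deque
from urllib.parse import urlsplit, unquote_plus

# Constructed, deliberately crude signatures for the two payload classes the post names.
# Real WAF rule sets are far larger; these only illustrate where inspection happens.
RULES = {
    "xss": re.compile(r"<script\b|javascript:|\bon\w+\s*=", re.I),
    "sqli": re.compile(r"\bunion\s+select\b|'\s*(or|and)\s+'?\w+'?\s*=|--\s*$", re.I),
}

def _prune(q, now, window):
    """Drop timestamps older than the window from a deque (sliding-window counter)."""
    while q and now - q[0] > window:
        q.popleft()

class MiniWaf:
    """Decision layer a reverse proxy could run before forwarding a request to the origin."""

    def __init__(self, rate_limit=5, window=60, slow_limit=20, slow_window=3600):
        self.rate_limit, self.window = rate_limit, window            # burst protection
        self.slow_limit, self.slow_window = slow_limit, slow_window  # low-and-slow telemetry
        self.hits = defaultdict(deque)     # per-client timestamps, short window
        self.history = defaultdict(deque)  # per-client timestamps, long window

    def inspect(self, client, url, headers, now):
        """Return (verdict, reason); verdict is 'allow', 'block' or 'challenge'."""
        # Item 1: layer 7 inspection. Decode path + query once, then match signatures.
        parts = urlsplit(url)
        decoded = unquote_plus(parts.path + "?" + parts.query)
        for name, rx in RULES.items():
            if rx.search(decoded):
                return "block", name
        # Item 3: bot heuristic. Browsers always send a User-Agent; its absence earns a challenge.
        if not headers.get("User-Agent"):
            return "challenge", "no-user-agent"
        # Item 2: burst rate limit per client on a short sliding window.
        q = self.hits[client]
        _prune(q, now, self.window)
        q.append(now)
        if len(q) > self.rate_limit:
            return "block", "rate-limit"
        # Item 4: long-window telemetry catches clients that stay just under the burst limit.
        h = self.history[client]
        _prune(h, now, self.slow_window)
        h.append(now)
        if len(h) > self.slow_limit:
            return "block", "slow-abuse"
        return "allow", "ok"
```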

To conclude, I want to make a controversial statement, knowing I will get a lot of backlash for it: today no WAF is comprehensive, and the majority of top enterprise vendors lack critical mitigation features that are essential to address the evolution of attacks.

Until then, see you next time. Tadaaa

If you liked it, please don’t forget to subscribe to my page and clap for this story.


Written by Saurabh Jain

Web & Application Penetration Tester
