Websites hosted on the Internet are continuously inundated with unwanted traffic from bots (automated programs that trawl the Internet for vulnerable websites), hacktivists, and focused attack groups. The intent is simple: exploit vulnerabilities to
- Deface a website
- Steal sensitive information (usernames and passwords, sensitive private information, etc.)
- Compromise the web server and add it to a botnet, from which it is then used to attack other vulnerable websites and networks.
Thousands of websites are compromised every day through vulnerable code or misconfiguration. One of the most effective ways to protect a web application from these threats is a Web Application Firewall (WAF) or Web Application and API Protection (WAAP) solution. A WAF is a compensating control placed in front of the application; it reduces exposure but does not replace fixing the vulnerable code behind it.
A WAF / WAAP solution protects websites and APIs by inspecting and filtering HTTP traffic between the Internet and the web servers. It can defend web applications against attacks such as SQL injection, local and remote file inclusion, cross-site scripting (XSS), and remote code execution.
Many commercial WAF / WAAP solutions exist, but over the years a number of open-source and freemium WAF solutions have also become available to website owners who want to secure their web applications. Below are some of the top open-source/freemium options:
Haltdos WAF Community Edition (CE)
Type: Freemium
Haltdos WAF CE is the free edition of the Haltdos WAF. It is a high-performance WAF and WAAP solution designed to safeguard web applications and APIs. Unlike many of the other open-source WAFs in this list, Haltdos uses its own HTTP request-processing engine built for high throughput, complex rule definitions, and mitigation of sophisticated attacks. It supports mitigation techniques such as CAPTCHA challenges, rate limiting, anomaly detection, redirection, request termination, and connection termination.
Pros of Haltdos WAF CE:
- Support for protection against OWASP Top 10 attacks including SQL Injection, XSS, RFI, LFI, RCE, etc.
- Built-in 1000+ rules with daily threat intel from Haltdos
- GUI managed WAF
- Support for Anti-Bot and API security
- Built-in load balancing and server monitoring
- Easy false-positive management
- Good documentation
Cons of Haltdos WAF CE:
- One installation of WAF protects only one website.
- Advanced rule support is available only in the commercial offering
- Freemium rather than open source: the source code is not available for review
ModSecurity
Type: Open Source
Sometimes also referred to as Modsec, ModSecurity is an open-source web application firewall originally written by Ivan Ristić and for many years maintained by Trustwave. One of the oldest open-source WAFs, it is available as a module for Apache HTTP Server, for Nginx (through the ModSecurity-nginx connector on top of libmodsecurity v3), and for Microsoft IIS. It is free software distributed under the Apache 2.0 license.
Effective July 1, 2024, Trustwave no longer provides support for ModSecurity. Earlier in 2024 Trustwave transferred the project to OWASP, where it continues as OWASP ModSecurity, maintained by the open-source community.
Pros of ModSecurity:
- Extensive framework for HTTP request and response filtering
- Real-time application security monitoring and access control
- Full HTTP traffic logging (audit log)
- Continuous passive security assessment
- Works with any type of website or web application
Cons of ModSecurity:
- Regex-based rules are hard to write and maintain
- Large rule sets such as the OWASP Core Rule Set (CRS) produce false positives, and tuning them for a given application takes effort
- No graphical user interface (GUI)
- High resource utilization when many rules are configured
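The false-positive tuning work from the cons above, in an added example that is not taken from the ModSecurity project's own documentation: ModSecurity v3 running behind Nginx through the ModSecurity-nginx connector, started in detection-only mode, with one targeted CRS exclusion and one custom rule. The upstream name, file paths, the `/contact` URL and its `comment` argument are assumptions; the rules themselves are plain SecLang, which is the same language Coraza (below) parses.

```nginx
# Added example (not from the ModSecurity project). Assumptions: the connector is
# built as a dynamic module, /etc/nginx/modsec/main.conf holds the engine settings
# and includes the OWASP Core Rule Set, and /contact has a free-text "comment" field.
load_module modules/ngx_http_modsecurity_module.so;

http {
    upstream backend { server 127.0.0.1:8080; }

    server {
        listen 80;

        modsecurity on;
        # Engine settings (SecRequestBodyAccess, audit log, ...) plus the CRS includes.
        modsecurity_rules_file /etc/nginx/modsec/main.conf;

        location / {
            modsecurity_rules '
              # Start in DetectionOnly: CRS matches are written to the audit log but
              # nothing is blocked. Review the log, add exclusions, then switch to On.
              SecRuleEngine DetectionOnly

              # Targeted exclusion for a known false positive: free text in the
              # "comment" argument on /contact trips CRS rule 942100 (SQL injection
              # detected via libinjection). Remove that single target from that
              # single rule instead of disabling 942100 for the whole site.
              SecRule REQUEST_URI "@beginsWith /contact" "id:10001,phase:1,pass,nolog,ctl:ruleRemoveTargetById=942100;ARGS:comment"

              # A custom rule in the same language: reject an obvious UNION ... SELECT
              # in any argument or cookie, after URL-decoding the value once.
              SecRule ARGS|REQUEST_COOKIES "@rx (?i)union[^a-z]{1,40}select" "id:10002,phase:2,deny,status:403,log,t:urlDecodeUni,msg:custom-union-select-check"
            ';
            proxy_pass http://backend;
        }
    }
}
```

Rule ids 10001 and 10002 are chosen for this example; custom rules must not collide with the CRS id ranges. The exclusion runs in phase 1 so it is already in effect when CRS evaluates 942100 in phase 2. Keep `SecRuleEngine DetectionOnly` until the audit log is quiet for normal traffic, then change it to `On`.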
NAXSI
Type: Open Source
Another popular open-source WAF is NAXSI (Nginx Anti XSS & SQL Injection). NAXSI is a third-party Nginx module that ships with a small set of simple, readable rules which, according to its authors, cover 99% of the patterns involved in known website vulnerabilities. Each rule that matches a request adds a score to one or more categories (for example $SQL or $XSS); when a category's score reaches the threshold configured in a CheckRule, the request is blocked. NAXSI filters only GET, POST and PUT requests, and it is a deny-by-default firewall: anything that scores above a threshold is dropped, so legitimate traffic that trips rules must be explicitly whitelisted. In practice you run it in learning mode first and generate whitelist rules from what it logs.
Pros of NAXSI:
- Low resource consumption.
- Works as an add-on module to popular open-source Nginx solution.
- Works with any type of website or web application.
Cons of NAXSI:
- Core rules cover a small set of injection classes (SQL injection, XSS, RFI, directory traversal and encoding evasion) by scoring characters and keywords; attacks that do not contain those tokens, such as application-logic abuse, are not caught without custom rules.
- No support for complex rules targeting sophisticated attacks.
- Thresholds are hard to set without a learning phase against real traffic.
- No graphical user interface (GUI)
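The scoring and deny-by-default behaviour described above, as an added example that is not taken from the NAXSI project's own documentation: a minimal Nginx configuration that loads the core rules, sets per-category thresholds, whitelists one known false positive, and shows where learning mode fits. The upstream name, the path to `naxsi_core.rules`, the `/contact` URL and its `comment` argument are assumptions.

```nginx
# Added example (not from the NAXSI project). Assumptions: NAXSI is built as a
# dynamic module (drop the load_module line if it was compiled in statically),
# naxsi_core.rules is installed at the path below, the application is reachable as
# the "backend" upstream, and /contact has a free-text "comment" field.
load_module modules/ngx_http_naxsi_module.so;

http {
    # MainRules must be loaded in the http context. Each rule names a match
    # (str: or rx:), the zones it applies to (mz:), and the score it adds to one
    # or more categories (s:). Core rule id:1013, for instance, matches a single
    # quote and adds $SQL:4 and $XSS:8 per match.
    include /etc/nginx/naxsi_core.rules;

    upstream backend { server 127.0.0.1:8080; }

    server {
        listen 80;

        location / {
            SecRulesEnabled;
            # LearningMode;   # uncomment while tuning: requests are scored and
                              # logged but never blocked

            # Blocked requests are internally redirected here.
            DeniedUrl "/RequestDenied";

            # Per-category thresholds. A request is dropped as soon as one of them
            # holds; two single quotes in one request already reach $SQL 8.
            CheckRule "$SQL >= 8" BLOCK;
            CheckRule "$RFI >= 8" BLOCK;
            CheckRule "$TRAVERSAL >= 4" BLOCK;
            CheckRule "$EVADE >= 4" BLOCK;
            CheckRule "$XSS >= 8" BLOCK;

            # Whitelist. Because the engine is deny-by-default, every legitimate
            # exception has to be spelled out: an apostrophe in the "comment"
            # argument on /contact is normal English ("it's fine"), so rule 1013 is
            # ignored for that one argument on that one URL and nowhere else.
            BasicRule wl:1013 "mz:$URL:/contact|$ARGS_VAR:comment";

            proxy_pass http://backend;
        }

        location /RequestDenied {
            internal;
            return 403;
        }
    }
}
```

The usual workflow is to enable `LearningMode`, drive real traffic through the site, and turn the NAXSI_FMT lines in the Nginx error log into `BasicRule wl:` entries (the project's nxapi/nxtool scripts automate this) before removing `LearningMode`. Without that step the thresholds above are a guess, which is the tuning difficulty listed in the cons.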
Shadow Daemon
Type: Open Source
Shadow Daemon detects, records, and prevents web attacks by filtering malicious parameters out of requests. It runs as a separate daemon that receives request parameters from connectors embedded in the application, and it ships with its own web interface for administration and management. Connectors are available for PHP, Perl and Python applications.
Pros of Shadow Daemon:
- Supports whitelists and blacklists
- Removes only the dangerous part of a malicious request (the flagged parameters), so the rest of the request is still served
- GUI for management
Cons of Shadow Daemon:
- Does not reject a malicious request outright; with only the flagged parameters stripped, the remainder of the request still reaches the application
- Lacks support for sophisticated attacks
WebKnight
Type: Open Source
WebKnight is an application firewall for Microsoft IIS, implemented as an ISAPI filter. It scans every incoming request and filters it according to rules set by the administrator.
Pros of WebKnight:
- Good coverage of attack protection
- GUI for management
Cons of WebKnight:
- Only supports Microsoft IIS web servers
- Lacks community for issue diagnosis and support
OctopusWAF
Type: Open Source
OctopusWAF is an open-source web application firewall written entirely in C on top of libevent. Its event-driven design is built for many concurrent keep-alive connections, which suits high-traffic AJAX applications. The tool is lightweight and is best suited to protecting specific endpoints that need customized rules.
Pros of OctopusWAF:
- Supports complex rules using regular expressions and string-matching algorithms such as DFA and Karp-Rabin
Cons of OctopusWAF:
- Does not terminate TLS or accept certificate uploads
- Limited rules against attacks such as LFI, RFI, RCE, etc.
- No GUI for management
Coraza
Type: Open Source
Coraza is an open-source, high-performance Web Application Firewall written in Go. It implements the ModSecurity SecLang rule language, so existing ModSecurity rules can be reused, and it is fully compatible with the OWASP Core Rule Set. Its modular design supports plugins (for example GeoIP lookups), and it can be embedded as a library in Go applications or deployed through connectors such as the Caddy plugin and the Envoy proxy-wasm filter.
Pros of Coraza:
- Supports the OWASP CRS rule set and the ModSecurity SecLang rule language
Cons of Coraza:
- Ships no rule set of its own: protection depends on loading CRS or writing your own SecLang rules
- Custom rules must be written by hand in SecLang; there is no rule editor or wizard
- No GUI for management