Websites hosted on the Internet are continuously inundated with unwanted traffic from bots (automated programs that trawl the Internet for vulnerable websites), hacktivists, and targeted attack groups. The intent is simple: exploit vulnerabilities to:
- Deface a website
- Steal sensitive information (usernames and passwords, sensitive private information, etc.)
- Compromise the web server and add it to a botnet, from which it is then used to attack other vulnerable websites and networks.
Websites are compromised every day through vulnerabilities in application code or through misconfigurations. One effective layer of defence is a Web Application Firewall (WAF) or Web Application and API Protection (WAAP) solution. Note that a WAF is a compensating control, not a substitute for fixing the underlying vulnerability: it blocks commodity attacks and buys time to patch, but signature-based rules can often be bypassed by a determined attacker.
A WAF / WAAP solution protects websites and APIs by inspecting and filtering HTTP traffic between clients on the Internet and the web servers. It can block attacks such as SQL Injection, Local and Remote File Inclusion, Cross-Site Scripting, and Remote Code Execution before they reach the application.
Many commercial WAF / WAAP products exist, but over the years a number of open-source and freemium WAFs have also emerged to help website owners secure their applications. Below are some of the top open-source and freemium options.
List of Top free WAF (Web Application Firewall)
Haltdos WAF CE
- Freemium
- Download
Haltdos WAF CE is the free edition of the Haltdos WAF, a WAF and WAAP solution for protecting web applications and APIs. Unlike most other WAFs in this list, it uses its own HTTP request processing engine, designed for throughput, complex rule construction, and mitigation of sophisticated attacks. Mitigation actions include CAPTCHA challenges, rate limiting, anomaly detection, redirection, request termination, and connection termination.
Pros of Haltdos WAF CE:
- Protection against OWASP Top 10 attacks such as SQL Injection, XSS, RFI, LFI, and RCE
- 1000+ built-in rules with daily threat intelligence updates from Haltdos
- GUI-managed
- Anti-bot and API security support
- Built-in load balancing and server monitoring
- Straightforward false-positive management
- Good documentation
Cons of Haltdos WAF CE:
WebKnight
- OpenSource
- Download
WebKnight is an application firewall for Microsoft IIS, implemented as an ISAPI filter. It scans every incoming request and filters it according to rules set by the administrator.
Pros of WebKnight:
- Good coverage of common web attacks
- GUI for management
Cons of WebKnight:
- Only supports Microsoft IIS web servers
- Small community, so little help with issue diagnosis and support
OctopusWAF
- OpenSource
- Download
OctopusWAF is an open-source web application firewall written entirely in C. It uses libevent to handle many concurrent (keep-alive) connections in an event-driven loop, which suits high-throughput AJAX applications. The tool is lightweight and can be deployed flexibly, which makes it well suited to protecting specific endpoints that need customized rules.
Pros of OctopusWAF:
- Supports complex rules using regular expressions and string-matching algorithms such as DFA and Karp-Rabin
Cons of OctopusWAF:
- Does not terminate TLS (no certificate upload), so it must sit behind a TLS-terminating proxy
- Limited rules against attacks such as LFI, RFI, and RCE
- No GUI for management
Coraza
- OpenSource
- Download
Coraza is an open-source, high-performance Web Application Firewall (WAF) written in Go. It supports the ModSecurity SecLang rule language and is fully compatible with the OWASP Core Rule Set (CRS). It is an engine rather than a standalone proxy: it is embedded into a server or proxy through connectors (for example for Caddy, or as a proxy-wasm filter for Envoy). Its modular design supports plugins, for example for GeoIP lookups.
Pros of Coraza:
- Supports the OWASP CRS rule set, and any other SecLang rule set
Cons of Coraza:
- Custom rules and tuning of CRS rules are done in SecLang text files; there is no GUI or built-in rule editor
- Ships no rules of its own, so an external rule set such as the OWASP CRS must be installed and tuned
- Higher latency and memory use when a large number of rules is configured
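As an added illustration of what SecLang support means in practice (this is example configuration written for this article, not taken from the Coraza project or the OWASP CRS), the following minimal rule file enables the engine, loads the CRS, adds one custom blocking rule, and adds one targeted false-positive exclusion. The file paths, the local rule IDs 10001 and 10002, the 10.0.0.0/8 internal range, and the /admin and /api/posts endpoints with their body parameter are assumptions; CRS rule 942100 is the real libinjection SQL Injection rule.

```apache
# Added example: a minimal SecLang rule file for Coraza.
# Not taken from the Coraza project or the OWASP CRS; paths, rule IDs,
# IP ranges and application endpoints below are assumptions for illustration.

SecRuleEngine On                  # use DetectionOnly while tuning: logs but never blocks
SecRequestBodyAccess On           # required to inspect POST bodies (ARGS_POST)
SecResponseBodyAccess Off

SecAuditEngine RelevantOnly       # write an audit record only for transactions that matched a rule
SecAuditLogParts ABIJDEFHZ
SecAuditLog /var/log/coraza/audit.log   # assumed path

# The CRS runs in anomaly-scoring mode: individual rules only add to a score and
# CRS rule 949110 denies once the threshold is exceeded, so the default action is "pass".
SecDefaultAction "phase:1,log,auditlog,pass"
SecDefaultAction "phase:2,log,auditlog,pass"

# Load the OWASP Core Rule Set (assumed install location).
Include /etc/coraza/crs-setup.conf
Include /etc/coraza/rules/*.conf

# Custom rule, ID in the 1-99999 range that the ModSecurity ID convention reserves
# for local rules: deny /admin unless the client is in the (assumed) internal range.
# A chain matches only when every rule in it matches; the actions on the first
# rule are then applied. Behind a reverse proxy REMOTE_ADDR is the proxy's address,
# so this check only works where Coraza sees the real client IP.
SecRule REQUEST_URI "@beginsWith /admin" \
    "id:10001,phase:1,deny,status:403,log,msg:'Admin path accessed from outside the internal network',chain"
    SecRule REMOTE_ADDR "!@ipMatch 10.0.0.0/8"

# False-positive tuning: the body of a blog post legitimately contains SQL-looking text,
# so exclude only that one parameter from CRS rule 942100 instead of disabling the rule
# globally. The exclusion runs in phase 1, before the phase-2 CRS rule it modifies.
SecRule REQUEST_URI "@beginsWith /api/posts" \
    "id:10002,phase:1,pass,nolog,ctl:ruleRemoveTargetById=942100;ARGS:body"
```

Start with `SecRuleEngine DetectionOnly` and review the audit log for a few days of real traffic before switching to `On`; each false positive should be handled with a narrow `ctl:ruleRemoveTargetById` exclusion like the one above rather than a blanket `SecRuleRemoveById`, so the rule keeps protecting every other parameter and path.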