Website Protection: An Evaluation of the Web Application Firewall
DOI: https://doi.org/10.56294/dm2025190
Keywords: WAF, OWASP, Firewall, Security, Web applications, Cybersecurity
Abstract
Introduction: In recent years, a significant increase in attacks targeting web applications has been observed. These attacks compromise application integrity, disrupt services, and have devastating consequences in terms of data loss, reputational damage, and financial cost. Objective: The objective was to evaluate the effectiveness of the Web Application Firewall (WAF), using the OWASP methodology, in detecting and neutralizing attacks on the Universidad Técnica del Norte’s web server. Results: The main types of attacks detected by the WAF were categorized, the attacks most frequently blocked by the firewall were analyzed, and an additional layer of security was implemented on the web server. Conclusions: It was concluded that the WAF detects suspicious or potentially malicious activity in web traffic but does not identify all cyber threats. In addition, the WAF report, broken down by month with the number of frequent attack events identified as malicious, is a crucial tool for the web administrator.
License
Copyright (c) 2025 Gabriela Elizabeth Cárdenas Rosero, Cathy Pamela Guevara Vega, Pablo Landeta-López (Author)

This work is licensed under a Creative Commons Attribution 4.0 International License.
The article is distributed under the Creative Commons Attribution 4.0 License. Unless otherwise stated, associated published material is distributed under the same licence.