WAF Phase

The Web Application Firewall (WAF) phase analyses requests for potential security threats against the OWASP ModSecurity Core Rule Set.

This phase does not have direct actions. Its behavior is controlled by the vconf.set action in the URL Config phase. For example, you can set the modsecurity_mode to enforce to block requests that trigger WAF rules, or warn to log them.

Fields

The WAF phase provides access to the following fields:

Example

While the WAF phase itself doesn't have actions, you can use its output in later phases. For example, in the rate_limit_request_late phase, you can rate limit clients who trigger WAF rules.

The filter matches requests where the WAF has detected an exposed password:

peakhour.waf.exposed_password

This condition can then be used in a subsequent phase to challenge or block the user.

Use Cases

  1. Block SQL injection attempts.
  2. Prevent cross-site scripting (XSS) attacks.
  3. Protect against remote file inclusion (RFI) vulnerabilities.
  4. Use WAF output to inform rate limiting or other security decisions in later phases.
  5. Log suspicious requests for further analysis.