EPISODE · Jun 7, 2026 · 1H 1M
WAF: Wrong Approach Firewall (gpn24)
from Chaos Computer Club - recent events feed · host slink
Web Application Firewalls (WAFs) for filtering based on HTTP and payload are omnipresent. In this talk an argument will be made that, in many cases, the wrong approach for implementing WAFs is chosen: they are implemented as "deny firewalls" which specifically forbid "bad" traffic based on pattern rules, while for network security (layers 3/4) professionals would only ever follow an "allow firewall" approach, which explicitly lets "good" traffic pass and denies everything else. "Deny WAFs" are often marketed as simple, easy-to-use, out-of-the-box solutions, but, by design, they can only prevent known exploits. Practical aspects also limit their potential, since rulesets that break functionality have to be disabled. While the "allow WAF" approach presented here implies more effort, its main advantage is protection against new attack vectors ("zero days"), and it comes with a lot of side benefits, such as improved performance and resilience through caching.

Concepts will be introduced:
* HTTP Basics
* Signed URLs / signed requests
* Regular Expressions
* HTTP Caching

Practical examples with Vinyl Cache will be presented:
* Rules based on HTTP method and URL
* Header filtering
* Regular Expressions on body data

Licensed to the public under https://creativecommons.org/licenses/by/4.0/
About this event: https://cfp.gulas.ch/gpn24/talk/9TSLFQ/
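To make the "allow WAF" idea concrete, here is an added example in plain Python (not from the talk and not Vinyl Cache configuration): a request filter that only passes traffic matching explicit method/URL rules, a header allow-list and a body regular expression, and that accepts a download path only when its HMAC signature (a signed URL) verifies. The paths, header set, body shape and the demo key are constructed for illustration.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlsplit

# Constructed demo key; a real deployment loads this from a secret store.
SECRET = b"constructed-demo-key"

# Allow rules: (method, path pattern, max body bytes, body pattern or None).
# Anything that matches no rule is denied, which is the "allow firewall" stance.
ALLOW_RULES = [
    ("GET", re.compile(r"/"), 0, None),
    ("GET", re.compile(r"/articles/[0-9]{1,8}"), 0, None),
    ("POST", re.compile(r"/api/comments"), 4096,
     re.compile(rb'\{"text":"[A-Za-z0-9 .,!?]{1,1000}"\}')),
]
# Request headers the application actually needs; every other header is rejected.
ALLOWED_HEADERS = {"host", "user-agent", "accept", "content-type",
                   "content-length", "cookie"}

def sign_path(path: str) -> str:
    """Build a signed URL: the path plus an HMAC-SHA256 tag computed over it."""
    tag = hmac.new(SECRET, path.encode(), hashlib.sha256).hexdigest()
    return f"{path}?sig={tag}"

def decide(method: str, url: str, headers: dict, body: bytes = b""):
    """Return (allowed, reason). Only explicitly allowed traffic passes."""
    parts = urlsplit(url)
    # Signed URLs: the signature, not a pattern, proves the request is legitimate.
    if parts.path.startswith("/downloads/"):
        sig = parse_qs(parts.query).get("sig", [""])[0]
        expected = hmac.new(SECRET, parts.path.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return False, "bad or missing signature"
        return True, "valid signed URL"
    if parts.query:
        return False, "query strings are not allow-listed for this path"
    unknown = {h.lower() for h in headers} - ALLOWED_HEADERS
    if unknown:
        return False, f"unexpected headers: {sorted(unknown)}"
    for rule_method, path_re, max_body, body_re in ALLOW_RULES:
        if method == rule_method and path_re.fullmatch(parts.path):
            if len(body) > max_body:
                return False, "body larger than the rule allows"
            if body_re is not None and not body_re.fullmatch(body):
                return False, "body does not match the expected shape"
            return True, "matched allow rule"
    return False, "no allow rule matched"
```

Note that the signed-URL branch covers the tag over the path only; if query parameters carry meaning, they must be included in the signed data too.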