Web application firewalls (WAFs) serve as a crucial layer of defense against cyber threats, protecting applications from attacks such as SQL injection, cross-site scripting (XSS), and other malicious exploits. However, an important question arises when evaluating their effectiveness: Does your WAF inspect the entire HTTP request, including the whole request body?

The Importance of HTTP Request Body Inspection

Many modern cyberattacks target the HTTP request body, particularly in POST requests where user input is transmitted to the server. This means that effective threat detection requires thorough inspection of request bodies to identify malicious payloads. If a WAF only inspects headers or has limitations on request body inspection, attackers can bypass security measures by padding the request body and embedding threats beyond a WAF’s inspection limits.

Limitations in WAF Request Body Inspection

Most WAFs impose restrictions on the request body size they inspect and the content types they parse. These limitations can create security gaps, as attackers can craft payloads that exceed these constraints, effectively evading detection.

A review of popular WAF solutions reveals significant differences in their request body inspection capabilities. WAFs from the major cloud providers (AWS, Google Cloud, Microsoft Azure) and CDN providers (Akamai, Cloudflare, etc.) are mostly limited to the first 128 KB of the request body. That means an attacker only needs to pad the request body so that the malicious payload sits beyond the first 128 KB to bypass the WAF’s inspection capabilities.

In contrast, Fortra Managed WAF supports unlimited request body size. That means an attacker cannot bypass the Fortra Managed WAF’s inspection, no matter the payload size.

Why Streaming Inspection Matters

Most WAFs buffer request bodies for inspection, meaning they process the data only after receiving it in full. This can be problematic for large requests, leading to performance bottlenecks and potential security blind spots.

Fortra Managed WAF stands out as an exception, offering both buffering inspection and streaming inspection of HTTP request bodies. For most web pages, Fortra Managed WAF can operate in buffering inspection mode.

But for web pages where large uploads are expected, Fortra Managed WAF supports streaming inspection to analyze data in real time, regardless of size or content type, without requiring buffering. As a result, attacks hidden within large or segmented payloads are more effectively detected and mitigated.

Choosing a WAF with Comprehensive Inspection

When selecting a WAF for your application, consider the following:

  • Request body size limitations: Ensure the WAF inspects a sufficiently large portion of the request body
  • Supported content types: The WAF should be able to parse common content types such as JSON, XML, and multipart/form-data
  • Inspection method: Streaming inspection offers better real-time threat detection compared to buffered inspection
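To make the inspection-limit and streaming distinction above concrete, the following is an added Python model, not Fortra's or any other vendor's code, that contrasts a buffering WAF capped at 128 KB, the same cap configured to fail closed on oversized bodies, and a streaming inspector that scans chunks as they arrive with a small overlap. The signature set, chunk size and sample JSON body are constructed for illustration only.

```python
import re

INSPECT_LIMIT = 128 * 1024  # the 128 KB cap the post attributes to cloud and CDN WAFs

# Constructed, deliberately tiny signature set standing in for a real WAF rule set.
SIGNATURES = re.compile(rb"(?i)<script\b|union\s{1,8}select")
MAX_SIG_LEN = 19  # longest byte sequence either signature can match

def buffered_truncating_inspect(body: bytes, limit: int = INSPECT_LIMIT) -> bool:
    """Model of a buffering WAF that scans only the first `limit` bytes.
    Returns True when the request would be blocked."""
    return SIGNATURES.search(body[:limit]) is not None

def buffered_fail_closed_inspect(body: bytes, limit: int = INSPECT_LIMIT) -> bool:
    """Same cap, but a body larger than what can be inspected is blocked outright,
    the safe setting for endpoints that never legitimately receive large bodies."""
    return len(body) > limit or SIGNATURES.search(body) is not None

def streaming_inspect(chunks, overlap: int = MAX_SIG_LEN - 1) -> bool:
    """Model of streaming inspection: scan each chunk as it arrives, carrying the
    last `overlap` bytes forward so a signature split across a chunk boundary still
    matches. Nothing is buffered whole and no size cap applies, so padding cannot
    push a payload out of view."""
    tail = b""
    for chunk in chunks:
        window = tail + chunk
        if SIGNATURES.search(window):
            return True
        tail = window[-overlap:] if overlap else b""
    return False

def in_chunks(body: bytes, size: int = 8 * 1024):
    """Yield the body the way a proxy receives it from the network."""
    for i in range(0, len(body), size):
        yield body[i:i + size]

def padded_json_body(pad_len: int) -> bytes:
    """Constructed sample POST body: a harmless field of `pad_len` filler bytes
    followed by a field carrying a test marker that matches SIGNATURES."""
    return b'{"comment": "' + b"A" * pad_len + b'", "bio": "<script>test</script>"}'

if __name__ == "__main__":
    body = padded_json_body(INSPECT_LIMIT)  # marker sits past the 128 KB mark
    print("truncating buffered WAF blocks:", buffered_truncating_inspect(body))  # False
    print("fail-closed buffered WAF blocks:", buffered_fail_closed_inspect(body))  # True
    print("streaming WAF blocks:", streaming_inspect(in_chunks(body)))  # True
```

The overlap must be at least one byte shorter than the longest possible signature match, otherwise a marker straddling two chunks slips through even without any size cap.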

While WAFs are essential for web application security, their effectiveness depends on their ability to inspect the full HTTP request body. Many widely used WAF solutions impose limitations that can be exploited by attackers. To ensure comprehensive protection, organizations should evaluate their WAF’s capabilities and consider solutions like Fortra Managed WAF, which offers unlimited, streaming request body inspection. By doing so, businesses can fortify their applications against evolving cyber threats and minimize security risks.

Additional Resources:

Video: Are You Mismanaging Your WAF?

Managed WAF | Alert Logic Case Study

About the Author
Samuel Lam
Samuel Lam is a Principal Implementation Engineer at Fortra's Alert Logic. He has been with the organization since 2014 and has architected/deployed thousands of WAFs just about everywhere, including AWS, Microsoft Azure, Google Cloud, VMWare, and a few basements that are too secret for him to visit.
