What is a WAF?
What is WAF?
A Web Application Firewall (WAF) is one of the family of network application security devices developed to protect web sites, web applications and services running on the web against attacks that classical firewalls and IDS/IPS devices cannot stop; it is designed specifically to protect web applications.
A WAF is designed to protect web applications and servers from web-based attacks that an IPS cannot prevent.
While an IPS is a defence system focused on catching anomalies by examining the packets passing over the network, a WAF is a system that prevents attacks by examining session traffic at the HTTP protocol level.
What is WAF False-Positive?
A False-Positive is the case where a valid request that should be forwarded to the server is instead blocked by the WAF. In WAF technologies it is very important to handle this properly: accurately letting valid requests through is a crucial aspect.
What is OWASP?
It is an abbreviation of the Open Web Application Security Project. OWASP is a community established to fight the problems caused by insecure software. All OWASP tools, documents, lists and sections are freely available to every software security professional and enthusiast.
OWASP Security Models
Positive Security Models
- It is a new-generation security model, developed in recent years, whose popularity is increasing day by day.
- It works by denying everything and allowing only those requests that are explicitly known to be safe.
- High performance.
- It can cause more False-Positives, since it blocks everything about an application until you explicitly specify what to allow.
- Due to the nature of the approach, Zero-Day attacks are automatically blocked.
- It works with a scoring system and is very suitable for artificial intelligence (AI)-based work.
- False-Positives are easier to identify and tune out.
Negative Security Models
- Its performance is very low, as it needs a very large signature database and must search every request against it.
- The signature database has to be refreshed every day.
- Extremely ineffective against Zero-Day attacks.
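As an added example (not code from the original page), the following Python sketch contrasts the two models described above and illustrates the WAF False-Positive case defined earlier: a signature-based negative model and an allowlist-based positive model are run over the same requests. The signature list, the allowlist schema for a hypothetical /search endpoint and the sample requests are all constructed for illustration.

```python
import re

# Negative model: block a request if any parameter matches a known-attack
# signature. This is a tiny constructed list, not a real WAF ruleset.
SIGNATURES = [re.compile(r"<script", re.I), re.compile(r"union\s+select", re.I)]

# Positive model: allow only requests whose path and parameters match what the
# application is known to accept. Constructed schema for a hypothetical app.
ALLOWLIST = {"/search": {"q": re.compile(r"[\w .-]{1,64}")}}


def negative_model(path, params):
    """Signature model: everything passes unless a signature matches."""
    if any(sig.search(v) for v in params.values() for sig in SIGNATURES):
        return "block"
    return "allow"


def positive_model(path, params):
    """Allowlist model: everything is blocked unless explicitly permitted."""
    schema = ALLOWLIST.get(path)
    if schema is None:
        return "block"
    ok = all(name in schema and schema[name].fullmatch(value)
             for name, value in params.items())
    return "allow" if ok else "block"


# Constructed sample traffic: (label, path, params, legitimate?)
REQUESTS = [
    ("normal search", "/search", {"q": "waf tutorial"}, True),
    ("new endpoint not yet allowlisted", "/export", {"format": "csv"}, True),
    ("search text that looks like a signature", "/search", {"q": "strip <script tags"}, True),
    ("request matching a known signature", "/search", {"q": "<script>"}, False),
    ("unknown attack with no signature", "/search", {"q": "{{CONSTRUCTED-UNKNOWN-PAYLOAD}}"}, False),
]


def verdicts(requests=REQUESTS):
    """Map each request label to (negative verdict, positive verdict)."""
    return {label: (negative_model(p, q), positive_model(p, q)) for label, p, q, _ in requests}


def false_positives(model, requests=REQUESTS):
    """Legitimate requests that the given model wrongly blocks."""
    return [label for label, p, q, legit in requests if legit and model(p, q) == "block"]


def missed_attacks(model, requests=REQUESTS):
    """Attacks that the given model lets through."""
    return [label for label, p, q, legit in requests if not legit and model(p, q) == "allow"]
```

Running the three reporting functions shows the trade-off the lists above describe: the positive model blocks the unknown payload but produces more False-Positives until the allowlist is completed, while the negative model lets the unsigned payload through.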
What are OWASP Attack Types?
Descriptions of the best-known OWASP attack types today are listed below.
Cross Site Scripting (XSS)
It is a type of vulnerability that allows an attacker to change the source code of a web page. Attackers often want to run JavaScript in web applications because JavaScript lets them control almost everything in the browser.
Cross Site Request Forgery (CSRF)
In general terms, Cross Site Request Forgery takes advantage of a vulnerability in the site to make it act on requests as if they came from a legitimate user. It usually lets attackers exploit GET requests and session operations that are not checked correctly.
SQL Injection (SQLi)
Most websites use a database to keep their pages dynamic. Most current database software (MySQL, MSSQL, SQLite, Oracle SQL) uses a common language called SQL (Structured Query Language). SQL Injection is obtaining information other than what was intended by interfering with the purpose of the SQL query. In other words, SQL Injection can be used to obtain information that is not publicly available in the database, such as member information or administrator passwords. Even the databases of large internet sites such as Yahoo! have been stolen using SQL Injection.
Brute Force
Brute-Force is a type of internet attack on computer systems that is carried out by successively uploading or sending data in order to disable a system or discover a password.
Command Injection
A Command Injection attack aims to have arbitrary commands chosen by the attacker executed on the operating system where the software is installed. It becomes possible when the application passes untrusted data (forms, cookies, HTTP headers, etc.) to the system shell.
Database Backdoors
Database Backdoors refers to any method by which authorized or unauthorized users can bypass normal security measures and gain top-level user access (also known as root access) on a computer system, network or software application. A common example of malicious use is cybercriminals stealing personal and financial data after breaking in.
xPath Injection
XPath (XML Path Language) is a specialised query language used for selecting nodes and performing operations on XML documents. Just as SQL lets you operate on databases, XPath lets you query XML documents in a similar way, but with more limited possibilities (for example, direct updates cannot be made with XPath). If an XML file is used for authentication on a website (such as an XML-based user file), an attacker can use XPath injection to elevate privileges on the website.
Log Spoofing
Log Spoofing refers to techniques used to steal a user's password. The user is presented with an ordinary-looking login prompt for username and password, which is usually a malicious program (a Trojan horse) under the attacker's control. When the username and password are entered, this information is logged or otherwise transmitted to the attacker, violating security.