The attack prevention feature of web application firewall stands between the client and origin servers. If the web application firewall finds a malicious payload, it will reject the request, performing any one of the built-in actions. This section provides some basic information about how web application firewall works and how some rules are used for preventing attacks. For information about managing and configuring web application firewall, see Section 11.7, "Managing Web Application Firewalls."
Some of the features of web application firewall are audit logging, access to any part of the request (including the body) and the response, a flexible rule engine, file-upload interception, real-time validation and buffer-overflow protection.
Web application firewall's functionality is divided into four main areas:
Parsing: Parsers extract bits of each request and/or response, which are stored for use in the rules.
Buffering: In a typical installation, both request and response bodies are buffered so that the module generally sees complete requests (before they are passed to the application for processing), and complete responses (before they are sent to clients). Buffering is the best option for providing reliable blocking.
Logging: Logging is useful for recording complete HTTP traffic, allowing you to log all response/request headers and bodies.
Rule engine: Rule engines work on the information from other components, to evaluate the transaction and take action, as required.