
Best Open source Web Application Firewalls.

Tuesday, October 11, 2011 Sensei Fedon

A web application firewall (WAF) is an appliance, server plugin, or a software filter that applies a set of rules to an HTTP conversation. It typically acts as a countermeasure over common attacks such as Cross-site Scripting (XSS), Cross Site Request Forgery (CSRF) and SQL Injection. OWASP suggests the following selection criteria for a web application firewall:

 

Important Selection Criteria for a web application firewall:

  • Protection Against OWASP Top Ten!
  • Very Few False Positives (i.e., should NEVER disallow an authorized request)
  • Strength of Default (Out of the Box) Defenses
  • Power and Ease of Learn Mode
  • Types of Vulnerabilities it can prevent.
  • Detects disclosure and unauthorized content in outbound reply messages, such as credit-card and Social Security numbers.
  • Both Positive and Negative Security model support.
  • Simplified and Intuitive User Interface.
  • Cluster mode support.
  • High Performance (milliseconds latency).
  • Complete Alerting, Forensics, Reporting capabilities.
  • Web Services/XML support.
  • Brute Force protection.
  • Ability to run in Active (block and log), Passive (log only) and bypass modes for the web traffic.
  • Ability to keep individual users constrained to exactly what they have seen in the current session
  • Ability to be configured to prevent ANY specific problem (i.e., Emergency Patches)
  • Form Factor: Software vs. Hardware (Hardware generally preferred)

1. Naxsi: Naxsi is an open source, high performance, low rules maintenance Web Application Firewall module for Nginx, the well-known web server and reverse proxy. Recently, it was added to the OWASP projects list too!
Its goal is to help people secure their web applications against attacks like SQL Injection, Cross Site Scripting, Cross Site Request Forgery, and Local & Remote File Inclusion. The difference between Naxsi and most web application firewalls out there is that it does not rely upon signatures to detect and block attacks. It uses a simpler model where, instead of trying to detect “known” attacks, it detects unexpected characters in the HTTP requests/arguments. Each kind of unusual character increases the score of the request. If the request reaches a score considered “too high”, the request is denied and the user is redirected to a “forbidden” page. Yes, it works somewhat like a spam system. It does so by working in a learning mode (“white listing model”). Set the module in learning mode, crawl your site, and it will generate the necessary white lists to avoid false positives! Naxsi doesn’t rely upon pre-defined signatures, so it should be able to defeat complex/unknown/obfuscated attack patterns.
Download Naxsi 0.4-alpha  nginx_1.0.8-naxsi_0.4_amd64.deb http://code.google.com/p/naxsi/downloads/list
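
The scoring and learning-mode behaviour described for Naxsi above, as a simplified Python model added here (not Naxsi's code or rule set; the rule ids, scores, threshold and sample requests are constructed for illustration):

```python
# Simplified model of score-based request filtering with a learning mode.
# Rules, scores and threshold are constructed for illustration; they are
# not Naxsi's actual core rules.

# rule id -> (unexpected character sequence, score added per occurrence)
RULES = {1: ("'", 4), 2: ('"', 4), 3: ("(", 2), 4: (")", 2),
         5: ("<", 4), 6: (">", 4), 7: ("--", 4), 8: (";", 2)}
BLOCK_THRESHOLD = 8   # a request scoring this much or more is denied


def hits(args):
    """Yield (rule_id, arg_name, occurrences) for every rule that matches."""
    for name, value in args.items():
        for rule_id, (needle, _) in RULES.items():
            n = value.count(needle)
            if n:
                yield rule_id, name, n


def score(args, whitelist=frozenset()):
    """Sum rule scores, skipping (rule_id, arg_name) pairs on the whitelist."""
    return sum(RULES[r][1] * n for r, name, n in hits(args)
               if (r, name) not in whitelist)


def decide(args, whitelist=frozenset()):
    """Deny the request once its score reaches the threshold."""
    return "BLOCK" if score(args, whitelist) >= BLOCK_THRESHOLD else "PASS"


def learn(crawl):
    """Learning mode: whitelist every (rule, argument) seen in trusted traffic."""
    return frozenset((r, name) for args in crawl for r, name, _ in hits(args))


# Constructed sample traffic: a trusted crawl and one suspicious request.
CRAWL = [{"q": "O'Reilly (2nd ed.)"}, {"q": "firewalls", "page": "2"}]
SUSPECT = {"id": "1' OR '1'='1", "page": "2"}

if __name__ == "__main__":
    wl = learn(CRAWL)
    print("whitelist:", sorted(wl))
    for req in CRAWL + [SUSPECT]:
        print(req, "before:", decide(req), "after:", decide(req, wl))
```

In this model a whitelist entry switches a rule off for that argument entirely, so learn only from traffic you trust and review the generated entries before leaving learning mode.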
2. Vulture WebSSO: This is not a WAF in totality, but much more! It is a reverse proxy with Web-SSO and application firewall features.
Vulture is based on Apache2, mod_perl and mod_security. Vulture sits between web applications and the Internet to provide unified security and authentication. It authenticates users with numerous supported methods: LDAP, SQL, text file, RADIUS server, digital certificates. It supports a modular design for adding new authentication methods, filtering and rewriting content, load balancing and an application firewall based on the awesome ModSecurity.
Download Vulture WebSSO v2.0  vulture_2.0_i386.deb/vulture_2.0_amd64.deb http://code.google.com/p/vulture/downloads/list
3. Guardian@JUMPERZ.NET: Guardian@JUMPERZ.NET is an open source application layer firewall for HTTP/HTTPS. It works as a reverse proxy server. It analyzes all HTTP/HTTPS traffic against rule-based signatures and protects web servers and web applications from attack. When unauthorized activity is detected, Guardian@JUMPERZ.NET can disconnect the TCP connection before the malicious request reaches the web server.
It can also monitor HTTP responses from the web server to detect web page defacements, information leakage, etc. It is not a module or a plugin, but a standalone network application, so it does not depend on the type of web server. Even if the web server itself has a security hole, Guardian@JUMPERZ.NET can protect against it. And it can be applied flexibly to any type of network.
Download Guardian@JUMPERZ.NET v083 jumperz_net_083.jar http://guardian.jumperz.net/index.html?i=003
4. IronBee: IronBee is a new open source project, owned by Qualys, to build a universal web application security sensor, with a desire not only to build the code and the rules, but also to focus on building a community around the project. It aims to be a flexible framework that will be used as a foundational building block by all those concerned with application security monitoring. We covered this one in our old post that can be found here: http://www.pentestit.com/ironbee-open-source-generation-waf/
Check out IronBee - https://github.com/ironbee/ironbee/
5. WebCastellum: WebCastellum is a Java-based Open Source WAF (Web Application Firewall) to include inside a web application in order to protect it against attacks like SQL Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Parameter Manipulation and many more.
Unlike traditional Web application firewalls, WebCastellum is based on a completely new technology and is firmly connected to the individual application. It uses your existing source code or bytecode of a Java EE application and protects it. We covered this one in an old post that can be found here: http://www.pentestit.com/webcastellum-open-source-waf/
Download WebCastellum v1.8.3  WebCastellum-1.8.3.zip http://sourceforge.net/projects/webcastellum/files/
6. ModSecurity: Well, actually this tool does not need an introduction. ModSecurity is a web application firewall that can work either embedded or as a reverse proxy. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis. ModSecurity makes full HTTP transaction logging possible, allowing complete requests and responses to be logged. Its logging facilities also allow fine-grained decisions to be made about exactly what is logged and when, ensuring only the relevant data is recorded.
ModSecurity can monitor the HTTP traffic in real time in order to detect attacks, operating as a web intrusion detection tool and allowing you to react to suspicious events that take place on your web systems. It can also act immediately to prevent attacks from reaching your web applications. ModSecurity is an embeddable web application firewall, which means it can be deployed as part of your existing web server infrastructure provided your web servers are Apache-based.
Download ModSecurity v2.6.2 modsecurity-apache_2.6.2.tar.gz http://www.modsecurity.org/download/
7. OWASP ESAPI WAF: The ESAPI Web Application Firewall, or the OWASP Enterprise Security API is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. The ESAPI libraries also serve as a solid foundation for new development. It has been programmed by Aspect Security and it is designed to provide protection at the application layer instead of network layer. Some of the unique features of the solution include outbound filtering features which reduce information leakage. It is configuration driven and not code based, and it enables easy installation by just adding configuration details in the text file.
This project's source code is licensed under the BSD license, which is very permissive and about as close to public domain as is possible. The project documentation is licensed under the Creative Commons license. You can use or modify ESAPI however you want, even include it in commercial products. OWASP ESAPI WAF is currently available for many languages including Java, .NET, Classic ASP, PHP, ColdFusion & CFML, Python and JavaScript.
8. OpenWAF: openWAF is the first open source distributed web application firewall (dWAF) for Apache web server. The openWAF project was launched in February, 2011 by art of defence. art of defence develops and offers openWAF as an open source solution, providing the best of both worlds by infusing the project with the substantial resources of a commercial enterprise while upholding the values of the open source security community.
openWAF uses a client/server model. The Apache 2 enforcer module acts as a client which sends all requests to the decider server, so you can offload the resource-heavy tasks to remote machines if you wish. The configuration for the deciders is pushed by the admin master, which controls all decider and enforcer instances in the cloud. So you have a great central control center for your dWAF.
Download openWAF 4.0 binaries – http://openwaf.org/downloads.html
9. AQTRONIX WebKnight: AQTRONIX WebKnight is an application firewall for IIS and other web servers and is released under the GNU General Public License. More particularly, it is an ISAPI filter that secures your web server by blocking certain requests. If an alert is triggered, WebKnight will take over and protect the web server. It does this by scanning all requests and processing them based on filter rules set by the administrator. These rules are not based on a database of attack signatures that require regular updates. Instead, WebKnight uses security filters for buffer overflow, SQL injection, directory traversal, character encoding and other attacks. This way WebKnight can protect your server against all known and unknown attacks. Because WebKnight is an ISAPI filter, it has the advantage of working closely with the web server; this way it can do more than other firewalls and intrusion detection systems, like scanning encrypted traffic.
Download AQTRONIX WebKnight 2.0  http://www.aqtronix.com/?PageID=99#Download
That is all we can list as of now. Again, this list is not arranged in any order of precedence. We added these WAFs as we thought appropriate.
