WAF features
This document details the core features and configurations available within the STACKIT Web Application Firewall (WAF).
Feature overview & availability
The following table outlines which STACKIT WAF features are currently available through each interface and which are still work in progress (WIP):
| Feature | API | SDK | Terraform/OpenTofu | Portal |
|---|---|---|---|---|
| Operating modes | Available | Available | WIP | Available |
| Tiered offerings | Available | Available | WIP | WIP |
| Paranoia levels | Available | Available | WIP | WIP |
| Traffic allow-listing (whitelisting) | Available | Available | WIP | WIP |
| Hierarchical rule management | Available | Available | WIP | WIP |
| Managed rule sets | Available | Available | WIP | WIP |
| Custom rules | WIP | WIP | WIP | WIP |
Base config
To use the STACKIT WAF you need a STACKIT Content Delivery Network (CDN) distribution as a base. The WAF is tightly bundled with the CDN because it also runs at the edge, so it is highly recommended to make use of the STACKIT CDN features alongside it.
Before you can configure WAF properties, you must enable the WAF by setting the mode to ENABLED or LOG_ONLY.
If the WAF is not enabled, most properties are not populated.
Operating mode
The operating mode determines how the WAF handles incoming traffic.
| Mode | Description |
|---|---|
| ENABLED | The WAF actively inspects and blocks malicious requests. |
| LOG_ONLY | The WAF inspects requests and logs matches, but never blocks traffic. |
| DISABLED | The WAF is completely off. No inspection occurs. |
Tier types
You can enable the Web Application Firewall (WAF) as an additional service within your CDN distribution. For detailed pricing information, see Billing and costs.
- BASIC: Provides standard WAF features and basic rule sets.
- PREMIUM: Unlocks additional premium-only rules and the ability to create custom rules (custom rules are planned for future release).
Paranoia level
The paranoia level defines how aggressively the WAF inspects requests. Higher levels catch more attacks but increase the chance of blocking legitimate traffic (false positives).
Available levels, from least strict to most strict:
- L1 (lowest chance of false positives)
- L2
- L3
- L4 (highest chance of false positives)
Whitelists
Whitelists restrict which requests the distribution accepts. The WAF blocks non-whitelisted requests before they reach the origin.
- Allowed HTTP methods: Restricts the accepted HTTP methods (e.g., `GET`, `POST`, `PUT`).
- Allowed HTTP versions: Restricts the accepted HTTP protocol versions.
- Allowed request content types: Restricts the accepted `Content-Type` headers of request bodies (e.g., `application/json`, `multipart/form-data`). Values must be written as `type/subtype` without spaces.
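The following is an added example, not STACKIT code: a local dry run of an allow-list against sample traffic before the WAF mode is switched to ENABLED. The attribute names (`allowed_methods`, `allowed_http_versions`, `allowed_content_types`), the `HTTP/1.1` spelling of protocol versions, and the decision to ignore `Content-Type` parameters such as `charset` and to apply the content-type check only to requests with a body are all assumptions; the page only states the three lists and the `type/subtype` format. The sample requests are constructed.

```python
import re
from dataclasses import dataclass, field

# Media types in the allow-list must be written as type/subtype with no spaces
# (as the page states). The token characters follow RFC 7231; this regex is a
# local approximation, not STACKIT's own validator.
MEDIA_TYPE_RE = re.compile(r"^[A-Za-z0-9!#$&^_.+-]+/[A-Za-z0-9!#$&^_.+-]+$")


@dataclass
class WafAllowlist:
    """The three allow-lists from the page. Attribute names are assumptions
    used for this local check, not STACKIT API property names."""
    allowed_methods: set = field(default_factory=set)
    allowed_http_versions: set = field(default_factory=set)
    allowed_content_types: set = field(default_factory=set)

    def validate(self) -> list:
        """Return configuration problems; an empty list means the allow-list is well-formed."""
        problems = []
        for ct in self.allowed_content_types:
            if not MEDIA_TYPE_RE.match(ct):
                problems.append(f"content type {ct!r} is not type/subtype without spaces")
        for m in self.allowed_methods:
            if not (m.isalpha() and m.isupper()):
                problems.append(f"method {m!r} should be an upper-case token such as GET")
        for v in self.allowed_http_versions:
            if not re.fullmatch(r"HTTP/\d(\.\d)?", v):
                problems.append(f"HTTP version {v!r} should look like HTTP/1.1 or HTTP/2")
        return problems


def media_type(content_type_header: str) -> str:
    """Drop parameters such as '; charset=utf-8' and normalise case before comparing."""
    return content_type_header.split(";", 1)[0].strip().lower()


def preflight(allowlist: WafAllowlist, request: dict) -> tuple:
    """Decide whether a request would be stopped by the allow-list.

    Assumptions (the page does not spell these out): the content-type check only
    applies to requests that carry a body, and Content-Type parameters are ignored
    when matching. Returns (verdict, reason).
    """
    if request["method"] not in allowlist.allowed_methods:
        return "BLOCK", f"method {request['method']} is not allow-listed"
    if request["version"] not in allowlist.allowed_http_versions:
        return "BLOCK", f"protocol version {request['version']} is not allow-listed"
    if request.get("body"):
        ct = request.get("content_type", "")
        allowed = {c.lower() for c in allowlist.allowed_content_types}
        if media_type(ct) not in allowed:
            return "BLOCK", f"content type {ct!r} is not allow-listed"
    return "ALLOW", "ok"


# Constructed sample traffic (not real logs) to dry-run the allow-list.
SAMPLE_REQUESTS = [
    {"method": "GET", "version": "HTTP/2"},
    {"method": "POST", "version": "HTTP/1.1", "content_type": "application/json; charset=utf-8", "body": "{}"},
    {"method": "POST", "version": "HTTP/1.1", "content_type": "text/xml", "body": "<a/>"},
    {"method": "TRACE", "version": "HTTP/1.1"},
    {"method": "GET", "version": "HTTP/1.0"},
]


def dry_run(allowlist: WafAllowlist, requests: list) -> list:
    """Run every sample request through the allow-list; one (verdict, reason) per request."""
    return [preflight(allowlist, r) for r in requests]


if __name__ == "__main__":
    allowlist = WafAllowlist(
        allowed_methods={"GET", "POST"},
        allowed_http_versions={"HTTP/1.1", "HTTP/2"},
        allowed_content_types={"application/json", "multipart/form-data"},
    )
    assert not allowlist.validate()
    for request, (verdict, reason) in zip(SAMPLE_REQUESTS, dry_run(allowlist, SAMPLE_REQUESTS)):
        print(verdict, request["method"], request["version"], reason)
```

Feed the dry run with methods, versions and content types taken from your own access logs: a legitimate `PUT` or `HTTP/1.0` client that shows up as `BLOCK` here is cheaper to find before the allow-list goes live than after.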
Rule management
You control rule behavior using nine properties divided into three specificity groups: collections, rule groups, and rules.
Specificity hierarchy
The rule levels, from broadest to most specific, are:
- Collections: Broad categories of rules. Currently, the available collections are `@builtin/crs/request` (request rules) and `@builtin/crs/response` (response rules).
- Rule groups: Sub-categories within collections. Call the `ListWafCollections` operation to view the available rule groups.
- Rules: Individual, specific rules.
Precedence and overrides
The precedence of these levels dictates how overlapping configurations are resolved. The order of precedence is (from highest to lowest):
- Rule
- Rule group
- Collection
This means that a more specific setting always overrides a broader one. For example, disabling a collection but activating a specific rule within it will deactivate every rule in that collection except for the explicitly activated one.
Rule selectors
Use the following properties to enable, disable, or log rules at each hierarchy level:
| Level | Enable | Disable | Log-Only |
|---|---|---|---|
| Collections | enabledRuleCollectionIds | disabledRuleCollectionIds | logOnlyRuleCollectionIds |
| Rule groups | enabledRuleGroupIds | disabledRuleGroupIds | logOnlyRuleGroupIds |
| Rules | enabledRuleIds | disabledRuleIds | logOnlyRuleIds |
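As an added example (not part of the STACKIT documentation or SDK), the resolver below implements the precedence described under "Precedence and overrides" for the nine selector properties in the table, and combines the result with the operating mode to give the WAF action value the logs would show. The nine property names, the two collection IDs and the group numbers are taken from this page; it is an assumption that a rule group is identified by the first three digits of its rule codes (`942100` belongs to `942`), that a rule mentioned nowhere is enabled by default, and that a matching enabled rule in ENABLED mode yields a block (the page does not describe any scoring between rules).

```python
# Rule groups listed on this page, mapped to the collection they belong to
# (request groups 911-944, response groups 950-955).
REQUEST_GROUPS = {"911", "913", "921", "922", "930", "931", "932", "933", "934", "941", "942", "943", "944"}
RESPONSE_GROUPS = {"950", "951", "952", "953", "954", "955"}
COLLECTION_OF_GROUP = {g: "@builtin/crs/request" for g in REQUEST_GROUPS}
COLLECTION_OF_GROUP.update({g: "@builtin/crs/response" for g in RESPONSE_GROUPS})

# The nine selector properties from the table above, ordered from most to least
# specific: (level name, property names for enable / disable / log-only).
LEVELS = (
    ("Rule", ("enabledRuleIds", "disabledRuleIds", "logOnlyRuleIds")),
    ("Rule group", ("enabledRuleGroupIds", "disabledRuleGroupIds", "logOnlyRuleGroupIds")),
    ("Collection", ("enabledRuleCollectionIds", "disabledRuleCollectionIds", "logOnlyRuleCollectionIds")),
)
STATES = ("enabled", "disabled", "logOnly")


def identifiers_for(rule_id: str) -> dict:
    """Return the identifier of one rule at each level.

    Assumption: a group is identified by the first three digits of its rule codes
    (942100 -> 942); the page says to call ListWafCollections for the real group IDs.
    """
    group_id = rule_id[:3]
    if group_id not in COLLECTION_OF_GROUP:
        raise ValueError(f"rule {rule_id} does not belong to a rule group listed on this page")
    return {"Rule": rule_id, "Rule group": group_id, "Collection": COLLECTION_OF_GROUP[group_id]}


def conflicts(config: dict) -> list:
    """An identifier listed in two selectors of the same level has no defined meaning; report it."""
    found = []
    for level, keys in LEVELS:
        seen = {}
        for state, key in zip(STATES, keys):
            for ident in config.get(key, []):
                if ident in seen:
                    found.append(f"{level} {ident} is both {seen[ident]} and {state}")
                seen[ident] = state
    return found


def effective_state(config: dict, rule_id: str, default: str = "enabled") -> tuple:
    """Resolve the state of one rule by walking from Rule down to Collection.

    The first level that mentions the rule, its group, or its collection wins,
    which is the precedence the page describes. `default` applies when nothing
    mentions it; the page does not state that default, so it is a parameter.
    Returns (state, the level and identifier that decided it).
    """
    idents = identifiers_for(rule_id)
    for level, keys in LEVELS:
        for state, key in zip(STATES, keys):
            if idents[level] in config.get(key, []):
                return state, f"{level} {idents[level]}"
    return default, "default"


def action_if_matched(config: dict, rule_id: str, mode: str) -> str:
    """Combine the resolved rule state with the operating mode, using the page's
    WAF action values. Simplification (assumption): a matching enabled rule in
    ENABLED mode is treated as a block decision."""
    state, _ = effective_state(config, rule_id)
    if mode == "DISABLED" or state == "disabled":
        return "Allowed"
    if mode == "LOG_ONLY" or state == "logOnly":
        return "Logged"
    if mode == "ENABLED":
        return "Blocked"
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    # The example from the text: disable the whole request collection, then
    # re-enable one SQLi rule inside it. 950100 is untouched (response collection).
    config = {"disabledRuleCollectionIds": ["@builtin/crs/request"], "enabledRuleIds": ["942100"]}
    assert not conflicts(config)
    for rule in ("942100", "941100", "950100"):
        print(rule, effective_state(config, rule), action_if_matched(config, rule, "ENABLED"))
```

Run `conflicts()` over a configuration before submitting it: the page defines precedence between levels, not between two selectors on the same level, so a rule ID that appears in both `enabledRuleIds` and `disabledRuleIds` is a mistake to catch locally rather than to discover from the WAF's behaviour.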
Rule collection - OWASP CRS request
Rule group: 911 - Method Enforcement
| Code | Rule |
|---|---|
| 911100 | Method is not allowed by policy |
Rule group: 913 - Scanner Detection
These rules focus on detecting security tools and scanners.
| Code | Rule |
|---|---|
| 913100 | Found User-Agent associated with security scanner |
Rule group: 922 - Multipart Attack
| Code | Rule |
|---|---|
| 922100 | Multipart content type global _charset_ definition is not allowed by policy |
| 922110 | Illegal MIME Multipart Header content-type: charset parameter |
| 922120 | Content-Transfer-Encoding was deprecated by rfc7578 in 2015 and should not be used |
Rule group: 921 - Protocol Attack
The rules in this table target specific attacks on the HTTP protocol, such as HTTP request smuggling and response splitting.
| Code | Rule |
|---|---|
| 921110 | HTTP Request Smuggling Attack |
| 921120 | HTTP Response Splitting Attack |
| 921130 | HTTP Response Splitting Attack |
| 921140 | HTTP Header Injection Attack via headers |
| 921150 | HTTP Header Injection Attack via payload (CR/LF detected) |
| 921160 | HTTP Header Injection Attack via payload (CR/LF and header-name detected) |
| 921190 | HTTP Splitting (CR/LF in request filename detected) |
| 921200 | LDAP Injection Attack |
| 921421 | Content-Type header: Dangerous content type outside the mime type declaration |
| 921240 | mod_proxy attack attempt detected |
| 921151 | HTTP Header Injection Attack via payload (CR/LF detected) |
| 921422 | Content-Type header: Dangerous content type outside the mime type declaration |
| 921230 | HTTP Range Header detected |
| 921180 | HTTP Parameter Pollution (%{TX.1}) |
| 921210 | HTTP Parameter Pollution after detecting bogus char after parameter array |
| 921220 | HTTP Parameter Pollution possible via array notation |
Rule group: 930 - Application Attack LFI
These rules detect attempts to include files that are local to the web server and should not be accessible to users.
| Code | Rule |
|---|---|
| 930100 | Path Traversal Attack (/../) or (/.../) |
| 930110 | Path Traversal Attack (/../) or (/.../) |
| 930120 | OS File Access Attempt |
| 930130 | Restricted File Access Attempt |
| 930121 | OS File Access Attempt in REQUEST_HEADERS |
Rule group: 931 - Application Attack RFI
These rules detect attempts to include remote resources in the web application that may be executed.
| Code | Rule |
|---|---|
| 931100 | Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address |
| 931110 | Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload |
| 931120 | Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?) |
| 931130 | Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link |
| 931131 | Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link |
Rule group: 932 - Application Attack RCE
| Code | Rule |
|---|---|
| 932230 | Remote Command Execution: Unix Command Injection (2-3 chars) |
| 932235 | Remote Command Execution: Unix Command Injection (command without evasion) |
| 932120 | Remote Command Execution: Windows PowerShell Command Found |
| 932125 | Remote Command Execution: Windows Powershell Alias Command Injection |
| 932130 | Remote Command Execution: Unix Shell Expression Found |
| 932140 | Remote Command Execution: Windows FOR/IF Command Found |
| 932250 | Remote Command Execution: Direct Unix Command Execution |
| 932260 | Remote Command Execution: Direct Unix Command Execution |
| 932330 | Remote Command Execution: Unix shell history invocation |
| 932160 | Remote Command Execution: Unix Shell Code Found |
| 932170 | Remote Command Execution: Shellshock (CVE-2014-6271) |
| 932171 | Remote Command Execution: Shellshock (CVE-2014-6271) |
| 932175 | Remote Command Execution: Unix shell alias invocation |
| 932180 | Restricted File Upload Attempt |
| 932370 | Remote Command Execution: Windows Command Injection |
| 932380 | Remote Command Execution: Windows Command Injection |
| 932231 | Remote Command Execution: Unix Command Injection |
| 932131 | Remote Command Execution: Unix Shell Expression Found |
| 932200 | RCE Bypass Technique |
| 932205 | RCE Bypass Technique |
| 932206 | RCE Bypass Technique |
| 932220 | Remote Command Execution: Unix Command Injection with pipe |
| 932240 | Remote Command Execution: Unix Command Injection evasion attempt detected |
| 932210 | Remote Command Execution: SQLite System Command Execution |
| 932300 | Remote Command Execution: SMTP Command Execution |
| 932310 | Remote Command Execution: IMAP Command Execution |
| 932320 | Remote Command Execution: POP3 Command Execution |
| 932236 | Remote Command Execution: Unix Command Injection (command without evasion) |
| 932239 | Remote Command Execution: Unix Command Injection found in user-agent or referer header |
| 932161 | Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS |
| 932232 | Remote Command Execution: Unix Command Injection |
| 932237 | Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS |
| 932238 | Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS |
| 932190 | Remote Command Execution: Wildcard bypass technique attempt |
| 932301 | Remote Command Execution: SMTP Command Execution |
| 932311 | Remote Command Execution: IMAP Command Execution |
| 932321 | Remote Command Execution: POP3 Command Execution |
| 932331 | Remote Command Execution: Unix shell history invocation |
Rule group: 933 - Application Attack PHP
| Code | Rule |
|---|---|
| 933100 | PHP Injection Attack: PHP Open Tag Found |
| 933110 | PHP Injection Attack: PHP Script File Upload Found |
| 933120 | PHP Injection Attack: Configuration Directive Found |
| 933130 | PHP Injection Attack: Variables Found |
| 933140 | PHP Injection Attack: I/O Stream Found |
| 933200 | PHP Injection Attack: Wrapper scheme detected |
| 933150 | PHP Injection Attack: High-Risk PHP Function Name Found |
| 933160 | PHP Injection Attack: High-Risk PHP Function Call Found |
| 933170 | PHP Injection Attack: Serialized Object Injection |
| 933180 | PHP Injection Attack: Variable Function Call Found |
| 933210 | PHP Injection Attack: Variable Function Call Found |
| 933151 | PHP Injection Attack: Medium-Risk PHP Function Name Found |
| 933131 | PHP Injection Attack: Variables Found |
| 933161 | PHP Injection Attack: Low-Value PHP Function Call Found |
| 933111 | PHP Injection Attack: PHP Script File Upload Found |
| 933190 | PHP Injection Attack: PHP Closing Tag Found |
| 933211 | PHP Injection Attack: Variable Function Call Found |
Rule group: 934 - Application Attack GENERIC
| Code | Rule |
|---|---|
| 934100 | Node.js Injection Attack 1/2 |
| 934110 | Possible Server Side Request Forgery (SSRF) Attack: Cloud provider metadata URL in Parameter |
| 934130 | JavaScript Prototype Pollution |
| 934150 | Ruby Injection Attack |
| 934160 | Node.js DoS attack |
| 934170 | PHP data scheme attack |
| 934101 | Node.js Injection Attack 2/2 |
| 934120 | Possible Server Side Request Forgery (SSRF) Attack: URL Parameter using IP Address |
| 934140 | Perl Injection Attack |
| 934100 | Node.js Injection Attack |
Rule group: 941 - Application Attack XSS
| Code | Rule |
|---|---|
| 941100 | XSS Attack Detected via libinjection |
| 941110 | XSS Filter - Category 1: Script Tag Vector |
| 941130 | XSS Filter - Category 3: Attribute Vector |
| 941140 | XSS Filter - Category 4: Javascript URI Vector |
| 941160 | NoScript XSS InjectionChecker: HTML Injection |
| 941170 | NoScript XSS InjectionChecker: Attribute Injection |
| 941180 | Node-Validator Deny List Keywords |
| 941190 | IE XSS Filters - Attack Detected |
| 941200 | IE XSS Filters - Attack Detected |
| 941210 | IE XSS Filters - Attack Detected |
| 941220 | IE XSS Filters - Attack Detected |
| 941230 | IE XSS Filters - Attack Detected |
| 941240 | IE XSS Filters - Attack Detected |
| 941250 | IE XSS Filters - Attack Detected |
| 941260 | IE XSS Filters - Attack Detected |
| 941270 | IE XSS Filters - Attack Detected |
| 941280 | IE XSS Filters - Attack Detected |
| 941290 | IE XSS Filters - Attack Detected |
| 941300 | IE XSS Filters - Attack Detected |
| 941310 | US-ASCII Malformed Encoding XSS Filter - Attack Detected |
| 941350 | UTF-7 Encoding IE XSS - Attack Detected |
| 941360 | JSFuck / Hieroglyphy obfuscation detected |
| 941370 | JavaScript global variable found |
| 941390 | Javascript method detected |
| 941400 | XSS JavaScript function without parentheses |
| 941101 | XSS Attack Detected via libinjection |
| 941120 | XSS Filter - Category 2: Event Handler Vector |
| 941150 | XSS Filter - Category 5: Disallowed HTML Attributes |
| 941181 | Node-Validator Deny List Keywords |
| 941320 | Possible XSS Attack Detected - HTML Tag Handler |
| 941330 | IE XSS Filters - Attack Detected |
| 941340 | IE XSS Filters - Attack Detected |
| 941380 | AngularJS client side template injection detected |
Rule group: 942 - Application Attack SQL Injection
This table lists rules that protect against SQL injection (SQLi) attacks.
| Code | Rule |
|---|---|
| 942100 | SQL Injection Attack Detected via libinjection |
| 942140 | SQL Injection Attack: Common DB Names Detected |
| 942151 | SQL Injection Attack: SQL function name detected |
| 942160 | Detects blind sqli tests using sleep() or benchmark() |
| 942170 | Detects SQL benchmark and sleep injection attempts including conditional queries |
| 942190 | Detects MSSQL code execution and information gathering attempts |
| 942220 | Looking for integer overflow attacks, magic number crash |
| 942230 | Detects conditional SQL injection attempts |
| 942240 | Detects MySQL charset switch and MSSQL DoS attempts |
| 942250 | Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections |
| 942270 | Looking for basic SQL injection. Common attack string for mysql, oracle and others |
| 942280 | Detects Postgres pg_sleep injection, waitfor delay attacks |
| 942290 | Finds basic MongoDB SQL injection attempts |
| 942320 | Detects MySQL and PostgreSQL stored procedure/function injections |
| 942350 | Detects MySQL UDF injection and other data/structure manipulation attempts |
| 942360 | Detects concatenated basic SQL injection and SQLLFI attempts |
| 942500 | MySQL in-line comment detected |
| 942540 | SQL Authentication bypass (split query) |
| 942560 | MySQL Scientific Notation payload detected |
| 942550 | JSON-Based SQL Injection |
| 942120 | SQL Injection Attack: SQL Operator Detected |
| 942130 | SQL Injection Attack: SQL Boolean-based attack detected |
| 942131 | SQL Injection Attack: SQL Boolean-based attack detected |
| 942150 | SQL Injection Attack: SQL function name detected |
| 942180 | Detects basic SQL authentication bypass attempts 1/3 |
| 942200 | Detects MySQL comment-/space-obfuscated injections and backtick termination |
| 942210 | Detects chained SQL injection attempts 1/2 |
| 942260 | Detects basic SQL authentication bypass attempts 2/3 |
| 942300 | Detects MySQL comments, conditions and ch(a)r injections |
| 942310 | Detects chained SQL injection attempts 2/2 |
| 942330 | Detects classic SQL injection probings 1/3 |
| 942340 | Detects basic SQL authentication bypass attempts 3/3 |
| 942361 | Detects basic SQL injection based on keyword alter or union |
| 942362 | Detects concatenated basic SQL injection and SQLLFI attempts |
| 942370 | Detects classic SQL injection probings 2/3 |
| 942380 | SQL Injection Attack |
| 942390 | SQL Injection Attack |
| 942400 | SQL Injection Attack |
| 942410 | SQL Injection Attack |
| 942470 | SQL Injection Attack |
| 942480 | SQL Injection Attack |
| 942430 | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12) |
| 942440 | SQL Comment Sequence Detected |
| 942450 | SQL Hex Encoding Identified |
| 942510 | SQLi bypass attempt by ticks or backticks detected |
| 942520 | Detects basic SQL authentication bypass attempts 4.0/4 |
| 942521 | Detects basic SQL authentication bypass attempts 4.1/4 |
| 942522 | Detects basic SQL authentication bypass attempts 4.1/4 |
| 942101 | SQL Injection Attack Detected via libinjection |
| 942152 | SQL Injection Attack: SQL function name detected |
| 942321 | Detects MySQL and PostgreSQL stored procedure/function injections |
| 942251 | Detects HAVING injections |
| 942490 | Detects classic SQL injection probings 3/3 |
| 942420 | Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8) |
| 942431 | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6) |
| 942460 | Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters |
| 942511 | SQLi bypass attempt by ticks detected |
| 942530 | SQLi query termination detected |
| 942421 | Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3) |
Rule group: 943 - Application Attack Session Fixation
These rules protect against session fixation attacks.
| Code | Rule |
|---|---|
| 943100 | Possible Session Fixation Attack: Setting Cookie Values in HTML |
| 943110 | Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer |
| 943120 | Possible Session Fixation Attack: SessionID Parameter Name with No Referer |
Rule group: 944 - Application Attack Java
| Code | Rule |
|---|---|
| 944100 | Remote Command Execution: Suspicious Java class detected |
| 944110 | Remote Command Execution: Java process spawn (CVE-2017-9805) |
| 944120 | Remote Command Execution: Java serialization (CVE-2015-4852) |
| 944130 | Suspicious Java class detected |
| 944140 | Java Injection Attack: Java Script File Upload Found |
| 944150 | Potential Remote Command Execution: Log4j / Log4shell |
| 944151 | Potential Remote Command Execution: Log4j / Log4shell |
| 944200 | Magic bytes Detected, probable java serialization in use |
| 944210 | Magic bytes Detected Base64 Encoded, probable java serialization in use |
| 944240 | Remote Command Execution: Java serialization (CVE-2015-4852) |
| 944250 | Remote Command Execution: Suspicious Java method detected |
| 944260 | Remote Command Execution: Malicious class-loading payload |
| 944300 | Base64 encoded string matched suspicious keyword |
| 944152 | Potential Remote Command Execution: Log4j / Log4shell |
Rule collection - OWASP CRS response
Rule group: 950 - Data Leakages
| Code | Rule |
|---|---|
| 950130 | Directory Listing |
| 950140 | CGI source code leakage |
| 950100 | The Application Returned a 500-Level Status Code |
Rule group: 951 - Data Leakages SQL
| Code | Rule |
|---|---|
| 951110 | Microsoft Access SQL Information Leakage |
| 951120 | Oracle SQL Information Leakage |
| 951130 | DB2 SQL Information Leakage |
| 951140 | EMC SQL Information Leakage |
| 951150 | firebird SQL Information Leakage |
| 951160 | Frontbase SQL Information Leakage |
| 951170 | hsqldb SQL Information Leakage |
| 951180 | informix SQL Information Leakage |
| 951190 | ingres SQL Information Leakage |
| 951200 | interbase SQL Information Leakage |
| 951210 | maxDB SQL Information Leakage |
| 951220 | mssql SQL Information Leakage |
| 951230 | mysql SQL Information Leakage |
| 951240 | postgres SQL Information Leakage |
| 951250 | sqlite SQL Information Leakage |
| 951260 | Sybase SQL Information Leakage |
Rule group: 952 - Data Leakages Java
| Code | Rule |
|---|---|
| 952100 | Java Source Code Leakage |
| 952110 | Java Errors |
Rule group: 953 - Data Leakages PHP
| Code | Rule |
|---|---|
| 953100 | PHP Information Leakage |
| 953110 | PHP source code leakage |
| 953120 | PHP source code leakage |
| 953101 | PHP Information Leakage |
Rule group: 954 - Data Leakages IIS
| Code | Rule |
|---|---|
| 954100 | Disclosure of IIS install location |
| 954110 | Application Availability Error |
| 954120 | IIS Information Leakage |
| 954130 | IIS Information Leakage |
Rule group: 955 - Web Shells
| Code | Rule |
|---|---|
| 955100 | Web shell detected |
| 955110 | r57 web shell |
| 955120 | WSO web shell |
| 955130 | b4tm4n web shell |
| 955140 | Mini Shell web shell |
| 955150 | Ashiyane web shell |
| 955160 | Symlink_Sa web shell |
| 955170 | CasuS web shell |
| 955180 | GRP WebShell |
| 955190 | NGHshell web shell |
| 955200 | SimAttacker web shell |
| 955210 | Unknown web shell |
| 955220 | lama’s’hell web shell |
| 955230 | lostDC web shell |
| 955240 | Unknown web shell |
| 955250 | Unknown web shell |
| 955260 | Ru24PostWebShell web shell |
| 955270 | s72 Shell web shell |
| 955280 | PhpSpy web shell |
| 955290 | g00nshell web shell |
| 955300 | PuNkHoLic shell web shell |
| 955310 | azrail web shell |
| 955320 | SmEvK_PaThAn Shell web shell |
| 955330 | Shell I web shell |
| 955340 | b374k m1n1 web shell |
| 955350 | webadmin.php file manager |
The following log fields are added to the CDN Logs only when an enabled or logged rule is triggered:
| Field | Description |
|---|---|
| WAF action | The decision made by the Web Application Firewall regarding the request. Possible values are: Logged: The request is monitored. Blocked: The request is denied. Allowed: The request is permitted. |
| Timestamp | The exact date and time when the request was made. |
| Rule | The specific WAF rule that triggered the event. For more information, see Rule collection - OWASP CRS request. |
| Message | A detailed message describing the WAF event. |
| URL | The URL of the requested cached resource. |
| Method | The HTTP method used for the request. |
| Country | The country where the request originated. |
| ASN | The Autonomous System Number (ASN) of the network where the request originated. |
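An added example (not STACKIT code) of what to do with these fields while the WAF runs in LOG_ONLY mode: summarise the logged rule hits per rule, ASN, country and path, and flag rules whose hits all come from one network on one path, which is the pattern of your own application traffic tripping a rule rather than of scanning. The JSON-lines layout and the exact key spelling are assumptions; the page lists the fields but not the log format. The records are constructed, with ASNs from the documentation range (RFC 5398), and the triage thresholds are a heuristic, not a STACKIT recommendation.

```python
import json
from collections import Counter, defaultdict

# Constructed sample of CDN log records carrying the WAF fields from the table
# above, one JSON object per line. Key spelling and layout are assumptions.
SAMPLE_LOG = """\
{"WAF action": "Logged", "Timestamp": "2024-05-01T10:00:01Z", "Rule": "942100", "Message": "SQL Injection Attack Detected via libinjection", "URL": "/api/search?q=1'%20OR%201=1", "Method": "GET", "Country": "NL", "ASN": "AS64496"}
{"WAF action": "Logged", "Timestamp": "2024-05-01T10:00:07Z", "Rule": "942100", "Message": "SQL Injection Attack Detected via libinjection", "URL": "/api/search?q=1%20UNION%20SELECT", "Method": "GET", "Country": "US", "ASN": "AS64497"}
{"WAF action": "Logged", "Timestamp": "2024-05-01T10:01:12Z", "Rule": "942100", "Message": "SQL Injection Attack Detected via libinjection", "URL": "/login", "Method": "POST", "Country": "DE", "ASN": "AS64498"}
{"WAF action": "Logged", "Timestamp": "2024-05-01T10:02:00Z", "Rule": "941100", "Message": "XSS Attack Detected via libinjection", "URL": "/profile", "Method": "POST", "Country": "DE", "ASN": "AS64499"}
{"WAF action": "Logged", "Timestamp": "2024-05-01T10:02:30Z", "Rule": "941100", "Message": "XSS Attack Detected via libinjection", "URL": "/profile", "Method": "POST", "Country": "DE", "ASN": "AS64499"}
{"WAF action": "Logged", "Timestamp": "2024-05-01T10:03:15Z", "Rule": "941100", "Message": "XSS Attack Detected via libinjection", "URL": "/profile", "Method": "POST", "Country": "DE", "ASN": "AS64499"}
{"WAF action": "Logged", "Timestamp": "2024-05-01T10:04:00Z", "Rule": "913100", "Message": "Found User-Agent associated with security scanner", "URL": "/wp-login.php", "Method": "GET", "Country": "CN", "ASN": "AS64501"}
{"WAF action": "Logged", "Timestamp": "2024-05-01T10:04:01Z", "Rule": "913100", "Message": "Found User-Agent associated with security scanner", "URL": "/.env", "Method": "GET", "Country": "CN", "ASN": "AS64501"}
"""


def parse_log(text: str) -> list:
    """Parse JSON-lines records, keeping only lines that carry the WAF fields."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if "Rule" in rec and "WAF action" in rec:
            records.append(rec)
    return records


def summarize(records: list) -> dict:
    """Per rule: hit count, WAF actions, distinct ASNs and countries, and paths hit."""
    summary = defaultdict(lambda: {
        "count": 0, "actions": Counter(), "asns": set(), "countries": set(),
        "urls": Counter(), "message": "",
    })
    for rec in records:
        s = summary[rec["Rule"]]
        s["count"] += 1
        s["actions"][rec["WAF action"]] += 1
        s["asns"].add(rec["ASN"])
        s["countries"].add(rec["Country"])
        s["urls"][rec["URL"].split("?", 1)[0]] += 1  # group by path, drop the query
        s["message"] = rec["Message"]
    return dict(summary)


def likely_false_positives(records: list, min_hits: int = 3, max_asns: int = 1, max_paths: int = 1) -> list:
    """Heuristic triage for LOG_ONLY mode (assumption, not a STACKIT rule): a rule
    that fires repeatedly but only from a single network on a single path looks
    like the application's own traffic rather than scanning, so review it before
    the mode is switched to ENABLED."""
    flagged = []
    for rule, s in summarize(records).items():
        if s["count"] >= min_hits and len(s["asns"]) <= max_asns and len(s["urls"]) <= max_paths:
            flagged.append(rule)
    return sorted(flagged)


def proposed_selector(records: list) -> dict:
    """Express the triage result as the rule selector property from Rule management,
    so the suspect rules keep logging instead of blocking once the mode is ENABLED."""
    return {"logOnlyRuleIds": likely_false_positives(records)}


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for rule, s in sorted(summarize(records).items()):
        print(rule, s["count"], sorted(s["asns"]), sorted(s["countries"]), dict(s["urls"]), s["message"])
    print(proposed_selector(records))
```

In the constructed sample, `941100` is flagged (three hits, one ASN, one path) while `942100` is not (three networks, two paths), and `913100` falls below the hit threshold. Point the parser at a real CDN log export and review each flagged rule against the request that triggered it before deciding whether it belongs in `logOnlyRuleIds` or whether the application input needs fixing.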
Billing and costs
The costs for the Web Application Firewall (WAF) depend on your selected security tier and the total volume of incoming requests. For exact pricing, see the STACKIT pricing list.
Basic WAF
The standard WAF tier is included in your distribution and provides basic rule sets.
- Request allowance: Free to use up to x requests.
- Overage billing: Exceeding the free request limit incurs charges based on predefined request buckets.
Premium WAF
The Premium WAF unlocks advanced capabilities and premium rule sets.
- Base fee: A fixed recurring charge to enable the Premium tier.
- Request billing: In addition to the base fee, all requests processed by the Premium WAF are billed per request.
WAF logs
WAF log fields are integrated into your existing CDN Logs at no additional cost, regardless of your active WAF tier.