Web Application Firewalls

In Web Application Firewalls (WAFs), blacklists and whitelists are common
mechanisms for filtering and controlling web traffic based on rules:

1. Blacklist (Denylist):
A blacklist contains a set of rules that identify specific inputs, patterns, or
behaviors that are not allowed.
When traffic matches one of these rules, the WAF blocks the request.
Example use case: Blocking known bad IP addresses, specific file types (e.g.,
`.exe`), or malicious input patterns (e.g., SQL injection payloads).

Advantages:
Easier to maintain for known bad inputs.
Can be updated to block newly discovered threats.

Disadvantages:
Requires constant updating to stay effective against evolving threats.
Can miss new or sophisticated attack vectors not yet on the list.

2. Whitelist (Allowlist):
A whitelist is the opposite of a blacklist: it defines allowed inputs, patterns,
or behaviors. Anything that does not match the whitelist is blocked.
The WAF only allows traffic that meets specific criteria, such as expected IP
ranges, legitimate API calls, or certain file formats.

Advantages:
Provides a more secure approach by allowing only trusted inputs and blocking
everything else.
Less prone to missing zero-day attacks, since it relies on what is explicitly
trusted rather than on a list of known bad inputs.

Disadvantages:
Can be restrictive, making it difficult to allow new legitimate traffic unless
constantly updated.
May lead to false positives if legitimate inputs aren't accounted for in the
whitelist.

Regex in WAF (Regular Expressions):

Regular Expressions (Regex) are a powerful way to define patterns for matching
strings, and they are widely used in WAFs to identify potentially malicious inputs.
In a WAF context, regex can be used in both blacklists and whitelists to detect
and filter traffic based on specific string patterns. For example:
Blocking inputs that contain sequences like `<script>` (for XSS attacks).
Detecting common SQL injection patterns like `SELECT.*FROM`.

Use of Regex in WAF:

XSS Protection: A regex might look for strings that match `.*<script>.*` to detect
and block potential Cross-Site Scripting (XSS) attempts.
SQL Injection Protection: A regex can be set to match strings that follow SQL
query-like patterns, such as `.*SELECT.*FROM.*`.

Advantages of Regex:
Flexibility in matching complex patterns.
Can be very specific in what to block or allow.

Disadvantages:
Complex regex patterns can be slow to process on large datasets, affecting
performance.
Misconfigured regex rules can result in false positives (blocking legitimate
traffic) or false negatives (allowing malicious traffic).

Regex plays a crucial role in making WAFs dynamic and adaptable to different types
of attacks, but crafting effective regex patterns requires skill to balance
security and performance.
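The following is an added example (not part of the original text) that puts the denylist and allowlist sections and the regex section together: a small filter that applies the page's two denylist patterns to a value, and a per-parameter allowlist that must match the whole value. The parameter names, the allowlist patterns, the use of re.IGNORECASE, and the sample requests are all assumptions constructed for illustration.

```python
import re

# Denylist rules using the page's two patterns. re.IGNORECASE is an assumption:
# without it, "<SCRIPT>" would not match, i.e. a false negative.
DENYLIST = [
    ("xss", re.compile(r".*<script>.*", re.IGNORECASE | re.DOTALL)),
    ("sqli", re.compile(r".*SELECT.*FROM.*", re.IGNORECASE | re.DOTALL)),
]

# Allowlist rules, one per parameter (assumed names), anchored so the
# whole value must match. A parameter with no rule is blocked entirely.
ALLOWLIST = {
    "id": re.compile(r"^[0-9]{1,10}$"),
    "sort": re.compile(r"^(asc|desc)$"),
    "comment": re.compile(r"^[A-Za-z0-9 ,.!?'-]{1,200}$"),
}


def denylist_check(value):
    """Return (allowed, reason): block only if some denylist rule matches."""
    for name, pattern in DENYLIST:
        if pattern.match(value):
            return False, "matched denylist rule " + name
    return True, "no denylist rule matched"


def allowlist_check(param, value):
    """Return (allowed, reason): block unless the parameter's rule matches."""
    pattern = ALLOWLIST.get(param)
    if pattern is None:
        return False, "no allowlist rule for parameter " + param
    if pattern.match(value):
        return True, "value matches allowlist rule for " + param
    return False, "value does not match allowlist rule for " + param


# Constructed sample requests as (parameter, value). The last one is benign
# text that happens to contain SELECT ... FROM: the denylist blocks it
# (false positive), while the allowlist accepts it because it only uses
# permitted characters, and blocks the script input without any XSS rule.
SAMPLES = [
    ("id", "42"),
    ("id", "1; SELECT * FROM users"),
    ("comment", "<script>alert(1)</script>"),
    ("comment", "please select an item from the menu"),
]


def evaluate(samples=SAMPLES):
    """Return (param, value, denylist_allowed, allowlist_allowed) per sample."""
    return [(p, v, denylist_check(v)[0], allowlist_check(p, v)[0])
            for p, v in samples]
```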
