WAF Security Coverage

QLAM uses OWASP Coraza WAF with the OWASP Core Rule Set (CRS) to provide web application firewall protection for all incoming traffic.

OWASP CRS Protection Categories

The default configuration includes OWASP Core Rule Set (CRS) v4, which provides protection against the following attack categories:

| Rule Group | Rule IDs | Protection |
|---|---|---|
| PROTOCOL-ENFORCEMENT | 920xxx | HTTP RFC violations, encoding abuse, missing required headers, Content-Type restrictions, request size limits |
| PROTOCOL-ATTACK | 921xxx | HTTP request smuggling, response splitting, header injection |
| LFI (Local File Inclusion) | 930xxx | Directory traversal (`/../`, `/..;/`), OS file access, restricted file access (source code, credentials, `.git`) |
| RFI (Remote File Inclusion) | 931xxx | Remote URL inclusion, external resource loading |
| RCE (Remote Code Execution) | 932xxx | Unix/Windows command injection, shell metacharacters (`;`, `|`, `&&`), Shellshock (CVE-2014-6271), PowerShell, SQLite CLI |
| PHP Injection | 933xxx | PHP code injection, dangerous functions, object serialization |
| Node.js Injection | 934xxx | Node.js-specific injection attacks |
| XSS (Cross-Site Scripting) | 941xxx | Script tags, event handlers (`onerror`, `onclick`), JavaScript URIs, encoding evasion, JSFuck obfuscation, AngularJS template injection |
| SQLi (SQL Injection) | 942xxx | Blind/boolean/union-based SQLi, authentication bypass, stacked queries, `information_schema` enumeration, MongoDB NoSQL injection |
| Session Fixation | 943xxx | Session ID manipulation, cookie injection |
| Java Attacks | 944xxx | Java deserialization, Log4j (CVE-2021-44228), Spring4Shell |

OWASP Top 10 (2025) Coverage

| OWASP Top 10 | CRS Coverage | Notes |
|---|---|---|
| A01: Broken Access Control | Partial | Path traversal (LFI), restricted file access |
| A02: Security Misconfiguration | Partial | Protocol enforcement, HTTP RFC violations, information disclosure |
| A03: Software Supply Chain Failures | None | Outside WAF scope |
| A04: Cryptographic Failures | None | Application-level concern |
| A05: Injection | Strong | SQLi, XSS, RCE, command injection, NoSQL injection |
| A06: Insecure Design | None | Application architecture concern |
| A07: Authentication Failures | Partial | Session fixation; brute force requires separate config |
| A08: Software or Data Integrity Failures | Partial | Java/PHP deserialization attacks, known CVE signatures (Log4j, Spring4Shell) |
| A09: Security Logging and Alerting Failures | Strong | All requests logged with full context |
| A10: Mishandling of Exceptional Conditions | None | Application-level concern |

Anomaly Scoring System

CRS uses anomaly scoring rather than blocking on the first rule match: each rule that matches a request adds the score for its severity to the request's running anomaly score.

| Severity | Score | Example |
|---|---|---|
| Critical | 5 | SQLi, RCE confirmed |
| Error | 4 | High-confidence attack pattern |
| Warning | 3 | Suspicious but uncertain |
| Notice | 2 | Informational anomaly |

A request whose accumulated anomaly score exceeds the configured threshold is blocked.

Rate Limiting (DDoS Protection)

Rate limiting is configured at the HAProxy level with these protections:

| Protection | Default | Window |
|---|---|---|
| Request rate | 100 requests / IP | 10s sliding window |
| Connection rate | 50 new connections / IP | 10s sliding window |
| Concurrent connections | 20 simultaneous / IP | |
| Slowloris protection | 10s request timeout | |

Requests that exceed any of these limits receive HTTP 429 (Too Many Requests).
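As an added illustration (not QLAM's shipped HAProxy configuration), the fragment below expresses the four limits above with HAProxy stick tables; the frontend, backend and table names, the certificate path and the upstream address are assumed placeholders:

```haproxy
# Added illustration only; section and table names and paths are placeholders.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    # Slowloris protection: the full request headers must arrive within 10s
    timeout http-request 10s

# Per-IP connection counters: new-connection rate over a 10s sliding window
# plus the number of connections currently open
backend st_conn
    stick-table type ip size 100k expire 30s store conn_rate(10s),conn_cur

# Per-IP request counter over a 10s sliding window
backend st_req
    stick-table type ip size 100k expire 30s store http_req_rate(10s)

frontend fe_web
    bind *:443 ssl crt /etc/haproxy/certs/PLACEHOLDER.pem
    # Count each new TCP connection against the client source address
    tcp-request connection track-sc0 src table st_conn
    # Count each HTTP request against the client source address
    http-request track-sc1 src table st_req
    # Answer 429 once any of the defaults from the table above is exceeded
    http-request deny deny_status 429 if { sc_http_req_rate(1) gt 100 }
    http-request deny deny_status 429 if { sc_conn_rate(0) gt 50 }
    http-request deny deny_status 429 if { sc_conn_cur(0) gt 20 }
    default_backend be_app

backend be_app
    # Requests within the limits continue to the Coraza/CRS-protected service
    server app1 127.0.0.1:8080 check
```

Connection counters are tracked at the TCP level so that idle or half-open connections count even before a request is parsed, while the 429 decision is taken at the HTTP level so the client receives the status code described above.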

Compliance Relevance

| Standard | WAF Requirement | CRS Contribution |
|---|---|---|
| PCI DSS 4.0 | Req 6.4.2 - WAF for public web apps | Provides web attack detection/prevention |
| SOC 2 | CC6.6 - Boundary protection | Logs all attack attempts for audit trail |
| HIPAA | § 164.312(e) - Transmission security | Additional layer for PHI-handling APIs |
| FedRAMP | CA-7 - Continuous monitoring | Real-time attack detection and alerting |
| APPI (Japan) | Art. 23 - Security control measures | Protects personal data from unauthorized access via web attacks |

What CRS Does NOT Protect Against

Per the CRS documentation, CRS does not cover the following:

  • Business logic flaws - Authorization bypass, IDOR, privilege escalation
  • Authentication weaknesses - Weak passwords, missing MFA (use application controls)
  • Application-specific vulnerabilities - Custom code bugs, logic errors
  • Zero-day exploits - Unknown vulnerabilities without signatures
  • Encrypted/encoded payloads - Attacks in encrypted request bodies or custom encoding
  • Client-side attacks - DOM-based XSS (CRS only sees server requests)

Learn More