User Friendly Web Application Firewall with Client Pre-Checking

In this article we present our experience in developing a user friendly Web Application Firewall (WAF) feature, called SERFS, that provides useful and friendly feedback to the end user when one or more requests are filtered or blocked by the WAF. SERFS provides appropriate friendly templates and rules to make the client/server interactions as transparent as possible. When dealing with forms, SERFS back-fills legitimate values and provides hints for illegal values. An application rule developer can either use SERFS's friendly templates or develop new templates to ensure that the usable security mechanisms are consistent with existing application logic. To improve the response time, SERFS also issues JavaScript components to the client browser for pre-checking client requests. If a pre-checked request still contains non-compliant values, SERFS identifies it as suspicious and performs further analysis to either block the request or ask the end user to re-authenticate the session. We have implemented SERFS, and we present preliminary empirical results to validate our user friendly features.
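The abstract describes a loop in which the same form rules run twice: once in the browser as a pre-check, and again in the WAF, which back-fills the values that passed, hints at the ones that failed, and treats a request that claims to be pre-checked yet still fails as suspicious. The sketch below is an added example of that loop, not code from the paper or the SERFS implementation. The rule set, the field names, the sample form submissions and the policy for what happens to a suspicious request (block when several fields fail, otherwise re-authenticate) are all constructed assumptions for illustration.

```javascript
// Added example (not SERFS code): one rule set shared by the client pre-check
// and the server-side filter, with friendly per-field feedback.
// Field names, patterns and hints are constructed for this illustration.
const RULES = {
  username: { pattern: /^[A-Za-z0-9_]{3,20}$/, hint: "3-20 letters, digits or underscores" },
  email:    { pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/, hint: "a valid e-mail address" },
  comment:  { pattern: /^[^<>]{0,200}$/, hint: "up to 200 characters without '<' or '>'" },
};

// Apply every rule to the submitted fields. Legitimate values are kept so the
// friendly template can back-fill them; rejected fields get a hint instead.
function checkForm(fields) {
  const legitimate = {};
  const rejected = {};
  for (const [name, rule] of Object.entries(RULES)) {
    const value = fields[name] ?? "";
    if (rule.pattern.test(value)) {
      legitimate[name] = value;
    } else {
      rejected[name] = { hint: rule.hint };
    }
  }
  return { ok: Object.keys(rejected).length === 0, legitimate, rejected };
}

// Render the "friendly template": back-filled values plus hints for the rest.
function renderFeedback(result) {
  const lines = [];
  for (const [name, value] of Object.entries(result.legitimate)) {
    lines.push(`${name}: ${value} (kept)`);
  }
  for (const [name, { hint }] of Object.entries(result.rejected)) {
    lines.push(`${name}: please enter ${hint}`);
  }
  return lines.join("\n");
}

// Browser side: run the rules before sending, so most mistakes are caught
// without a round trip. A request that passes is tagged as pre-checked.
function clientPreCheck(fields) {
  const result = checkForm(fields);
  if (!result.ok) {
    return { send: false, feedback: result, template: renderFeedback(result) };
  }
  return { send: true, request: { fields, preChecked: true } };
}

// Server side: the preChecked tag is never trusted, the rules run again.
// A compliant client would not have sent a pre-checked request that fails,
// so such a request is marked suspicious. The policy below (block when two or
// more fields fail, otherwise ask for re-authentication) is an assumption.
function serverFilter(request) {
  const result = checkForm(request.fields);
  if (result.ok) {
    return { action: "accept", suspicious: false };
  }
  const suspicious = request.preChecked === true;
  let action = "feedback";
  if (suspicious) {
    action = Object.keys(result.rejected).length >= 2 ? "block" : "reauthenticate";
  }
  return { action, suspicious, template: renderFeedback(result) };
}

// Constructed sample submissions.
const GOOD_FORM = { username: "alice_01", email: "alice@example.com", comment: "hello" };
const BAD_FORM  = { username: "a", email: "alice@example.com", comment: "<script>" };

// Walk both forms through the client pre-check and the server filter.
function demo() {
  const client = clientPreCheck(BAD_FORM);
  const honest = serverFilter({ fields: BAD_FORM, preChecked: false });
  const tampered = serverFilter({ fields: BAD_FORM, preChecked: true });
  const clean = serverFilter(clientPreCheck(GOOD_FORM).request);
  return { clientSends: client.send, honest: honest.action, tampered: tampered.action, clean: clean.action };
}
```

The point a practitioner should take from the split is that the client-side check is an optimisation for the user's benefit only; the server repeats the same rules and uses the pre-checked tag as a signal about the client's honesty, not as a reason to skip filtering.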

By: Vugranam Sreedhar, Peng Ji, Lin Luo, Shun Yang, Yu Zhang, Mary Ellen Zurko

Published in: RC25297 in 2012

rc25297.pdf
