Dario Marchitelli
A formal model of web application firewall security capabilities.
Supervisor: Cataldo Basile. Politecnico di Torino, Master's degree programme in Ingegneria Informatica (Computer Engineering), 2024
PDF (Tesi_di_laurea), thesis. Access restricted to staff only until 30 April 2026 (embargo date). Licence: Creative Commons Attribution Non-commercial No Derivatives. Size: 2MB.
Abstract:
This thesis presents a novel approach to enhance the accessibility and flexibility of application-level security. It introduces a formal model of security controls that abstracts the low-level languages used by different Web Application Firewall (WAF) frameworks. The model is designed to simplify the definition of security capabilities through an XML-based abstract language, allowing administrators to specify security controls without needing detailed knowledge of the underlying frameworks. The model is implemented by a Java tool that translates the abstract language into framework-specific rules, addressing the challenges posed by the proliferation of diverse security tools. This approach reduces the risk of technology lock-in, enabling easier adoption of newer, more advanced frameworks. The thesis shows how this model can be extended to support the widely used ModSecurity framework, incorporating key features such as HTTP request and response body inspection, as well as user-defined variable management. The extended model was validated using the ModSecurity Core Rule Set (CRS), demonstrating its ability to effectively represent and enforce key WAF controls. This work contributes to reducing the complexity of managing WAF rules, offering system administrators a more flexible and adaptable solution to modern web application security challenges.
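The abstract describes a pipeline of abstract XML capability definitions translated by a tool into ModSecurity rules, covering request and response body inspection and user-defined variables. The following script is an added example of that idea and is not the thesis's code: the thesis's translator is a Java tool and its XML schema is not reproduced on this page, so the XML vocabulary (element and attribute names, the "request.body"/"response.body"/"var:" targets, the operator and action names) is an assumption invented here. The ModSecurity side (SecRule syntax, variable names, phases, t:, setvar:, msg:, severity:) is real syntax. The translator refuses anything the backend cannot express, including a rule scheduled in a phase before its target is populated, instead of emitting a rule that would silently never fire.

```python
"""Toy translator from an abstract, XML-based WAF capability language into
ModSecurity SecRule directives.

Added illustration of the approach described in the abstract (abstract model ->
framework-specific rules). The XML vocabulary, target names and operator names
are assumptions invented for this example, not the thesis's own schema, and the
thesis's translator is a Java tool, not this script.
"""
import xml.etree.ElementTree as ET

# Abstract target -> (ModSecurity variable, earliest phase in which it is populated).
# ModSecurity phases: 1 request headers, 2 request body, 3 response headers, 4 response body.
TARGETS = {
    "request.headers": ("REQUEST_HEADERS", 1),
    "request.uri": ("REQUEST_URI", 1),
    "request.args": ("ARGS", 2),
    "request.body": ("REQUEST_BODY", 2),
    "response.headers": ("RESPONSE_HEADERS", 3),
    "response.body": ("RESPONSE_BODY", 4),
}
OPERATORS = {"regex": "@rx", "contains": "@contains", "streq": "@streq", "ge": "@ge"}
DISRUPTIVE = {"deny": "deny,status:403", "drop": "drop", "pass": "pass"}


def translate_rule(rule: ET.Element) -> str:
    """Translate one abstract <rule> element into a single SecRule line.

    Unsupported constructs raise ValueError: the abstract layer must refuse what
    the backend cannot express rather than emit a rule that never matches.
    """
    rid = int(rule.attrib["id"])
    conds = rule.findall("condition")
    if len(conds) != 1:                      # multi-condition chains are out of scope here
        raise ValueError(f"rule {rid}: exactly one <condition> is supported")
    cond = conds[0]
    target, op = cond.attrib["target"], cond.attrib["operator"]
    if target.startswith("var:"):            # user-defined variable, kept in the TX collection
        var, required = "TX:" + target[4:], 0
    elif target in TARGETS:
        var, required = TARGETS[target]
    else:
        raise ValueError(f"rule {rid}: target {target!r} has no ModSecurity equivalent")
    if op not in OPERATORS:
        raise ValueError(f"rule {rid}: operator {op!r} has no ModSecurity equivalent")
    # Use the explicit phase if given, else the earliest phase the target allows
    # (TX variables impose none, so default to 2). Reject a phase that runs before
    # the target exists, e.g. RESPONSE_BODY in phase 1.
    phase = int(rule.attrib.get("phase", required or 2))
    if phase < required:
        raise ValueError(f"rule {rid}: {target} is only available from phase {required}")
    action = rule.attrib.get("action", "pass")
    if action not in DISRUPTIVE:
        raise ValueError(f"rule {rid}: unknown action {action!r}")

    # t:none clears any transformations inherited from SecDefaultAction.
    actions = [f"id:{rid}", f"phase:{phase}", DISRUPTIVE[action], "t:none"]
    actions += ["t:" + t.text.strip() for t in rule.findall("transform")]
    if "msg" in rule.attrib:
        actions.append("msg:'" + rule.attrib["msg"].replace("'", "\\'") + "'")
    if "severity" in rule.attrib:
        actions.append(f"severity:'{rule.attrib['severity']}'")
    for sv in rule.findall("setvar"):        # user-defined variable management
        sign = "+" if sv.attrib.get("op") == "increment" else ""
        actions.append(f"setvar:'tx.{sv.attrib['name']}={sign}{sv.attrib['value']}'")
    pattern = cond.attrib["value"].replace('"', '\\"')
    joined = ",".join(actions)
    return f'SecRule {var} "{OPERATORS[op]} {pattern}" "{joined}"'


def translate(xml_text: str) -> list:
    """Translate a whole <capabilities> document into SecRule lines, in file order."""
    root = ET.fromstring(xml_text)
    return [translate_rule(r) for r in root.findall("rule")]


def expressible(xml_text: str) -> bool:
    """True if every rule in the document can be rendered for the ModSecurity backend."""
    try:
        translate(xml_text)
        return True
    except ValueError:
        return False


# Constructed sample input (not from the thesis): a scoring rule on the request
# body, a threshold rule on the user-defined variable, and a response-body check.
SAMPLE_XML = r"""<capabilities>
  <rule id="1001" action="pass" msg="SQLi keyword in request body" severity="CRITICAL">
    <condition target="request.body" operator="regex" value="union\s+select"/>
    <transform>urlDecode</transform>
    <transform>lowercase</transform>
    <setvar name="sqli_score" op="increment" value="5"/>
  </rule>
  <rule id="1002" action="deny" msg="SQLi anomaly score exceeded">
    <condition target="var:sqli_score" operator="ge" value="5"/>
  </rule>
  <rule id="1003" action="deny" msg="Database error message leaked in response">
    <condition target="response.body" operator="regex" value="error in your SQL syntax"/>
  </rule>
</capabilities>"""

if __name__ == "__main__":
    for line in translate(SAMPLE_XML):
        print(line)
```

The generated lines are ordinary ModSecurity directives and can be dropped into a configuration file loaded by the engine. Two backend-specific prerequisites that the abstract layer hides from the administrator still apply: REQUEST_BODY is only inspected with `SecRequestBodyAccess On`, and RESPONSE_BODY only with `SecResponseBodyAccess On`. Rule order within a phase also matters: rule 1002 relies on rule 1001 having incremented `tx.sqli_score` earlier in phase 2, which is why the translator preserves file order.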
Supervisors: Cataldo Basile
Academic year: 2024/25
Publication type: Electronic
Number of pages: 141
Subjects: (none specified)
Degree programme: Master's degree programme in Ingegneria Informatica (Computer Engineering)
Degree class: New system > Master's degree > LM-32 - INGEGNERIA INFORMATICA
Collaborating companies: NOT SPECIFIED
URI: http://webthesis.biblio.polito.it/id/eprint/33054