Protect Your Web Applications Against
Modern Cyber Threats & L7 DDoS Attacks
WafWay is an enterprise-grade, self-hosted Web Application Firewall (WAF) designed to protect your web applications against SQL injection, XSS, OWASP Top 10 threats, and L7 DDoS attacks. Built with Go for maximum performance, WafWay includes interactive human verification challenges, Redis distributed state sharing, PostgreSQL enterprise storage, and multi-region DC/DR support.
Independently tested against 704+ attack payloads across 16+ threat areas. New: Interactive "Verify you are human" challenge with SHA-256 proof-of-work stops automated L7 DDoS attacks while letting real users through in under 3 seconds.
Union, Boolean, Time-based, Stacked queries
Reflected, Stored, DOM-based, Polyglots
External entities, Billion laughs, OOB
Shell commands, Reverse shells
Directory traversal, Null bytes
File inclusion, Cloud metadata
Tested with: SQLMap, Burp Suite, OWASP ZAP, Nikto, Nmap, DirBuster, Acunetix, Custom Payloads
OWASP Top 10 & Extended Threat Coverage — All 16 categories tested and blocked
| # | Threat Category | Attack Scenarios Tested | Result |
|---|---|---|---|
| A01 | Broken Access Control | Forced browsing, IDOR, method tampering | BLOCKED |
| A02 | Cryptographic Failures | HTTP downgrade attempts, insecure headers | BLOCKED |
| A03 | Injection | SQLi, NoSQLi, OS command injection, LDAP injection | BLOCKED |
| A04 | Insecure Design | Abnormal request sequencing, logic abuse | BLOCKED |
| A05 | Security Misconfiguration | .env, .git, backup file access, directory listing | BLOCKED |
| A06 | Vulnerable Components | Known exploit payloads targeting outdated libraries | BLOCKED |
| A07 | Authentication Failures | Brute force login, credential stuffing | BLOCKED |
| A08 | Data Integrity Failures | Payload tampering, insecure deserialization | BLOCKED |
| A09 | Logging & Monitoring | Stealth attacks, evasion attempts | DETECTED & LOGGED |
| A10 | Server-Side Request Forgery | Internal IPs, cloud metadata URLs | BLOCKED |
| E01 | Cross-Site Scripting (XSS) | Reflected, Stored, DOM-based XSS | BLOCKED |
| E02 | Cross-Site Request Forgery | CSRF token bypass attempts | BLOCKED |
| E03 | Path Traversal / File Inclusion | ../ traversal, LFI, RFI | BLOCKED |
| E04 | Bot Attacks & Automated Abuse | Credential stuffing, scraping, automation | BLOCKED |
| E05 | API Abuse & Parameter Tampering | Invalid methods, excessive requests | BLOCKED |
| E06 | Evasion & Encoding Techniques | Unicode, double encoding, HTTP pollution | BLOCKED |
Controlled attack simulations validated detection accuracy, blocking effectiveness, application stability, and logging integrity. Tests included automated and manual crafted payloads.
WafWay handles advanced evasion techniques including Unicode and multi-layer encoding attacks, protocol abuse, and modern framework-specific threats (Angular, Vue, React). No noticeable performance degradation observed during testing.
Residual Risk Level: Low (Post-WAF Protection)
Everything you need to secure your web applications
OWASP CRS-inspired detection with 45+ patterns covering union, boolean, time-based, and stacked query attacks.
Comprehensive cross-site scripting detection including reflected, stored, and DOM-based attacks.
Industry-standard bcrypt password hashing with cryptographically secure token generation.
Enterprise PostgreSQL with connection pooling (RDS compatible) or SQLite for smaller deployments.
Create, update, and delete custom WAF rules. Define patterns, actions, and priorities.
Time-series traffic data, top paths analysis, and attack logging. Export via REST API.
Block traffic by country, detect VPNs, Tor exit nodes with MaxMind GeoIP integration.
Interactive "Verify you are human" click-to-verify with SHA-256 proof-of-work. Stops bots, passes humans in <3s.
Allow → Challenge → Block. Configurable soft threshold triggers human verification before hard blocking.
Share rate limits, challenge passes, IP bans across multiple WAF instances. ElastiCache compatible.
HSTS, Content-Security-Policy, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, CORS whitelist.
Deploy in 5 minutes - WafWay sits between the internet and your application
Users & Attackers
Inspect, Challenge & Filter
Clean Traffic Only
How it works: When a client exceeds the soft rate limit threshold, WafWay serves an interactive challenge page. A SHA-256 proof-of-work runs silently in the browser, then the user clicks a checkbox to confirm they're human. Verified users receive a 30-minute pass. Bots and automated scripts that cannot execute JavaScript or click the checkbox are effectively blocked.
EC2, Compute Engine, Azure VM. Single binary behind your cloud load balancer.
Alpine-based image. Helm charts. ConfigMap support. Horizontal scaling with Redis.
Single binary, zero dependencies. Systemd service with auto-restart. amd64 & arm64.
Contact us for a demo or to discuss your security requirements
ConceptGood Consultants is an AI Product Development and Consulting firm based in Pune, India. We specialize in building intelligent solutions that transform how businesses operate.