Web Application Firewall (WAF)

Protect your web applications and APIs from common vulnerabilities and sophisticated attacks with Sherpa.sh WAF. The firewall automatically inspects incoming HTTP requests in real-time, filtering out malicious traffic before it reaches your application.

Overview

The Sherpa.sh WAF provides automatic protection against:

• SQL injection attacks

• Cross-site scripting (XSS)

• OWASP Top 10 vulnerabilities

• Zero-day exploits

• Malicious bot traffic

No configuration required—just enable and you're protected.

How It Works

The WAF uses machine learning and continuously updated threat intelligence to identify and block malicious requests automatically. When a request arrives:

1. Request Analysis: Every HTTP request is inspected against known attack patterns

2. Threat Scoring: Suspicious requests receive a threat score based on multiple factors

3. Automatic Action: High-risk requests are blocked instantly, while legitimate traffic flows through

4. Continuous Learning: The system adapts to new threats without manual updates

Getting Started

Prerequisites

• Active Sherpa.sh account with deployed app

Enable WAF Protection

Message support in discord.sherpa.sh to have your WAF enabled. 100% Free.

Protection Features

Automatic Threat Detection

The WAF automatically protects against the following attacks

Injection Attacks

• SQL injection

• NoSQL injection

• Command injection

• LDAP injection

Cross-Site Scripting (XSS)

• Reflected XSS

• Stored XSS

• DOM-based XSS

Security Misconfigurations

• Exposed sensitive endpoints

• Directory traversal attempts

• File inclusion attacks

Known Vulnerabilities

• CVE-based exploits

• Framework-specific attacks

• CMS vulnerabilities

Real-Time Monitoring

View your application's security status at a glance:

• Blocked Requests: See threats stopped in real-time

• Attack Patterns: Identify trending attack types

• Traffic Insights: Understand normal vs suspicious behavior

• Geographic Threats: Map attack origins

Full protection list

METHOD ENFORCEMENT

• 911100 - Method is not allowed by policy

SCANNER DETECTION

• 913100 - Found User-Agent associated with security scanner

MULTIPART ATTACK

• 922100 - Multipart content type global charset definition is not allowed by policy

• 922110 - Illegal MIME Multipart Header content-type: charset parameter

• 922120 - Content-Transfer-Encoding was deprecated by rfc7578 in 2015 and should not be used

PROTOCOL ATTACK

• 921110 - HTTP Request Smuggling Attack

• 921120 - HTTP Response Splitting Attack

• 921130 - HTTP Response Splitting Attack

• 921140 - HTTP Header Injection Attack via headers

• 921150 - HTTP Header Injection Attack via payload (CR/LF detected)

• 921160 - HTTP Header Injection Attack via payload (CR/LF and header-name detected)

• 921190 - HTTP Splitting (CR/LF in request filename detected)

• 921200 - LDAP Injection Attack

• 921421 - Content-Type header: Dangerous content type outside the mime type declaration

• 921240 - mod_proxy attack attempt detected

• 921151 - HTTP Header Injection Attack via payload (CR/LF detected)

• 921422 - Content-Type header: Dangerous content type outside the mime type declaration

• 921230 - HTTP Range Header detected

• 921180 - HTTP Parameter Pollution (%{TX.1})

• 921210 - HTTP Parameter Pollution after detecting bogus char after parameter array

• 921220 - HTTP Parameter Pollution possible via array notation

APPLICATION ATTACK LFI

• 930100 - Path Traversal Attack (/../) or (/.../)

• 930110 - Path Traversal Attack (/../) or (/.../)

• 930120 - OS File Access Attempt

• 930130 - Restricted File Access Attempt

• 930121 - OS File Access Attempt in REQUEST_HEADERS

APPLICATION ATTACK RFI

• 931100 - Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address

• 931110 - Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload

• 931120 - Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?)

• 931130 - Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link

• 931131 - Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link

APPLICATION ATTACK RCE

• 932230 - Remote Command Execution: Unix Command Injection (2-3 chars)

• 932235 - Remote Command Execution: Unix Command Injection (command without evasion)

• 932120 - Remote Command Execution: Windows PowerShell Command Found

• 932125 - Remote Command Execution: Windows Powershell Alias Command Injection

• 932130 - Remote Command Execution: Unix Shell Expression Found

• 932140 - Remote Command Execution: Windows FOR/IF Command Found

• 932250 - Remote Command Execution: Direct Unix Command Execution

• 932260 - Remote Command Execution: Direct Unix Command Execution

• 932330 - Remote Command Execution: Unix shell history invocation

• 932160 - Remote Command Execution: Unix Shell Code Found

• 932170 - Remote Command Execution: Shellshock (CVE-2014-6271)

• 932171 - Remote Command Execution: Shellshock (CVE-2014-6271)

• 932175 - Remote Command Execution: Unix shell alias invocation

• 932180 - Restricted File Upload Attempt

• 932370 - Remote Command Execution: Windows Command Injection

• 932380 - Remote Command Execution: Windows Command Injection

• 932231 - Remote Command Execution: Unix Command Injection

• 932131 - Remote Command Execution: Unix Shell Expression Found

• 932200 - RCE Bypass Technique

• 932205 - RCE Bypass Technique

• 932206 - RCE Bypass Technique

• 932220 - Remote Command Execution: Unix Command Injection with pipe

• 932240 - Remote Command Execution: Unix Command Injection evasion attempt detected

• 932210 - Remote Command Execution: SQLite System Command Execution

• 932300 - Remote Command Execution: SMTP Command Execution

• 932310 - Remote Command Execution: IMAP Command Execution

• 932320 - Remote Command Execution: POP3 Command Execution

• 932236 - Remote Command Execution: Unix Command Injection (command without evasion)

• 932239 - Remote Command Execution: Unix Command Injection found in user-agent or referer header

• 932161 - Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS

• 932232 - Remote Command Execution: Unix Command Injection

• 932237 - Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS

• 932238 - Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS

• 932190 - Remote Command Execution: Wildcard bypass technique attempt

• 932301 - Remote Command Execution: SMTP Command Execution

• 932311 - Remote Command Execution: IMAP Command Execution

• 932321 - Remote Command Execution: POP3 Command Execution

• 932331 - Remote Command Execution: Unix shell history invocation

PPLICATION ATTACK PHP

• 933100 - PHP Injection Attack: PHP Open Tag Found

• 933110 - PHP Injection Attack: PHP Script File Upload Found

• 933120 - PHP Injection Attack: Configuration Directive Found

• 933130 - PHP Injection Attack: Variables Found

• 933140 - PHP Injection Attack: I/O Stream Found

• 933200 - PHP Injection Attack: Wrapper scheme detected

• 933150 - PHP Injection Attack: High-Risk PHP Function Name Found

• 933160 - PHP Injection Attack: High-Risk PHP Function Call Found

• 933170 - PHP Injection Attack: Serialized Object Injection

• 933180 - PHP Injection Attack: Variable Function Call Found

• 933210 - PHP Injection Attack: Variable Function Call Found

• 933151 - PHP Injection Attack: Medium-Risk PHP Function Name Found

• 933131 - PHP Injection Attack: Variables Found

• 933161 - PHP Injection Attack: Low-Value PHP Function Call Found

• 933111 - PHP Injection Attack: PHP Script File Upload Found

• 933190 - PHP Injection Attack: PHP Closing Tag Found

• 933211 - PHP Injection Attack: Variable Function Call Found

APPLICATION ATTACK GENERIC

• 934100 - Node.js Injection Attack 1/2

• 934110 - Possible Server Side Request Forgery (SSRF) Attack: Cloud provider metadata URL in Parameter

• 934130 - JavaScript Prototype Pollution

• 934150 - Ruby Injection Attack

• 934160 - Node.js DoS attack

• 934170 - PHP data scheme attack

• 934101 - Node.js Injection Attack 2/2

• 934120 - Possible Server Side Request Forgery (SSRF) Attack: URL Parameter using IP Address

• 934140 - Perl Injection Attack

• 934100 - Node.js Injection Attack

APPLICATION ATTACK XSS

• 941100 - XSS Attack Detected via libinjection

• 941110 - XSS Filter - Category 1: Script Tag Vector

• 941130 - XSS Filter - Category 3: Attribute Vector

• 941140 - XSS Filter - Category 4: Javascript URI Vector

• 941160 - NoScript XSS InjectionChecker: HTML Injection

• 941170 - NoScript XSS InjectionChecker: Attribute Injection

• 941180 - Node-Validator Deny List Keywords

• 941190 - IE XSS Filters - Attack Detected

• 941200 - IE XSS Filters - Attack Detected

• 941210 - IE XSS Filters - Attack Detected

• 941220 - IE XSS Filters - Attack Detected

• 941230 - IE XSS Filters - Attack Detected

• 941240 - IE XSS Filters - Attack Detected

• 941250 - IE XSS Filters - Attack Detected

• 941260 - IE XSS Filters - Attack Detected

• 941270 - IE XSS Filters - Attack Detected

• 941280 - IE XSS Filters - Attack Detected

• 941290 - IE XSS Filters - Attack Detected

• 941300 - IE XSS Filters - Attack Detected

• 941310 - US-ASCII Malformed Encoding XSS Filter - Attack Detected

• 941350 - UTF-7 Encoding IE XSS - Attack Detected

• 941360 - JSFuck / Hieroglyphy obfuscation detected

• 941370 - JavaScript global variable found

• 941390 - Javascript method detected

• 941400 - XSS JavaScript function without parentheses

• 941101 - XSS Attack Detected via libinjection

• 941120 - XSS Filter - Category 2: Event Handler Vector

• 941150 - XSS Filter - Category 5: Disallowed HTML Attributes

• 941181 - Node-Validator Deny List Keywords

• 941320 - Possible XSS Attack Detected - HTML Tag Handler

• 941330 - IE XSS Filters - Attack Detected

• 941340 - IE XSS Filters - Attack Detected

• 941380 - AngularJS client side template injection detected

APPLICATION ATTACK SQLI

• 942100 - SQL Injection Attack Detected via libinjection

• 942140 - SQL Injection Attack: Common DB Names Detected

• 942151 - SQL Injection Attack: SQL function name detected

• 942160 - Detects blind sqli tests using sleep() or benchmark()

• 942170 - Detects SQL benchmark and sleep injection attempts including conditional queries

• 942190 - Detects MSSQL code execution and information gathering attempts

• 942220 - Looking for integer overflow attacks, these are taken from skipfish, except 2.2.2250738585072011e-308 is the "magic number" crash

• 942230 - Detects conditional SQL injection attempts

• 942240 - Detects MySQL charset switch and MSSQL DoS attempts

• 942250 - Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections

• 942270 - Looking for basic sql injection. Common attack string for mysql, oracle and others

• 942280 - Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts

• 942290 - Finds basic MongoDB SQL injection attempts

• 942320 - Detects MySQL and PostgreSQL stored procedure/function injections

• 942350 - Detects MySQL UDF injection and other data/structure manipulation attempts

• 942360 - Detects concatenated basic SQL injection and SQLLFI attempts

• 942500 - MySQL in-line comment detected

• 942540 - SQL Authentication bypass (split query)

• 942560 - MySQL Scientific Notation payload detected

• 942550 - JSON-Based SQL Injection

• 942120 - SQL Injection Attack: SQL Operator Detected

• 942130 - SQL Injection Attack: SQL Boolean-based attack detected

• 942131 - SQL Injection Attack: SQL Boolean-based attack detected

• 942150 - SQL Injection Attack: SQL function name detected

• 942180 - Detects basic SQL authentication bypass attempts 1/3

• 942200 - Detects MySQL comment-/space-obfuscated injections and backtick termination

• 942210 - Detects chained SQL injection attempts 1/2

• 942260 - Detects basic SQL authentication bypass attempts 2/3

• 942300 - Detects MySQL comments, conditions and ch(a)r injections

• 942310 - Detects chained SQL injection attempts 2/2

• 942330 - Detects classic SQL injection probings 1/3

• 942340 - Detects basic SQL authentication bypass attempts 3/3

• 942361 - Detects basic SQL injection based on keyword alter or union

• 942362 - Detects concatenated basic SQL injection and SQLLFI attempts

• 942370 - Detects classic SQL injection probings 2/3

• 942380 - SQL Injection Attack

• 942390 - SQL Injection Attack

• 942400 - SQL Injection Attack

• 942410 - SQL Injection Attack

• 942470 - SQL Injection Attack

• 942480 - SQL Injection Attack

• 942430 - Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)

• 942440 - SQL Comment Sequence Detected

• 942450 - SQL Hex Encoding Identified

• 942510 - SQLi bypass attempt by ticks or backticks detected

• 942520 - Detects basic SQL authentication bypass attempts 4.0/4

• 942521 - Detects basic SQL authentication bypass attempts 4.1/4

• 942522 - Detects basic SQL authentication bypass attempts 4.1/4

• 942101 - SQL Injection Attack Detected via libinjection

• 942152 - SQL Injection Attack: SQL function name detected

• 942321 - Detects MySQL and PostgreSQL stored procedure/function injections

• 942251 - Detects HAVING injections

• 942490 - Detects classic SQL injection probings 3/3

• 942420 - Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8)

• 942431 - Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6)

• 942460 - Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters

• 942511 - SQLi bypass attempt by ticks detected

• 942530 - SQLi query termination detected

• 942421 - Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3)

APPLICATION ATTACK SESSION FIXATION

• 943100 - Possible Session Fixation Attack: Setting Cookie Values in HTML

• 943110 - Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer

• 943120 - Possible Session Fixation Attack: SessionID Parameter Name with No Referer

APPLICATION ATTACK JAVA

• 944100 - Remote Command Execution: Suspicious Java class detected

• 944110 - Remote Command Execution: Java process spawn (CVE-2017-9805)

• 944120 - Remote Command Execution: Java serialization (CVE-2015-4852)

• 944130 - Suspicious Java class detected

• 944140 - Java Injection Attack: Java Script File Upload Found

• 944150 - Potential Remote Command Execution: Log4j / Log4shell

• 944151 - Potential Remote Command Execution: Log4j / Log4shell

• 944200 - Magic bytes Detected, probable java serialization in use

• 944210 - Magic bytes Detected Base64 Encoded, probable java serialization in use

• 944240 - Remote Command Execution: Java serialization (CVE-2015-4852)

• 944250 - Remote Command Execution: Suspicious Java method detected

• 944260 - Remote Command Execution: Malicious class-loading payload

• 944300 - Base64 encoded string matched suspicious keyword

• 944152 - Potential Remote Command Execution: Log4j / Log4shell

DATA LEAKAGES

• 950130 - Directory Listing

• 950140 - CGI source code leakage

• 950100 - The Application Returned a 500-Level Status Code

DATA LEAKAGES SQL

• 951110 - Microsoft Access SQL Information Leakage

• 951120 - Oracle SQL Information Leakage

• 951130 - DB2 SQL Information Leakage

• 951140 - EMC SQL Information Leakage

• 951150 - firebird SQL Information Leakage

• 951160 - Frontbase SQL Information Leakage

• 951170 - hsqldb SQL Information Leakage

• 951180 - informix SQL Information Leakage

• 951190 - ingres SQL Information Leakage

• 951200 - interbase SQL Information Leakage

• 951210 - maxDB SQL Information Leakage

• 951220 - mssql SQL Information Leakage

• 951230 - mysql SQL Information Leakage

• 951240 - postgres SQL Information Leakage

• 951250 - sqlite SQL Information Leakage

• 951260 - Sybase SQL Information Leakage

DATA LEAKAGES JAVA

• 952100 - Java Source Code Leakage

• 952110 - Java Errors

DATA LEAKAGES PHP

• 953100 - PHP Information Leakage

• 953110 - PHP source code leakage

• 953120 - PHP source code leakage

• 953101 - PHP Information Leakage

DATA LEAKAGES IIS

• 954100 - Disclosure of IIS install location

• 954110 - Application Availability Error

• 954120 - IIS Information Leakage

• 954130 - IIS Information Leakage

WEB SHELLS

• 955100 - Web shell detected

• 955110 - r57 web shell

• 955120 - WSO web shell

• 955130 - b4tm4n web shell

• 955140 - Mini Shell web shell

• 955150 - Ashiyane web shell

• 955160 - Symlink_Sa web shell

• 955170 - CasuS web shell

• 955180 - GRP WebShell

• 955190 - NGHshell web shell

• 955200 - SimAttacker web shell

• 955210 - Unknown web shell

• 955220 - lama's'hell web shell

• 955230 - lostDC web shell

• 955240 - Unknown web shell

• 955250 - Unknown web shell

• 955260 - Ru24PostWebShell web shell

• 955270 - s72 Shell web shell

• 955280 - PhpSpy web shell

• 955290 - g00nshell web shell

• 955300 - PuNkHoLic shell web shell

• 955310 - azrail web shell

• 955320 - SmEvK_PaThAn Shell web shell

• 955330 - Shell I web shell

• 955340 - b374k m1n1 web shell

• 955350 - webadmin.php file manager

Troubleshooting

Legitimate Requests Blocked

Issue: False positive blocking valid traffic

Solution: Contact support in Discord.sherpa.sh to have the request whitelisted.

WAF Not Blocking

Issue: Known attack getting through

Steps:

1. Verify WAF is in Active Mode (not Monitor)

2. Check application is routing through Sherpa.sh

3. Confirm no bypass rules are configured

4. Contact support if issue persists

High Latency

Issue: Requests taking longer than expected

Typical Causes:

• WAF adds ~10-20ms per request (normal)

• Challenge mode adds ~200-500ms (only for suspicious requests)

• Check application performance separately

Verification:

bash

# Test request timing
curl -w "@curl-format.txt" -o /dev/null -s https://yourapp.com