79 changes: 53 additions & 26 deletions docs/Tech/Security/WAF.md
Expand Up @@ -2,62 +2,89 @@ Web Application Firewalls (WAFs) have become an essential component of web secur

## Rule Sets

One of the main components of the open source WAF ecosystem is the OWASP® ModSecurity Core Rule Set (CRS), a set of generic attack detection rules designed for ModSecurity or compatible WAFs. This rule set is pivotal in defending web applications against a spectrum of attacks, including the notorious OWASP Top Ten, while striving to minimize false alerts.
One of the main components of the open source WAF ecosystem is the OWASP ModSecurity Core Rule Set (CRS), a set of generic attack detection rules designed for ModSecurity or compatible WAFs. This rule set is pivotal in defending web applications against a spectrum of attacks, including the notorious OWASP Top Ten, while striving to minimize false alerts.

https://coreruleset.org/

> The **OWASP® ModSecurity Core Rule Set (CRS)** is a set of generic attack detection rules for use with [ModSecurity](https://www.modsecurity.org/) or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts. The CRS provides protection against many common attack categories.
> The **OWASP ModSecurity Core Rule Set (CRS)** is a set of generic attack detection rules for use with [ModSecurity](https://github.com/owasp-modsecurity/ModSecurity) or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts. The CRS provides protection against many common attack categories.

Sources: https://github.com/coreruleset/coreruleset

## Open source solutions

### Coraza (1.6k★)
### BunkerWeb (10.2k★)

https://github.com/corazawaf/coraza.git "OWASP Coraza WAF is a golang modsecurity compatible web application firewall library"
https://github.com/bunkerity/bunkerweb "BunkerWeb is a next-generation and open-source Web Application Firewall (WAF)."

> BunkerWeb is a full-featured open-source WAF based on NGINX and ModSecurity. It provides a web UI for configuration, supports Docker/Kubernetes/Swarm deployments out of the box, and includes automatic Let's Encrypt certificates, bot detection, rate limiting, and country blocking. Uses Lua for rules and Python for the web interface.

### ModSecurity (9.6k★)

https://github.com/owasp-modsecurity/ModSecurity "ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx."

> ModSecurity is the most widely deployed open-source WAF engine, now maintained by OWASP after Trustwave transferred stewardship in 2024. It provides a robust event-based programming language for HTTP traffic monitoring, logging and real-time analysis. Works with Apache, NGINX, and IIS.

https://owasp.org/blog/2024/01/09/ModSecurity.html

### Coraza (3.4k★)

https://github.com/corazawaf/coraza "OWASP Coraza WAF is a golang modsecurity compatible web application firewall library"

> Coraza is an open source, enterprise-grade, high performance Web Application Firewall (WAF) ready to protect your beloved applications. It is written in Go, supports ModSecurity SecLang rulesets and is 100% compatible with the OWASP Core Rule Set v4.

### SafeLine (20k+★)

https://securitypilgrim.com/top-30-free-open-source-tools/#Web_Application_Firewalls_WAF ➜ lists 3 solutions below
https://github.com/chaitin/SafeLine "A web security gateway, serve as a reverse proxy to protect your websites from attacks and exploits."

### ModSecurity (5.4k★)
> SafeLine is an open-source WAF that uses intelligent semantic analysis to detect web attacks. It works as a reverse proxy and provides a web management interface. Supports HTTPS, HTTP/2, and WebSocket out of the box.

https://github.com/SpiderLabs/ModSecurity "ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx that is developed by Trustwave's SpiderLabs. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analys…"
### CrowdSec (9k+★)

https://owasp.org/blog/2024/01/09/ModSecurity.html
> After serving as its steward for over a decade, [Trustwave](https://www.trustwave.com) has agreed to transfer the reins of the renowned open-source web application firewall (WAF) engine, ModSecurity, to the [Open Worldwide Application Security Project (OWASP)](https://owasp.org). This landmark move promises to inject fresh energy and perspectives into the project, ensuring its continued evolution as a vital line of defense for countless websites worldwide.
https://github.com/crowdsecurity/crowdsec "CrowdSec is a free, modern and collaborative behavior detection engine, coupled with a global IP reputation network."

> CrowdSec is a collaborative security engine that analyzes logs, detects attacks, and shares threat intelligence across its network. It includes WAF capabilities through its AppSec component and integrates with NGINX, HAProxy, Traefik, and other reverse proxies.

### open-appsec (800+★)

https://github.com/openappsec/openappsec "open-appsec is a machine learning based web application firewall (WAF) and API security solution."

### Shadow Daemon (250★)
> open-appsec uses machine learning instead of signatures to detect attacks. It integrates with NGINX, Kong, and Kubernetes Ingress. Preemptively protects against OWASP Top 10 and zero-day attacks without requiring manual rule tuning.

https://github.com/zecure/shadowd "Shadow Daemon is a collection of tools to detect, record and prevent attacks on web applications. Technically speaking, Shadow Daemon is a web application firewall that intercepts requests and filters out malicious parameters. It is a modular system that separates web application, analysis and interface to increase security, flexibility and expandability."
### NAXSI (492★, actively maintained fork)

### NAXSI (4k★)
https://github.com/wargio/naxsi "NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX"

https://github.com/nbs-system/naxsi "NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX"
→ Moved to: https://github.com/wargio/naxsi.git
> NAXSI is a lightweight NGINX WAF module that uses a whitelist approach instead of pattern matching. Originally developed by nbs-system, it is now actively maintained as a community fork. Designed for low maintenance with minimal false positives.

### Videur (dead project)
Note: The original repository was at https://github.com/nbs-system/naxsi.

https://github.com/mozilla/videur "Videur is a Lua library for OpenResty that will automatically parse an API specification file provided by a web server and proxy incoming Nginx requests to that server." Maybe some interesting ideas there.
Discussion here: https://ziade.org/2014/10/24/web-application-firewall/
(Saved at ~/ghq/github.com/mozilla/videur).
### Shadow Daemon (306★, archived)

https://github.com/zecure/shadowd "Shadow Daemon is a collection of tools to detect, record and prevent attacks on web applications."

> Shadow Daemon intercepted requests and filtered out malicious parameters using a modular architecture that separated web application, analysis, and interface components. **Note: This project is archived and no longer maintained (last updated 2022).**

### See also

- https://github.com/libinjection/libinjection ("SQL / SQLI tokenizer parser analyzer")
- https://github.com/sysdig/wafer "Wafer is a simple but effective web application firewall (WAF) fuzzing tool. It is designed to be used as a standalone script, it uses various techniques build payloads which could potentially bypass a WAF."
- https://github.com/bunkerity/bunkerweb "BunkerWeb is a next-generation and open-source Web Application Firewall (WAF)." Based on Nginx + mod_security code base. Uses Lua for the rules and Python for the Web app.
- https://github.com/sysdig/wafer ("Wafer is a simple but effective web application firewall (WAF) fuzzing tool.")

## Commercial solutions

## Not open source
- [Imperva](https://www.imperva.com/) - Cloud WAF (formerly Incapsula)
- [Cloudflare](https://www.cloudflare.com/waf/) - Cloud WAF with free tier
- [Akamai](https://www.akamai.com/products/app-and-api-protector) - App & API Protector
- [AWS WAF](https://aws.amazon.com/waf/) - Native AWS WAF
- [Azure WAF](https://azure.microsoft.com/en-us/products/web-application-firewall) - Native Azure WAF

- https://www.imperva.com/
For a comprehensive comparison of 55+ WAF providers (open source and commercial), see [WAFplanet](https://wafplanet.com/waf/).

## Ressources
## Resources

- "2022 Cloud Web Application Firewall (WAF) CyberRisk Validation Comparative Report"
- https://nishtahir.com/i-looked-through-attacks-in-my-access-logs-heres-what-i-found/
- [WAFplanet - WAF Provider Comparison](https://wafplanet.com/waf/) - Independent comparison of 55+ WAF providers with reviews, head-to-head comparisons, and a CVE database
- [OWASP Web Application Firewall](https://owasp.org/www-community/Web_Application_Firewall) - OWASP community WAF page
- [I looked through attacks in my access logs. Here's what I found](https://nishtahir.com/i-looked-through-attacks-in-my-access-logs-heres-what-i-found/)

<!-- Keywords -->
#firewalls #firewall #owasp
#firewalls #firewall #owasp #waf #security
<!-- /Keywords -->
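Review bot: The WAFplanet link is added twice in this hunk, once as a sentence closing the "Commercial solutions" section ("For a comprehensive comparison of 55+ WAF providers ...") and again as a bullet under "Resources"; keep only the Resources entry so the comparison site is listed once. The blockquote under "Rule Sets" is presented as a quote from coreruleset.org, yet the ModSecurity link inside it is rewritten from modsecurity.org to github.com/owasp-modsecurity/ModSecurity; either drop the `>` so the paragraph reads as the document's own words, or leave the quoted text as the source has it and put the updated link outside the quote. The refreshed star counts in the headings ("BunkerWeb (10.2k★)", "SafeLine (20k+★)", "CrowdSec (9k+★)") mix exact and rounded figures and carry no date, so they will silently go stale; a single "star counts as of <month year>" line under "Open source solutions" would make them verifiable. The new Shadow Daemon note states the project "is archived and no longer maintained (last updated 2022)" and the NAXSI heading calls wargio/naxsi the "actively maintained fork" without linking anything that backs either claim; a link to the archive notice and to the fork's commit history would let a reader check them.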