Coraza-Based WAF with OWASP CRS for SQL Injection in Multi-Domain Web System
DOI: https://doi.org/10.63158/journalisi.v8i2.1475
Keywords: Web Application Firewall, Coraza, OWASP Core Rule Set, SQL Injection, Nginx, Reverse Proxy
Abstract
This research aims to design and implement a Web Application Firewall (WAF) based on the OWASP Core Rule Set (CRS) to enhance web application protection against SQL Injection attacks. The study was conducted in the web environment of the State Polytechnic of Ujung Pandang, which has more than 80 active subdomains with uniform server configurations, mostly running vulnerable CMSs such as WordPress. The proposed solution integrates Coraza, a Go-based WAF engine, into the Nginx reverse proxy system. The system includes a web-based control panel, JSON-formatted logging, and Redis support for efficient traffic mapping and storage, enabling flexible management of multiple domains. A key contribution of this study is a centralized WAF management approach capable of securing more than 80 subdomains within a unified configuration environment. Tests were carried out using five SQL Injection scenarios: URL parameters, form-data, x-www-form-urlencoded, JSON API, and automated tools such as SQLMap. Without the WAF, all attacks successfully penetrated the system, whereas with the WAF activated, every tested payload, manual and automated, was effectively blocked, indicating a significant improvement in defense capability. These results demonstrate that the developed WAF system provides strong protection against SQL Injection attacks and indicate strong potential for enhancing web application security against such attacks.
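As an added illustration (not code from the paper, from Coraza or from the CRS project), the following Go program shows the decoding step behind the paper's four manual scenarios: the same injected value arrives as a URL parameter, an x-www-form-urlencoded field, a multipart form-data field or a nested JSON string, and a reverse-proxy WAF must decode each body type before any rule can see it. The SQLi pattern is a deliberately simplified stand-in (Coraza with CRS applies libinjection and the full rule set); function names and the `example.test` host are assumptions.

```go
package main

import (
	"encoding/json"
	"mime"
	"net/http"
	"regexp"
)

// Simplified stand-in for CRS SQLi detection (CRS uses libinjection and many
// rules); this single pattern is constructed for the example only.
var sqliPattern = regexp.MustCompile(`(?i)'\s*(or|and)\s+\S+\s*=|union\s+(all\s+)?select|;\s*drop\s+table`)

// flattenJSON collects every string leaf so nested JSON payloads are seen too.
func flattenJSON(v any, out *[]string) {
	switch t := v.(type) {
	case string:
		*out = append(*out, t)
	case map[string]any:
		for _, c := range t { flattenJSON(c, out) }
	case []any:
		for _, c := range t { flattenJSON(c, out) }
	}
}

// ShouldBlock decodes a request the way each scenario carries its payload (query
// string, urlencoded form, multipart form-data, JSON body) and fails closed.
func ShouldBlock(r *http.Request) (bool, error) {
	if err := r.ParseForm(); err != nil { // query string + urlencoded body
		return true, err
	}
	// Multipart fields are merged into r.Form; other types yield ErrNotMultipart.
	if err := r.ParseMultipartForm(1 << 20); err != nil && err != http.ErrNotMultipart {
		return true, err
	}
	var args []string
	for _, vs := range r.Form { args = append(args, vs...) }
	if ct, _, _ := mime.ParseMediaType(r.Header.Get("Content-Type")); ct == "application/json" {
		var doc any
		if err := json.NewDecoder(r.Body).Decode(&doc); err != nil {
			return true, err // undecodable body is blocked, not forwarded
		}
		flattenJSON(doc, &args)
	}
	for _, a := range args {
		if sqliPattern.MatchString(a) {
			return true, nil
		}
	}
	return false, nil
}
```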
Copyright (c) 2026 Journal of Information Systems and Informatics

This work is licensed under a Creative Commons Attribution 4.0 International License.
Authors Declaration
- The Authors certify that they have read, understood, and agreed to the Journal of Information Systems and Informatics (JournalISI) submission guidelines, policies, and submission declaration. The submission has been prepared using the provided template.
- The Authors certify that all authors have approved the publication of this manuscript and that there is no conflict of interest.
- The Authors confirm that the manuscript is their original work, has not received prior publication, is not under consideration for publication elsewhere, and has not been previously published.
- The Authors confirm that all authors listed on the title page have contributed significantly to the work, have read the manuscript, attest to the validity and legitimacy of the data and its interpretation, and agree to its submission.
- The Authors confirm that the manuscript is not copied from or plagiarized from any other published work.
- The Authors declare that the manuscript will not be submitted for publication in any other journal or magazine until a decision is made by the journal editors.
- If the manuscript is finally accepted for publication, the Authors confirm that they will either proceed with publication immediately or withdraw the manuscript in accordance with the journal’s withdrawal policies.
- The Authors agree that, upon publication of the manuscript in this journal, they transfer copyright or assign exclusive rights to the publisher, including commercial rights