Which of the following web application threats is not typically mitigated by installing a WAF? (Select the best answer.)
- exploits related to uncloaked error messages
- exploits against known vulnerabilities
- exploits related to directory traversal vulnerabilities
- exploits against unknown vulnerabilities
- exploits related to viruses in file uploads
Of the available choices, exploits against unknown vulnerabilities are not typically mitigated by installing a web application firewall (WAF). A WAF sits between a web application and the end user to protect the application from malicious activity and known vulnerabilities. Installing a WAF therefore makes it possible to protect a vulnerable web application without modifying the application code.
WAFs are not typically capable of protecting a web application against unknown vulnerabilities. They can protect against known or common unpatched web application vulnerabilities by using techniques such as cloaking, which protects against information leakage related to uncloaked error messages; encrypting Uniform Resource Locators (URLs), which protects against exploits related to directory traversal; and checking file uploads for viruses.