Research Article

An Empirical Infrastructure-Level Assessment of Web Application Firewall Deployments Across University Web Domains in Türkiye

Year 2026, Volume: 8 Issue: 1, 44-55, 30.04.2026
https://doi.org/10.46387/bjesr.1844312
https://izlik.org/JA34KP56SC

Abstract

Web application firewalls (WAFs) are a core web-security control in higher education, yet evaluations of them usually rest on algorithmic measures rather than on how they are actually deployed. This study examines WAF deployment across 204 Turkish university web sites using a combined detection methodology that includes both passive and active testing tools. The findings show a clear preference for cloud-based WAFs, Cloudflare in particular, while also exposing significant weaknesses that result from misconfiguration or unchanged default settings. Although a well-configured cloud WAF mitigates common OWASP Top 10 threats effectively, the study highlights the risks of concentrating security in a centralised service, such as service outages and slow responses to zero-day vulnerabilities. To reduce these risks, an adaptive defense-in-depth strategy is proposed that places the WAF within a resilient security framework alongside anomaly detection and host-based controls, offering practical guidance for institutions that want to strengthen their web security with open-source solutions.
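The passive and active detection the abstract refers to can be reproduced in a few dozen lines. The block below is an added example written for this page, not the study's own toolchain: the passive step matches headers a fronting proxy adds to every response, the active step compares a benign request with the same URL carrying an obviously malicious query string, and the verdicts separate a WAF that blocks from a proxy that is merely present (the misconfigured case the abstract describes). Vendor signatures are the publicly documented ones for Cloudflare, Imperva Incapsula, Akamai and F5 BIG-IP ASM; the probe query, the block-status set, the hostnames and every response are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Added example: passive + active WAF fingerprinting over captured responses.
# Vendor signatures are the publicly documented ones; the probe query, the
# block-status set and all sample responses are assumptions.

@dataclass
class HttpResponse:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)  # lower-cased in __post_init__
    body: str = ""

    def __post_init__(self) -> None:
        self.headers = {k.lower(): v for k, v in self.headers.items()}

    def header(self, name: str) -> str:
        return self.headers.get(name.lower(), "")

@dataclass(frozen=True)
class Signature:
    vendor: str
    match: Callable[[HttpResponse], bool]
    block_page: bool = False  # a match by itself means "request refused"

# Headers a fronting proxy adds to every response, plus the F5 ASM block page,
# which is served with HTTP 200 and is only recognisable by its body.
SIGNATURES: List[Signature] = [
    Signature("Cloudflare", lambda r: "cf-ray" in r.headers or r.header("server").lower() == "cloudflare"),
    Signature("Imperva Incapsula", lambda r: "x-iinfo" in r.headers or "incapsula" in r.header("x-cdn").lower()),
    Signature("Akamai", lambda r: "akamaighost" in r.header("server").lower()),
    Signature("F5 BIG-IP ASM", lambda r: "the requested url was rejected" in r.body.lower(), block_page=True),
]
BLOCK_STATUSES = {403, 406, 419, 429, 501, 503}  # codes WAFs commonly answer with (assumed set)
# SQLi + XSS pattern nearly every signature rule set matches; appended to a URL that is 200 without it.
PROBE_QUERY = "q=%27%20OR%201%3D1--%20%3Cscript%3Ealert%281%29%3C%2Fscript%3E"

def passive_fingerprint(resp: HttpResponse) -> List[str]:
    """Vendors whose passive signature appears in one response."""
    return sorted({s.vendor for s in SIGNATURES if s.match(resp)})

def looks_blocked(resp: HttpResponse) -> bool:
    """Refused either by status code or by a recognised block page."""
    return resp.status in BLOCK_STATUSES or any(s.block_page and s.match(resp) for s in SIGNATURES)

def active_verdict(benign: HttpResponse, probe: HttpResponse) -> Tuple[str, List[str]]:
    """Classify one host from its benign response and its response to the same URL with
    PROBE_QUERY appended.  'waf_present_not_blocking' is the misconfigured case: a vendor
    proxy is in front of the site but the payload reaches the origin (rules off or log-only).
    'indeterminate' means the benign request was refused too, so nothing can be concluded."""
    vendors = sorted(set(passive_fingerprint(benign)) | set(passive_fingerprint(probe)))
    if looks_blocked(benign):
        return ("indeterminate", vendors)
    if looks_blocked(probe):
        return ("waf_blocking", vendors or ["unknown"])
    if vendors:
        return ("waf_present_not_blocking", vendors)
    return ("no_waf_detected", [])

# Constructed (benign, probe) capture pairs; hostnames and responses are not real measurements.
OK = "<html>ok</html>"
SAMPLES: Dict[str, Tuple[HttpResponse, HttpResponse]] = {
    "cf-enforcing.example": (
        HttpResponse(200, {"Server": "cloudflare", "CF-RAY": "8a1b2c3d4e5f6789-IST"}, OK),
        HttpResponse(403, {"Server": "cloudflare", "CF-RAY": "8a1b2c3d4e5f6790-IST"}, "Sorry, you have been blocked")),
    "cf-passthrough.example": (  # proxied, but the payload reaches the origin unfiltered
        HttpResponse(200, {"Server": "cloudflare", "CF-RAY": "8a1b2c3d4e5f6791-IST"}, OK),
        HttpResponse(200, {"Server": "cloudflare", "CF-RAY": "8a1b2c3d4e5f6792-IST"}, "results for ' OR 1=1--")),
    "f5-blockpage.example": (  # refused with a 200 block page, so status alone would miss it
        HttpResponse(200, {"Server": "BigIP"}, OK),
        HttpResponse(200, {"Server": "BigIP"}, "The requested URL was rejected. Please consult with your administrator.")),
    "generic-403.example": (  # something blocks the probe but nothing says what
        HttpResponse(200, {"Server": "nginx"}, OK),
        HttpResponse(403, {"Server": "nginx"}, "403 Forbidden")),
    "no-waf.example": (
        HttpResponse(200, {"Server": "Apache"}, OK),
        HttpResponse(200, {"Server": "Apache"}, "results for ' OR 1=1--")),
    "allowlisted.example": (  # origin refuses everything from the scanner's address
        HttpResponse(403, {"Server": "nginx"}, "403 Forbidden"),
        HttpResponse(403, {"Server": "nginx"}, "403 Forbidden")),
}

def run_samples() -> Dict[str, Tuple[str, List[str]]]:
    return {host: active_verdict(b, p) for host, (b, p) in SAMPLES.items()}

def summarise(results: Dict[str, Tuple[str, List[str]]]) -> Dict[str, int]:
    """Hosts per verdict: the aggregate an infrastructure-level assessment reports."""
    counts: Dict[str, int] = {}
    for verdict, _ in results.values():
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts

if __name__ == "__main__":
    res = run_samples()
    for host, (verdict, vendors) in res.items():
        print(f"{host:24} {verdict:26} {', '.join(vendors) or '-'}")
    print(summarise(res))
```

In a live assessment the two responses per host would come from an HTTP client rather than the constructed table, and the active probe should only be sent to domains the assessor is authorised to test. Two caveats the sample table encodes: a Cloudflare-fronted site is not necessarily protected (the proxy can be on with managed rules off), and a block is not always a non-2xx status, so a header-only or status-only check undercounts both the "present but not blocking" and the "blocking" cases.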

References

  • H. Asghar, Z. Anwar, and K. Latif, “A deliberately insecure RDF-based Semantic Web application framework for teaching SPARQL/SPARUL injection attacks and defense mechanisms,” Computers & Security, vol. 58, pp. 63–82, 2016.
  • M. Prince, “Cloudflare outage on November 18, 2025,” Cloudflare Blog, Nov. 18, 2025. [Online]. Available: https://blog.cloudflare.com/18-november-2025-outage/
  • NIST National Vulnerability Database, “CVE-2025-55182: Pre-authentication remote code execution vulnerability in React Server Components,” NVD, Dec. 03, 2025. [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2025-55182/
  • KeygraphHQ, “Achieving 96.15% success on a hint-free, source-aware XBOW benchmark,” Shannon Lite Project Documentation, GitHub repository: KeygraphHQ/shannon, 2025. [Online]. Available: https://github.com/KeygraphHQ/shannon
  • A. Barth, C. Jackson, and J. C. Mitchell, “Robust defenses for cross-site request forgery,” in Proceedings of the 15th ACM Conference on Computer and Communications Security, Chicago, IL, USA, pp. 75–88, Oct. 2008.
  • A. Makiou, Y. Begriche, and A. Serhrouchni, “Improving Web Application Firewalls to detect advanced SQL injection attacks,” in 2014 10th International Conference on Information Assurance and Security, Okinawa, Japan, pp. 35–40, Nov. 2014.
  • G. Argyros, I. Stais, A. Kiayias, and A. D. Keromytis, “Back in black: towards formal, black box analysis of sanitizers and filters,” in 2016 IEEE Symposium on Security and Privacy (SP), San Jose, CA, USA, pp. 91–109, May 2016.
  • C. Torrano-Gimenez, H. T. Nguyen, G. Alvarez, and K. Franke, “Combining expert knowledge with automatic feature extraction for reliable web attack detection,” Security and Communication Networks, vol. 8, no. 16, pp. 2750–2767, 2015.
  • A. M. Vartouni, S. S. Kashi, and M. Teshnehlab, “An anomaly detection method to detect web attacks using stacked auto-encoder,” in 2018 6th Iranian Joint Congress on Fuzzy and Intelligent Systems (CFIS), Tehran, Iran, pp. 131–134, Feb. 2018.
  • A. Moradi Vartouni, M. Teshnehlab, and S. Sedighian Kashi, “Leveraging deep neural networks for anomaly-based web application firewall,” IET Information Security, vol. 13, no. 4, pp. 352–361, 2019.
  • M. Ito and H. Iyatomi, “Web application firewall using character-level convolutional neural network,” in 2018 IEEE 14th International Colloquium on Signal Processing & Its Applications (CSPA), Penang, Malaysia, pp. 103–106, Mar. 2018.
  • I. Kotenko, O. Lauta, K. Kribel, and I. Saenko, “LSTM neural networks for detecting anomalies caused by web application cyber attacks,” in New Trends in Intelligent Software Methodologies, Tools and Techniques, pp. 127–140. Amsterdam, The Netherlands: IOS Press, 2021.
  • S. Toprak and A. G. Yavuz, “Web application firewall based on anomaly detection using deep learning,” Acta Infologica, vol. 6, no. 2, pp. 219–244, 2022.
  • A. Tekerek and O. F. Bay, “Design and implementation of an artificial intelligence-based web application firewall model,” Neural Network World, no. 4, 2019.
  • H. Gu, J. Zhang, T. Liu, M. Hu, J. Zhou, T. Wei, and M. Chen, “DIAVA: a traffic-based framework for detection of SQL injection attacks and vulnerability analysis of leaked data,” IEEE Transactions on Reliability, vol. 69, no. 1, pp. 188–202, 2019.
  • A. Shaheed and M. B. Kurdy, “Web application firewall using machine learning and features engineering,” Security and Communication Networks, vol. 2022, no. 1, Art. no. 5280158, 2022.
  • J. Á. Román-Gallego, M. L. Pérez-Delgado, M. L. Viñuela, and M. C. Vega-Hernández, “Artificial Intelligence Web Application Firewall for advanced detection of web injection attacks,” Expert Systems, vol. 42, no. 1, Art. no. e13505, 2025.
  • T. Liu, Y. Qi, L. Shi, and J. Yan, “Locate-Then-Detect: real-time web attack detection via attention-based deep neural networks,” in Proceedings of the International Joint Conference on Artificial Intelligence (IJCAI), Macao, China, pp. 4725–4731, Aug. 2019.
  • J. Yang, Y. Wu, Y. Yuan, H. Xue, S. Bourouis, M. Abdel-Salam, et al., “LLM-AE-MP: web attack detection using a large language model with autoencoder and multilayer perceptron,” Expert Systems with Applications, vol. 274, Art. no. 126982, 2025.
  • L. Demetrio, A. Valenza, G. Costa, and G. Lagorio, “WAF-A-MoLE: evading web application firewalls through adversarial machine learning,” in Proceedings of the 35th Annual ACM Symposium on Applied Computing, Brno, Czech Republic, pp. 1745–1752, Mar. 2020.
  • A. Valenza, L. Demetrio, G. Costa, and G. Lagorio, “WAF-A-MoLE: an adversarial tool for assessing ML-based WAFs,” SoftwareX, vol. 11, Art. no. 100367, 2020.
  • B. Garn, D. S. Lang, M. Leithner, D. R. Kuhn, R. Kacker, and D. E. Simos, “Combinatorially XSSing web application firewalls,” in 2021 IEEE International Conference on Software Testing, Verification and Validation Workshops (ICSTW), Porto, Portugal, pp. 85–94, Apr. 2021.
  • M. Amouei, M. Rezvani, and M. Fateh, “RAT: reinforcement-learning-driven and adaptive testing for vulnerability discovery in web application firewalls,” IEEE Transactions on Dependable and Secure Computing, vol. 19, no. 5, pp. 3371–3386, 2021.
  • H. Liang, X. Li, D. Xiao, J. Liu, Y. Zhou, A. Wang, and J. Li, “Generative pre-trained transformer-based reinforcement learning for testing web application firewalls,” IEEE Transactions on Dependable and Secure Computing, vol. 21, no. 1, pp. 309–324, 2023.
  • Z. Qu, X. Ling, T. Wang, X. Chen, S. Ji, and C. Wu, “AdvSQLi: generating adversarial SQL injections against real-world WAF-as-a-service,” IEEE Transactions on Information Forensics and Security, vol. 19, pp. 2623–2638, 2024.
  • D. Appelt, C. D. Nguyen, A. Panichella, and L. C. Briand, “A machine-learning-driven evolutionary approach for testing web application firewalls,” IEEE Transactions on Reliability, vol. 67, no. 3, pp. 733–757, 2018.
  • M. Sepczuk, “Dynamic web application firewall detection supported by cyber mimic defense approach,” Journal of Network and Computer Applications, vol. 213, Art. no. 103596, 2023.

There are 27 references in total.

Details

Primary Language English
Subjects Cybersecurity and Privacy (Other)
Section Research Article
Authors

Hüseyin Parmaksız 0000-0001-8455-5625

Submission Date 18 December 2025
Acceptance Date 9 February 2026
Publication Date 30 April 2026
DOI https://doi.org/10.46387/bjesr.1844312
IZ https://izlik.org/JA34KP56SC
Published in Issue Year 2026 Volume: 8 Issue: 1

How to Cite

APA Parmaksız, H. (2026). An Empirical Infrastructure-Level Assessment of Web Application Firewall Deployments Across University Web Domains in Türkiye. Mühendislik Bilimleri ve Araştırmaları Dergisi, 8(1), 44-55. https://doi.org/10.46387/bjesr.1844312
AMA 1. Parmaksız H. An Empirical Infrastructure-Level Assessment of Web Application Firewall Deployments Across University Web Domains in Türkiye. Müh.Bil.ve Araş.Dergisi. 2026;8(1):44-55. doi:10.46387/bjesr.1844312
Chicago Parmaksız, Hüseyin. 2026. “An Empirical Infrastructure-Level Assessment of Web Application Firewall Deployments Across University Web Domains in Türkiye”. Mühendislik Bilimleri ve Araştırmaları Dergisi 8 (1): 44-55. https://doi.org/10.46387/bjesr.1844312.
EndNote Parmaksız H (01 April 2026) An Empirical Infrastructure-Level Assessment of Web Application Firewall Deployments Across University Web Domains in Türkiye. Mühendislik Bilimleri ve Araştırmaları Dergisi 8 1 44–55.
IEEE [1] H. Parmaksız, “An Empirical Infrastructure-Level Assessment of Web Application Firewall Deployments Across University Web Domains in Türkiye”, Müh.Bil.ve Araş.Dergisi, vol. 8, no. 1, pp. 44–55, Apr. 2026, doi: 10.46387/bjesr.1844312.
ISNAD Parmaksız, Hüseyin. “An Empirical Infrastructure-Level Assessment of Web Application Firewall Deployments Across University Web Domains in Türkiye”. Mühendislik Bilimleri ve Araştırmaları Dergisi 8/1 (01 April 2026): 44-55. https://doi.org/10.46387/bjesr.1844312.
JAMA 1. Parmaksız H. An Empirical Infrastructure-Level Assessment of Web Application Firewall Deployments Across University Web Domains in Türkiye. Müh.Bil.ve Araş.Dergisi. 2026;8:44–55.
MLA Parmaksız, Hüseyin. “An Empirical Infrastructure-Level Assessment of Web Application Firewall Deployments Across University Web Domains in Türkiye”. Mühendislik Bilimleri ve Araştırmaları Dergisi, vol. 8, no. 1, April 2026, pp. 44-55, doi:10.46387/bjesr.1844312.
Vancouver 1. Hüseyin Parmaksız. An Empirical Infrastructure-Level Assessment of Web Application Firewall Deployments Across University Web Domains in Türkiye. Müh.Bil.ve Araş.Dergisi. 01 April 2026;8(1):44-55. doi:10.46387/bjesr.1844312