WAFBOOSTER: Automatic Boosting of WAF Security Against Mutated Malicious Payloads

📅 2025-01-23
🤖 AI Summary
To address obfuscated malicious payloads that evade WAF detection, this paper proposes the first learning-driven, closed-loop framework for WAF vulnerability discovery and automatic repair. Methodologically, it employs a shadow model to approximate the WAF's decision boundary, integrates adversarial payload generation with hierarchical clustering to identify detection blind spots, and synthesizes high-precision, regex-based repair signatures via regular expression synthesis and incremental rule patching. Its key innovation lies in the deep coupling of shadow modeling, clustering-guided payload evolution, and interpretable rule synthesis, enabling precise, zero-false-positive repairs. Experiments on eight real-world WAFs demonstrate that the true rejection rate for obfuscated payloads increases from 21% to 96%, while the false acceptance rate drops by a factor of three compared to state-of-the-art methods, significantly enhancing detection robustness and practical deployability.

📝 Abstract
A web application firewall (WAF) examines malicious traffic to and from a web application via a set of security rules. It plays a significant role in securing web applications against web attacks. However, as web attacks grow in sophistication, it is becoming increasingly difficult for WAFs to block the mutated malicious payloads designed to bypass their defenses. In response to this critical security issue, we have developed a novel learning-based framework called WAFBOOSTER, designed to unveil potential bypasses in WAF detections and suggest rules to fortify their security. Using a combination of shadow models and payload generation techniques, we can identify malicious payloads and remove or modify them as needed. WAFBOOSTER generates signatures for these malicious payloads using advanced clustering and regular expression matching techniques to repair any security gaps we uncover. In our comprehensive evaluation of eight real-world WAFs, WAFBOOSTER improved the true rejection rate of mutated malicious payloads from 21% to 96%, with no false rejections. WAFBOOSTER achieves a false acceptance rate 3X lower than state-of-the-art methods for generating malicious payloads. With WAFBOOSTER, we have taken a step forward in securing web applications against ever-evolving threats.
Problem

Research questions and friction points this paper is trying to address.

Website Application Firewall
Malicious Code Attack
Network Application Security
Innovation

Methods, ideas, or system contributions that make the work stand out.

WAF Enhancement
Malware Detection
Low False Positive Rate
Cong Wu
Wuhan University, China
Jing Chen
Wuhan University, China
Simeng Zhu
The Ohio State University James Cancer Center
Radiation Oncology, Artificial Intelligence, Deep Learning
Wenqi Feng
Wuhan University, China
Ruiying Du
Wuhan University, China
Yang Xiang
Swinburne University of Technology, Australia