2008 Sixth Annual IEEE International Conference on Pervasive Computing and Communications
On the Automated Creation of Understandable Positive Security Models for Web Applications
March 17-March 21
ISBN: 978-0-7695-3113-7
Web applications pose new security-related challenges, since attacks on web applications differ strongly from those on classic client-server applications. Traditional network-based firewall systems offer no protection against this kind of attack, since it takes place at the application level. The current solution is the manual definition of large sets of filtering rules which should prevent malicious attempts from being successful. We propose a new framework which avoids this tedious work. The basic idea is the definition of a description language for positive security models that takes the particularities of web applications into account. We then present adaptive techniques which employ this description language in order to describe the valid communication to a given web application. The simplicity of the description language allows the easy identification of unintentionally incorporated vulnerabilities. Experiments on several real-world web applications demonstrate the usefulness of the proposed approach.
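To make the notion of a positive security model concrete, the following Python sketch is an added example and is not code from the paper; it does not reproduce the authors' description language or their adaptive techniques. It learns an allow-list (endpoint, parameter name, value class) from a constructed set of benign requests, enforces that allow-list against new requests, and renders the learned model as one line per endpoint so a reviewer can read it. The value classes (`integer`, `word`, `text`, `any`) and the training requests are assumptions made for the illustration.

```python
import re
from urllib.parse import urlparse, parse_qsl

# Constructed sample of benign traffic used to learn the model (assumed, not real data).
TRAINING = [
    ("GET", "/search?q=shoes&page=1"),
    ("GET", "/search?q=red+dress&page=2"),
    ("GET", "/item?id=42"),
    ("GET", "/item?id=1337"),
    ("POST", "/login?user=alice&pw=s3cret"),
    ("POST", "/login?user=bob&pw=hunter2"),
]

# Value classes ordered from most to least restrictive (hypothetical choice for this example).
# A value is assigned the first class it matches; "any" is the catch-all.
CLASSES = [
    ("integer", re.compile(r"[0-9]+")),
    ("word", re.compile(r"[A-Za-z0-9_-]+")),
    ("text", re.compile(r"[A-Za-z0-9 _.,'-]+")),
]
RANK = {name: i for i, (name, _) in enumerate(CLASSES)}
RANK["any"] = len(CLASSES)


def classify(value):
    """Return the most restrictive class whose pattern fully matches the value."""
    for name, rx in CLASSES:
        if rx.fullmatch(value):
            return name
    return "any"


def widest(a, b):
    """Widen a parameter's class so it still covers every observed value."""
    if a is None:
        return b
    return a if RANK[a] >= RANK[b] else b


def learn(requests):
    """Build the positive model: {(method, path): {param_name: class}}."""
    model = {}
    for method, url in requests:
        u = urlparse(url)
        params = model.setdefault((method, u.path), {})
        for name, value in parse_qsl(u.query, keep_blank_values=True):
            params[name] = widest(params.get(name), classify(value))
    return model


def check(model, method, url):
    """Allow a request only if endpoint, parameter names and value classes were all seen."""
    u = urlparse(url)
    params = model.get((method, u.path))
    if params is None:
        return (False, f"unknown endpoint {method} {u.path}")
    for name, value in parse_qsl(u.query, keep_blank_values=True):
        if name not in params:
            return (False, f"unexpected parameter {name!r}")
        if RANK[classify(value)] > RANK[params[name]]:
            return (False, f"parameter {name!r} outside class {params[name]}")
    return (True, "ok")


def describe(model):
    """Render the model as one readable line per endpoint."""
    lines = []
    for (method, path), params in sorted(model.items()):
        spec = " ".join(f"{n}:{c}" for n, c in sorted(params.items()))
        lines.append(f"{method} {path} {spec}".rstrip())
    return lines


if __name__ == "__main__":
    model = learn(TRAINING)
    for line in describe(model):
        print(line)
    for req in [("GET", "/item?id=42"), ("GET", "/item?id=42' OR 1=1"),
                ("GET", "/item?id=42&debug=1"), ("GET", "/admin")]:
        print(req, check(model, *req))
```

Reading the rendered model is where the "understandable" part pays off: `q:text` tells a reviewer at a glance that the search parameter admits spaces and apostrophes, which is the kind of unintentionally wide rule worth tightening before deployment. The flip side is visible too: `pw:word` was learned from two samples only, so a legitimate password containing a space is rejected until more traffic widens the class.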
Citation:
Christian Bockermann, Ingo Mierswa, Katharina Morik, "On the Automated Creation of Understandable Positive Security Models for Web Applications," percom, pp.554-559, 2008 Sixth Annual IEEE International Conference on Pervasive Computing and Communications, 2008