Web attacks are one of the most concern these days. Vulnerable applications require protection, which can be provided through web application firewalls (WAF) and web intrusion detection systems (WIDS). Some of them are signature based and some detect / protect through anomaly detection. Various commercial solutions have been offered by vendors like CISCO ACE application firewall, Barracuda application firewall etc. Open source community has also contributed some formidable solutions like ModSecurity, PHPIDS, Ironbee, WebKnight and Snort etc. No solution has yet proven to be the silver bullet and this area is still a subject of active research. Inability to detect any novel attack has been the common weakness and has lead to various techniques being proposed for identifying zero-day attacks. In this paper, we analyze various commercial and open source web application protection solutions and make comparative analyses of their strengths andweaknesses, identifying any areas that still need attention of the research community.