There is the Varnish Security Firewall project, but you can do something really simple in your VCL to protect your application:
Send a 403 to requests that contain any of the following characters in the URL: ", ', <, >, ( and ). Place this in vcl_recv:
    if (req.url ~ "[\x27<>()\x22]") {
        return (synth(403, "Forbidden"));
    }
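To confirm the rule behaves as intended before deploying it, it can be exercised with a varnishtest case. This is an added example, not part of the original text; the names s1, v1, c1, c2 and the sample URLs are constructed for illustration.

```vtc
varnishtest "403 for URLs containing quote, angle bracket or parenthesis characters"

# Mock backend: it should only ever see the one allowed request.
server s1 {
    rxreq
    txresp -status 200
} -start

varnish v1 -vcl+backend {
    sub vcl_recv {
        # Rule from the text above: \x27 is ' and \x22 is "
        if (req.url ~ "[\x27<>()\x22]") {
            return (synth(403, "Forbidden"));
        }
    }
} -start

# A URL without any of the listed characters reaches the backend.
client c1 {
    txreq -url "/index.html?page=2"
    rxresp
    expect resp.status == 200
} -run

# Constructed URLs, each containing one class of the listed characters,
# are answered by Varnish itself and never reach s1.
client c2 {
    txreq -url "/search?q=<b>"
    rxresp
    expect resp.status == 403

    txreq -url "/item?name=o'brien"
    rxresp
    expect resp.status == 403

    txreq -url "/calc?expr=(1)"
    rxresp
    expect resp.status == 403
} -run
```

Save it as a .vtc file and run it with varnishtest; the test fails if any expect line does not hold or if s1 receives an unexpected request.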