Web application firewall (WAF)
Utilizing Web Application Firewalls for Enhanced Security
While web application firewalls (WAFs) have long played — and continue to play — a key role in defending applications in production, they are far from perfect, especially against novel threats and zero-day exploits. Organizations can significantly improve their security posture at the application level by implementing Contrast Application Detection and Response (ADR).
What is a web application firewall (WAF)?
A WAF is a network defense that filters, monitors and blocks HTTP(S) traffic to and from a web application. Unlike a conventional network firewall, which filters on addresses, ports and protocols, a WAF inspects traffic at the application layer (HTTP methods, paths, headers, parameters and bodies) and allows or blocks each request based on what is visible on the wire. A WAF typically performs Transport Layer Security (TLS, historically SSL) termination so that it can inspect decrypted requests for known attack patterns or for volumetric anomalies such as request floods. Organizations often deploy WAFs to detect and block known threats, but WAFs alone cannot protect modern applications from exploitation.
What are some types of web application firewalls (WAF)?
WAFs come in several forms: a network appliance, a host-based module or plugin on the web server or reverse proxy, a filter embedded in the application stack, or a managed service from a cloud or CDN provider. Any of them can be customized to a specific application, but that customization is significant work and must be maintained as the application changes. The ideal solution is one that provides continuous visibility, application intelligence and very rapid response.
Benefits of a web application firewall (WAF)
By adding a WAF, an organization can proactively address threats, hackers, bots and vulnerabilities that can lead to expensive attacks. WAFs act as a shield at the perimeter, inspecting incoming traffic for malicious payloads associated with known attack patterns.
They offer several advantages:
- Ease of deployment: A WAF sits in front of an existing application without changes to its code, and vendor or community rule sets provide a baseline out of the box (tuning those rules to the application is a separate, ongoing effort).
- Perimeter defense: Positioned at the network or cloud edge, WAFs can rate-limit requests, filter bots and block known bad actors, and they absorb application-layer (HTTP) flooding; volumetric Distributed Denial of Service (DDoS) traffic is usually handled upstream by a CDN or scrubbing service.
- Centralized management: Security teams can manage WAF rules from a central location, simplifying security policy enforcement.
- Protection from common attacks: WAFs are designed to block common attacks like SQL injection and cross-site scripting (XSS) by identifying known attack signatures.
WAFs and compliance standards
Many legal guidelines and industry frameworks, NIST CSF 2.0 among them, do not mandate WAFs or any other specific technology. PCI DSS v4.0 is the notable exception: Requirement 6.4.2 calls for an automated technical solution that continually detects and prevents web-based attacks against public-facing web applications, which in practice means a WAF, and it is one of the future-dated requirements that become mandatory on March 31, 2025, along with authenticated internal vulnerability scans (Requirement 11.3.1.2) and other new controls.
Are there disadvantages of a web application firewall (WAF)?
Rule-based WAFs must be configured and tuned before they provide meaningful protection, and the rules must be revisited as the application and the organization change.
Other key limitations to note with WAFs:
- Limited context: A WAF sees only the request (and possibly the response) as it crosses the network, not how the application will use that data, so attacks that exploit application logic flaws look like ordinary traffic to it.
- False positives: Due to the inherent nature of signature detection, WAFs can generate false positives, blocking legitimate traffic and disrupting application functionality.
- Vulnerable to zero-day attacks: WAFs are ineffective against new and unknown vulnerabilities (i.e., zero days) until their signatures are added to the WAF rule set.
- Ineffective security operations center (SOC) integration: Even when organizations have WAFs in place, they often fail to configure them to feed detailed application-level information to their SOC.
A WAF can watch data as it crosses the network, but its architecture gives it no view of how the application actually uses that data. It therefore raises the same alarm for every attack attempt, whether or not the targeted code path exists or is reachable, and cannot prioritize the attempts that would actually succeed. SOC teams end up investigating alerts that are not relevant, and the rule set needs constant manual or automatic tuning to keep the noise down. Success depends on information that WAFs simply do not have.
WAFs primarily analyze the content of incoming requests. They might spot an unusually structured data payload, but they often lack the context to understand how an application will process that data during deserialization. This means attacks that exploit application logic flaws in the deserialization process can slip through a WAF’s defenses.
There’s a similar dynamic at play with zero-day attacks. Until specific signatures are released, WAFs have little chance of stopping zero-day exploits like Log4Shell attacks.
Benefits of supplementing a WAF with Contrast ADR
By combining WAF and ADR, organizations can achieve a more comprehensive and future-proof Application Security (AppSec) posture, significantly reducing the risk of successful cyberattacks.
This layered approach offers several benefits:
- Comprehensive security: Addresses a wider range of threats, including known and unknown vulnerabilities.
- Reduced risk: Minimizes the attack surface and potential damage from breaches.
- Improved efficiency: The WAF can be tuned to block well-known, high-confidence attack patterns at the edge and pass everything else through quickly, leaving the more complex cases to ADR. ADR spends less effort on those cases because it observes what the application actually does with the request rather than estimating, as a WAF must, whether a pattern in the payload is dangerous.
ADR technology in particular is especially beneficial for protecting applications in production because it works within the application itself. This approach offers several key advantages:
- Deep application visibility: ADR provides insight into code execution and data flow, offering a level of visibility that perimeter solutions simply cannot match.
- Context-aware detection: By understanding the application's behavior, ADR can more accurately distinguish between legitimate actions and genuine threats, significantly reducing false positives.
- Zero-day vulnerability protection: ADR's deep application insight allows it to detect and respond to novel attack patterns, providing better protection against zero-day vulnerabilities.
- Defense-in-depth for WAF bypass: ADR serves as a crucial second line of defense, capable of detecting threats that have successfully bypassed WAF protections.
- Rich, actionable intelligence: ADR can provide detailed, context-rich information about application-level threats directly to SOC teams, closing the visibility gap and enabling more effective threat response.
By implementing ADR, organizations can fill this critical gap in their security posture that WAFs don’t cover, gaining the ability to detect and respond to sophisticated application-level threats that existing solutions might miss. Contrast Security employs innovative ADR technology to detect and prevent attacks like zero-day exploits at multiple stages.
How Contrast ADR addresses threats that WAFs miss
WAF bypasses are techniques attackers use to render WAF security controls ineffective. These include methods to sneak malicious payloads past the WAF's signature-based protections, or outright avoidance of the WAF entry point to the application.
To get a sense of how Contrast ADR supplements WAFs, consider an attack against the infamous Log4Shell vulnerability (CVE-2021-44228), which affects the common Java logging framework Log4j. As the following overview shows, attacks against the Log4Shell vulnerability can be obfuscated, making them hard to detect through simple pattern matching of network-level protections.
- The attack begins when a malicious actor sends a specially crafted request to a vulnerable application, for example with a Java Naming and Directory Interface (JNDI) lookup string of the form ${jndi:...} in a header that the application logs.
- When an affected Log4j version logs that string, its message lookup feature expands the ${jndi:...} expression instead of treating it as plain text. The expansion performs a JNDI lookup, so the application connects to the attacker-controlled Lightweight Directory Access Protocol (LDAP) server named in the string.
- In the variant described here, the attacker's LDAP server answers with a JNDI reference whose object factory (a class already on the application's classpath) evaluates an Expression Language (EL) payload; the better-known variant instead points at a remote Java class for the application to load. Because the JNDI client instantiates that factory while handling the response, the attacker's EL expression is evaluated inside the application.
- The EL expression carries the attacker's code: typically it spawns a process to download and run a second stage, exfiltrates data, or establishes a backdoor.
- As the EL interpreter evaluates the injected expression, the attacker's code runs within the vulnerable application, giving the attacker a foothold with the same privileges as the application process.
When Contrast ADR is in place, attacks targeting the same vulnerability that a WAF may miss are more effectively addressed. For example, here’s a high-level overview of how Contrast ADR addresses an attack targeting the Log4Shell vulnerability:
- Contrast Runtime Security identifies the malicious JNDI lookup attempt by enhancing the security settings of the Java Virtual Machine (JVM) to prevent abuse of JNDI capabilities.
- Contrast Runtime Security identifies EL injection attempts and protects against them by enhancing the JVM's security settings to prevent abuse of the JVM's EL processor capabilities.
- In the unlikely event that malicious code is loaded, the Contrast Runtime Security Platform utilizes command injection protection and process hardening to prevent attacker payloads from reaching sensitive application programming interfaces (APIs).
For an additional example of attacks that WAFs miss but Contrast ADR addresses, check out our white paper on The Case for Application Detection and Response (ADR). In it, Jeff Williams, Founder and CTO of Contrast Security, highlights how ADR addresses unsafe deserialization attacks that WAFs too frequently miss.
By understanding the anatomy of modern attacks and leveraging cutting-edge ADR solutions, organizations can significantly enhance their security posture, minimize risk and stay ahead of emerging threats. As a security decision-maker, investing in ADR technology is not just a security measure — it's a strategic imperative for safeguarding your organization's digital assets in today's threat landscape.