New research demonstrates that application-layer cyberattacks often evade the most common tools, Endpoint Detection and Response (EDR) and web application firewalls (WAFs). Contrast Labs spent several weeks testing several attack methods to determine whether WAFs or EDR solutions stop or catch the most damaging software attacks.
The Labs Team began looking into the question because of a reasonable assumption: Attacks that pass through the application layer and execute on the host will always trigger EDR alerts. The research shows EDR misses a lot of the attacks.
WAFs operate at the network perimeter. They struggle to distinguish between inconsequential noise and genuine threats targeting application logic, often overwhelming security teams with alerts for ineffective attacks that a SOC could safely ignore.
EDR solutions, while capable of identifying successful attacks at the endpoint, lack the deep application context required to understand the attack vector and implement targeted remediation. EDRs either don’t detect an application-layer attack at all or only see it much further along in the kill chain, once activity has reached the endpoint, long after the threat has done its damage.
Given these shortcomings, Contrast Application Detection and Response (ADR) emerges as a crucial security layer, offering the granular visibility and contextual understanding needed to effectively identify and respond to the unique security challenges within modern applications.
To test what evades EDR detection or gets lost in a swarm of WAF alerts, researchers tested ADR, EDRs and WAFs by using attack types including:
When we say that ADR is a critical security layer that augments EDRs and WAFs, we don’t expect you to just take our word for it. Below, we cover the experiment design, results and conclusions.
Experiment design
To compare ADR with EDR and WAF tooling, our researchers developed a vulnerable application and an exploitation framework. This ensured that the research team could generate repeatable and comparable results among multiple tools such as EDR, WAF or ADR. The flexibility of the exploitation framework allows for testing of any combination of tools and delivers comparable results.
In some cases, the research team deployed the vulnerable application with several tools at once, as shown in the graphic above. But in other cases, the research team deployed tools independently. Because the exploitation framework has consistent and specific test cases, results from both styles of testing are comparable.
Differing approaches required to test EDR, WAF
When testing ADR against an EDR, the main variable measured was whether or not an alert was created for an exploit of a given vulnerability. This variable was measured so that the research team could see if an EDR tool would be capable of detecting application-layer exploitation. Researchers didn’t restrict tests to application-layer exclusive exploits such as SQL injection; testing also included OS-inclusive exploits such as path traversal and command injection.
When testing ADR against WAFs, researchers took a different approach. Measuring only whether a given exploit created an alert would, in the Security Research team's view, have made WAFs perform artificially well, because a WAF flags a large volume of suspicious-looking traffic, both genuine attacks and benign "noise" such as probes against non-vulnerable pages. Instead, the team measured the volume of signal for a set of traffic that included both effective and ineffective exploits: attacks against vulnerable and non-vulnerable pages, plus directory and parameter fuzzing. This method was chosen because a WAF cannot determine whether an attack was effective and therefore cannot tell whether a test case is a false positive, an important capability when reporting incidents to Security Operations. It also more accurately reflects how WAFs operate in real-world environments, where they often generate a high volume of alerts, many of which are not actual threats.
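The two scoring rules described above (alert-per-exploit for the EDR comparison, total signal volume split by effectiveness for the WAF comparison), as an added Python example; this is not Contrast Labs' exploitation framework, and the request set, page names and tool verdicts are constructed for illustration.

```python
from dataclasses import dataclass
from collections import Counter

@dataclass(frozen=True)
class Request:
    path: str
    attack: str            # "cmdi", "traversal", "sqli" or "fuzz" (directory/parameter fuzzing)
    page_vulnerable: bool  # ground truth taken from the deliberately vulnerable test app

def is_effective(r: Request) -> bool:
    # An exploit only counts as effective when it hits a page that is actually vulnerable to it.
    return r.page_vulnerable and r.attack != "fuzz"

def edr_style_score(requests, alerts):
    """EDR-style metric: did each effective exploit raise at least one alert? Returns (detected, total)."""
    exploits = [r for r in requests if is_effective(r)]
    return sum(1 for r in exploits if alerts[r] > 0), len(exploits)

def waf_style_score(alerts):
    """WAF-style metric: total signal volume, split into effective-exploit events and probe events.
    The split uses the test app's ground truth, not anything the tool itself reports."""
    eff = sum(n for r, n in alerts.items() if is_effective(r))
    probe = sum(n for r, n in alerts.items() if not is_effective(r))
    return {"effective": eff, "probes": probe, "total": eff + probe}

def constructed_traffic():
    # Constructed sample: 2 effective exploits, 3 attacks on non-vulnerable pages, 5 fuzzing requests.
    return [
        Request("/files", "traversal", True),
        Request("/ping", "cmdi", True),
        Request("/login", "sqli", False),
        Request("/search", "cmdi", False),
        Request("/about", "traversal", False),
    ] + [Request(f"/admin{i}", "fuzz", False) for i in range(5)]

def constructed_verdicts(requests):
    # Constructed verdicts: a perimeter tool alerts on everything that looks like an attack (it cannot
    # know which pages are vulnerable); an in-app tool alerts only on exploits that actually succeed.
    perimeter = Counter({r: 1 for r in requests if r.attack != "fuzz" or "admin" in r.path})
    in_app = Counter({r: 1 for r in requests if is_effective(r)})
    return {"perimeter": perimeter, "in_app": in_app}
```

Both tools score 2/2 on the EDR-style metric; only the WAF-style volume metric shows that the perimeter tool's 10 events are 8 probes around 2 real exploits.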
Experiment results
ADR vs EDR testing

ADR vs. WAF testing
Researchers sent 10,459 requests, two of which — command injection and path traversal — are effective exploits against vulnerable pages.
The remainder are ineffective attacks against non-vulnerable pages. Note: Contrast ADR and WAF #2 both found three events on two exploits because of overlapping detections.

*Researchers created an additional 88 probe events.
In the context of the WAF testing, probe events are specifically designated as ineffective attacks within the Contrast platform. These are requests sent to the application that target non-vulnerable pages or use attack payloads that are not expected to be successful against the application's logic.
Think of them as security researchers intentionally sending a lot of "noise" or "test" attacks that shouldn't actually work. The purpose of including these probe events in the WAF testing was to evaluate the WAF's ability to distinguish between this harmless noise and genuine, effective exploits targeting actual vulnerabilities.
Contrast ADR's deep application context enables it to identify probe events as non-exploitative and categorize them separately. This capability allows security teams utilizing ADR to optionally disregard these probes, thereby mitigating alert fatigue and focusing their attention on genuine threats. However, these teams retain the flexibility to analyze these probes should they choose.
Experiment conclusions
In summary, while WAFs and EDR tools are valuable components of a comprehensive security strategy, they fall short in providing truly effective application-layer detection and response. WAFs, operating at the network perimeter, struggle to distinguish between inconsequential noise and genuine threats targeting application logic, often overwhelming security teams with alerts, potentially causing SOC teams to miss alerts on true positives.
Similarly, EDR solutions, though capable of identifying attacks at the endpoint, lack the deep application context required to understand and defend against application attack vectors. EDRs either don’t see an application-layer attack at all or only see it much further along in the kill chain, once activity has progressed onto the host. That can be long after the damage is done. ADR is critical to fill this gap, given that it delivers the granular visibility and contextual understanding needed to effectively identify and respond to the unique security challenges within modern applications.