Where Do Web Application Firewalls (WAFs) Fail?

January 27, 2020 By Jayant Shukla, CTO & Co-Founder

Some of the highest profile breaches over the past few years were due to vulnerabilities in web applications.

Web application firewalls (WAFs) and application vulnerability management (AVM) are the two central pillars of web application protection. Application vulnerability management, via static, dynamic and interactive application security testing, is used to detect and mitigate vulnerabilities in an application before it is deployed to production. Not all vulnerabilities in an application can be detected in the testing phase before deployment, so in production the onus for protecting web applications against attacks rests mostly on the WAF.

In the light of these high-profile breaches, the question arises of where and why WAFs fail, and what an enterprise can do to improve its security posture against advanced attacks.

To understand some of the fundamental limitations of WAFs, let’s examine one such breach which happened at Equifax.

Equifax (Remote Code Execution Attack):

A critical Apache Struts vulnerability (CVE-2017-5638) was discovered and fixed two months before the Equifax attack. The assertion is that Equifax failed to update its software, and the attacker was able to exploit the vulnerability in the Struts 2 Object-Graph Navigation Language (OGNL) runtime to execute code remotely on Equifax servers and gain unauthorized access. At K2, we ran the exploit against a vulnerable Struts application to execute the “ls” command on the server.

Below is the content sent to the vulnerable server, which processes OGNL expressions sent as multipart form data and executes the command contained in it (shown in red).

In order for the WAF to detect that incoming content will result in command execution, it must decode and parse the content and match it against a known pattern. This approach has two problems: A) the WAF must know the pattern ahead of time, and B) it must have sufficient compute resources to match the known patterns (N) against the incoming data (M), which has a computational cost of ~O(NM). In the case of the exploitation of the Struts 2 vulnerability, the pattern was not known and the WAF missed the attack. We therefore expect remote code execution attacks to remain one of the most dangerous categories of attacks that WAFs will not be able to adequately defend against.
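As an added illustration (not K2's code, and not the exploit itself), the toy signature check below applies the two requirements just described: it decodes each request line before matching, and runs every one of its N signatures over the M bytes of input, so an expression form that is absent from its signature list passes through untouched. The signatures, header lines and the placeholder expression are all constructed for this example.

```python
"""Toy signature-matching WAF check (constructed example, not K2's code)."""
import re
from urllib.parse import unquote

# What the WAF "knows ahead of time": N regexes for OGNL-style expression
# markers that have no business in a Content-Type header. The actual
# CVE-2017-5638 expression is not reproduced; a placeholder stands in for it.
SIGNATURES = {
    "ognl-percent-brace": re.compile(r"%\{[^}]*\}"),
    "ognl-dollar-brace": re.compile(r"\$\{[^}]*\}"),
}

def decode(text, max_rounds=3):
    """Undo URL encoding before matching. Repeat a bounded number of times,
    because one pass does not unwrap double-encoded input."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def inspect(request_lines, signatures=SIGNATURES):
    """Return (line_no, signature_name) for every hit. Each of the N
    signatures runs over every decoded line of the M bytes of request,
    which is the ~O(NM) cost referred to above."""
    hits = []
    for line_no, line in enumerate(request_lines, 1):
        text = decode(line)
        for name, pattern in signatures.items():
            if pattern.search(text):
                hits.append((line_no, name))
    return hits

# Constructed sample requests (header lines only).
BENIGN = ["POST /upload HTTP/1.1", "Host: app.example",
          "Content-Type: multipart/form-data; boundary=----abc123"]
KNOWN = ["POST /upload HTTP/1.1", "Host: app.example",
         "Content-Type: %{constructed_expression}"]
ENCODED = ["POST /upload HTTP/1.1", "Host: app.example",
           "Content-Type: %25%7Bconstructed_expression%7D"]
UNKNOWN = ["POST /upload HTTP/1.1", "Host: app.example",
           "Content-Type: #[constructed_expression]"]  # hypothetical syntax

if __name__ == "__main__":
    for label, req in [("benign", BENIGN), ("known", KNOWN),
                       ("encoded", ENCODED), ("unknown", UNKNOWN)]:
        print(f"{label:8s} -> {inspect(req) or 'no hit (passes the WAF)'}")
```

The encoded request is caught only because `decode` runs first, and the request using the hypothetical `#[...]` syntax is never flagged, regardless of how much compute the matcher has.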


The increasing sophistication of attacks on web applications is outpacing the capabilities of WAFs. These attacks exploit nuances of modern web applications and cloud infrastructure that WAFs cannot easily understand or detect with a pattern-matching approach. A new approach is required to defend against these attacks; it must go beyond pattern matching and be aware of application execution in order to differentiate the legitimate actions of the application from attacks.

If you’re relying on a WAF to secure your web infrastructure, you should evaluate K2 Cyber Security’s next-generation workload protection platform, which offers application execution validation as part of our security offering. K2’s easy-to-deploy, non-invasive agent installs in minutes and uses a deterministic technique, Optimized Control Flow Integrity (OCFI), to automatically create a DNA map of each application at runtime; that map is used to determine that your application is executing correctly, offering extremely accurate attack detection that eliminates false alerts.

If you’re looking for an application security solution that meets today’s needs for security, with true zero-day attack detection and no false alerts, you can request a demo or follow up from our sales team.
