RSS

The WAF blocked the obvious. Here is what it missed

gagancm1 pts0 comments

The WAF blocked the obvious. Here is what it missed. · Arcis Blog

A WAF lives at the network edge and matches patterns against raw HTTP. Inside the application, the same request looks different. Parsed JSON, normalized cookies, framework-specific shapes. The gap between the two views is where 2026 attacks live.

The takeaways.

A WAF matches patterns against raw HTTP bytes. By the time the request reaches your handler, the data has been parsed, normalized, and type-coerced into something the WAF cannot see.

Three classes of information only the inside knows: post-parsing semantics, route/handler context, and framework-specific risk shapes.

The 2026 trend pushing more attack surface inside the boundary: structured data on the wire, agent-shaped requests, and the explosion of framework adapters.

The WAF is not retired. It is the first of two layers, not the whole defense.

The first time someone showed me a WAF rule that "blocks SQL injection," I was impressed. The rule matched UNION SELECT and a dozen variants. It was case-insensitive. It even decoded a few layers of URL encoding before matching. From the outside, that looks like protection.

Then they showed me the production traffic. Real attackers do not send UNION SELECT. They send something that decodes to UNION SELECT after seven layers of transformation that depend on which framework parses the request, which database driver builds the query, and which middleware ran in between. The WAF saw the raw bytes. It never saw the string the database eventually parsed.

That gap is the story of modern web security. A WAF guards the outside boundary. The attacks that matter in 2026 happen inside it.

What a WAF actually sees

A web application firewall lives at the network edge. Cloudflare, AWS WAF, NGINX with ModSecurity. Take your pick. They all share a constraint: they inspect the HTTP request as it arrives, before any application code touches it.

The request they see is a sequence of bytes. URL-encoded query string. Maybe percent-encoded body. Cookies as a flat string. Headers in their wire format. The WAF has rules. The rules match patterns. If a pattern matches, the request is blocked or flagged. If not, it goes through.

This works well for a class of attacks. If someone literally types '; DROP TABLE users; -- into a URL parameter and your WAF has a SQL pattern that catches it, you blocked something useful. The problem is that this class is shrinking.

The same request, two different views

Consider a JSON POST body. The WAF sees:

POST /api/users HTTP/1.1<br>Content-Type: application/json<br>Content-Length: 87

{"name":"Alice","email":"alice@example.com","role":"user","verified":false}

The WAF runs its pattern matchers against those exact bytes. Maybe it tries to JSON-decode them. Maybe it does not. Either way, by the time the request reaches your Express handler, the same data looks like this:

req.body = {<br>name: 'Alice',<br>email: 'alice@example.com',<br>role: 'user',<br>verified: false

If the attacker changed the body to include an unexpected field, say "isAdmin": true, the WAF saw a JSON blob with a key that looks innocent. Inside the app, that key gets mass-assigned to a user model that quietly grants admin rights, because nothing in your handler told it which fields are safe to accept. The WAF cannot help here. It does not know which fields your User model has. It does not know that isAdmin is a privileged field. It saw bytes.

This is the shape of every modern bypass. The WAF and the application see the same request differently, and the attacker only needs to live in the seam.

The Log4Shell precedent. When CVE-2021-44228 dropped in December 2021, every major WAF shipped a rule matching ${jndi:ldap://} within hours. Within days, attackers were sending payloads with nested expressions like ${${lower:j}ndi:${lower:l}dap://} that the Log4j lookup resolver happily interpreted but the WAF regex did not. Cloudflare, AWS, and Akamai all shipped a second wave of rules within a week. The pattern repeats with every parser-aware attack: the WAF can only match what it has been taught. The attacker has the parser, and the parser is more powerful than the matcher.

Three things only the inside knows

The view from inside the app has information a WAF structurally cannot have. Three categories.

Post-parsing semantics. By the time your handler runs, the request body has been decoded, normalized, type-coerced, and bound to your model layer. The WAF saw bytes; you have objects. A nested object inside a JSON body, deeply percent-encoded, perhaps containing MongoDB query operators, is hard to pattern-match at the edge. Inside the app, it is a dictionary. You can walk it and reason about it.

Route and handler context. The same URL /api/profile means one thing for a GET (read your profile) and another for a PATCH (update it). The same JSON body is safe for one and dangerous for the other. A WAF rule that fires on every JSON body has no way to express "this field is...

request inside json body bytes handler

Related Articles

It's Not Just X. It's Y

mooreds21 ptslanguage model writing like grammarly human

Amazon, Facebook, FBI have access to a private intelligence-sharing network

root-parent18 ptsseattle prism shield network private intelligence

Show HN: GoPeek – open links in live mini browser windows without new tabs

GeorgeWoff2518 ptsgopeek open browser links live mini

Agent Memory: An Anatomy

brgsk17 ptsmemory library user agent semantic libraries

SpaceX not the behemoth everyone thought

kaycebasques13 pts_blockquote instagram data vars text media
terms · privacy · disclaimer · contact · policy
© 2026 NewsHub. All rights reserved.
This site is for informational purposes only. Content is aggregated from publicly available sources. We may earn commissions through affiliate links. Not affiliated with Y Combinator or Hacker News.