
ADR catches the SQLi, unsafe deserialization & path traversal attacks WAFs/EDRs miss

If your tools can’t see what’s happening inside your apps and application programming interfaces (APIs), they can’t stop breaches. And the truth is, perimeter and endpoint tools were never designed to detect the real mechanics of modern application-layer attacks.

This is an urgent matter. The 2025 Verizon Data Breach Investigations Report (DBIR) underscores a stark reality: Vulnerability exploitations are escalating. They now constitute 20% of all breaches, marking a notable 34% increase from the previous year as a primary initial access method. This escalating trend places immense pressure on security operations teams responsible for safeguarding vital applications and APIs, which frequently serve as the initial gateways for malicious actors.

Specifically, we're witnessing a surge in application-layer attacks like SQL injection, which can lead to data breaches and manipulation; Cross-Site Scripting (XSS) that can hijack user sessions and steal sensitive information; and path traversal, which exposes sensitive files and system commands.

While web application firewalls (WAFs) and Endpoint Detection and Response (EDR) solutions are critical tools, they often struggle to detect these sophisticated attacks within the application logic itself. Read on to learn why, and how Application Detection and Response sheds light on these blind spots.

The inherent limitations of traditional tools

While perimeter and endpoint security tools remain foundational, their effectiveness in addressing the nuances of application-layer threats is increasingly limited.

  • WAFs: These defenses operate at the network edge, struggling to differentiate between benign traffic and genuine threats that target complex application logic. Thus, they often miss SQL injection or XSS attempts cleverly embedded within legitimate-looking traffic, meaning an attacker could gain access to critical data right under the radar. Because they struggle to distinguish genuine threats, WAFs can generate an overwhelming volume of alerts, making it difficult to separate actual malicious activity from inconsequential noise.
    Our research indicates that WAF signals exhibit less than a 0.25% correlation to real exploits. This means that for every thousand "suspicious" events flagged by a WAF, fewer than three truly represent an active attack attempt that could cause harm. This high noise-to-signal ratio inevitably leads to alert fatigue, increasing the risk that security teams might inadvertently overlook genuine threats amidst the flood of notifications.

  • Endpoint Detection and Response (EDR) solutions: While invaluable for monitoring activity at the operating system and kernel levels, EDR solutions fundamentally lack the deep application context necessary to understand the intricacies of application-layer attacks. While EDRs protect the endpoints, they won't see the data exfiltration from successful SQL injection. EDRs may not detect application-layer attacks at all, or they might only perceive them much later in the kill chain, once the threat has progressed to the endpoint and potentially inflicted damage. This creates a critical visibility gap where advanced threats exploiting application logic can operate effectively, unnoticed by traditional defenses.

Introducing Application Detection and Response (ADR)

This is precisely where Contrast Application Detection and Response (ADR) emerges as a crucial, complementary security layer, specifically engineered to address this visibility gap within modern applications.

Unlike external tools, Contrast ADR functions directly from inside each application's runtime. It leverages lightweight threat sensors that integrate seamlessly within the application, providing continuous, deep runtime context. This unique vantage point allows ADR to observe actual code execution, data flow, library usage, configuration, and backend connections precisely as the application processes them. This means Contrast ADR operates on the "ground truth" of how an application handles data after it has been processed by frameworks, offering a clarity that external tools cannot match.

Contrast ADR utilizes this internal visibility to perform behavioral detection. Instead of relying on static signatures or monitoring system calls from an external perspective, ADR tracks data flow and analyzes code logic as it executes within the runtime. This enables it to identify behavioral anomalies and malicious patterns based on their actual runtime interactions, pinpointing only genuine threats.
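As an added illustration of what "seeing the data at the sink" means in practice (this is example code written for this page, not Contrast's sensor code and not a description of how the ADR product is implemented), the Python sketch below shows a constructed vulnerable lookup that concatenates a value into SQL, a structural comparison of the statement the application is about to execute against the statement its template should produce, and the parameterized form that removes the problem. The template format, the token grammar, and the in-memory sample table are assumptions made for the example.

```python
import re
import sqlite3

# Token grammar for a rough structural view of a SQL statement. Literals
# collapse to placeholders so two queries that differ only in values produce
# the same shape; keywords, identifiers, operators and comments are kept.
_TOKEN_RE = re.compile(
    r"""
      (?P<string>'(?:[^']|'')*')          # single-quoted string literal
    | (?P<number>\b\d+(?:\.\d+)?\b)       # numeric literal
    | (?P<comment>--[^\n]*|/\*.*?\*/)     # line or block comment
    | (?P<word>[A-Za-z_][A-Za-z0-9_.]*)   # keyword or identifier
    | (?P<op><=|>=|<>|!=|[=<>+\-*/,;()])  # operators and punctuation
    | (?P<ws>\s+)
    | (?P<other>.)                        # anything else, e.g. a stray quote
    """,
    re.VERBOSE | re.DOTALL,
)


def sql_shape(query: str) -> list[str]:
    """Reduce a SQL string to the sequence of its structural tokens."""
    shape = []
    for m in _TOKEN_RE.finditer(query):
        kind = m.lastgroup
        if kind == "ws":
            continue
        if kind == "string":
            shape.append("<STR>")
        elif kind == "number":
            shape.append("<NUM>")
        elif kind == "comment":
            shape.append("<COMMENT>")
        elif kind == "word":
            shape.append(m.group().upper())
        else:
            shape.append(m.group())
    return shape


# Constructed vulnerable pattern: the application builds its statement by
# pasting the untrusted value into a template. "{}" marks where it lands.
LOOKUP_TEMPLATE = "SELECT id FROM users WHERE name = '{}' AND active = 1"


def inspect_at_sink(template: str, user_input: str) -> dict:
    """Sensor logic at the database sink (assumed design for this example).

    The expected shape is the template with an empty literal in the slot; the
    observed shape is the statement actually about to execute. Any difference
    means the untrusted value changed the statement's structure, which is
    exactly what a successful injection has to do.
    """
    expected = sql_shape(template.format(""))
    observed = sql_shape(template.format(user_input))
    return {
        "query": template.format(user_input),
        "attack": observed != expected,
        "expected_shape": expected,
        "observed_shape": observed,
    }


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table so the hardened form can be exercised."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, active INTEGER)")
    conn.executemany(
        "INSERT INTO users (name, active) VALUES (?, ?)",
        [("alice", 1), ("bob", 1), ("carol", 0)],
    )
    return conn


def lookup_user_safe(conn: sqlite3.Connection, name: str) -> list[int]:
    """Hardened form: a parameterized query. The driver sends the value
    separately from the statement text, so the shape cannot change."""
    rows = conn.execute(
        "SELECT id FROM users WHERE name = ? AND active = 1", (name,)
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    for value in ["alice", "' OR '1'='1", "alice' --"]:
        result = inspect_at_sink(LOOKUP_TEMPLATE, value)
        print("ATTACK" if result["attack"] else "ok    ", result["query"])
    conn = make_demo_db()
    print(lookup_user_safe(conn, "alice"), lookup_user_safe(conn, "' OR '1'='1"))
```

Two points worth noticing. First, the check never looks at the raw HTTP request, only at the statement the application is about to hand to the database, which is why the string `' OR '1'='1` is flagged regardless of how it was encoded on the wire. Second, a legitimate value such as `O'Brien` is flagged too, because under concatenation it also changes the statement's structure (the application would have sent a malformed query); that is a property of the vulnerable code, and the parameterized lookup handles both inputs correctly.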

More specifically, below you’ll find the attacks that tools such as EDR and WAFs may miss due to their inherent limitations — attacks that ADR detects.

Attack types detected by ADR

Contrast ADR provides comprehensive coverage against a wide array of critical and sophisticated application attack types. This includes, but is not limited to:

  • Injection attacks: SQL Injection, NoSQL Injection, Command Injection, OGNL Injection, JNDI Injection.
    SQL Injection can grant attackers full access to your database, allowing them to steal, modify, or delete sensitive data. This could result in financial loss, regulatory fines and severe reputational damage.
  • Cross-Site Scripting (XSS): Including Reflected XSS.
    Successful XSS attacks can allow malicious actors to inject scripts into your web pages, stealing user credentials and session cookies, and even redirecting users to malicious sites. This can compromise user privacy and security, leading to identity theft and data loss.
  • Deserialization abuse: Unsafe deserialization, ClassLoader manipulation. Deserialization abuse occurs when an application deserializes data from untrusted sources without proper validation. Attackers can manipulate the serialized data to inject malicious code or alter the object's state in unexpected ways. This can lead to several severe consequences, including remote code execution (RCE), data tampering/manipulation, denial of service (DoS) or disclosure of sensitive information.
  • File & path attacks: Path traversal, unsafe file upload. Path traversal attacks enable unauthorized access to system files and directories, potentially exposing sensitive configuration data, passwords, or even allowing the attacker to execute arbitrary commands on the server. This can lead to complete system compromise.
  • XML External Entities (XXE): XXE vulnerabilities allow attackers to manipulate XML processing to access unintended resources or trigger unexpected behavior in the application. When the application parses malicious XML, it might inadvertently fetch and process external entities, potentially leading to data leakage, server-side request forgery (SSRF) or DoS.
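For the file and path attacks in the list above, the following added Python example (written for this page; it is not Contrast's code and makes no claim about how the ADR sensor performs the check) shows the kind of decision a runtime sensor can make at the file-open sink: decode the requested path, normalize it, and confirm it still lies inside the directory the application is allowed to serve. The base directory and the sample request paths are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Constructed base directory; the application is only meant to serve files under it.
BASE_DIR = "/srv/app/uploads"


def check_path(base: str, user_path: str) -> tuple[bool, str]:
    """Runtime check at the file-open sink (assumed design for this example).

    Returns (allowed, detail): the normalized absolute path when the request is
    allowed, otherwise the reason it was rejected. Pure string logic so it runs
    offline; see the note below about symlinks.
    """
    base = posixpath.normpath(base)

    # Decode a few rounds so a double-encoded "%252e%252e" is seen as "..".
    decoded = user_path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt

    if not decoded:
        return False, "empty path"
    if "\x00" in decoded:
        return False, "null byte in path"

    # Treat backslashes as separators so "..\\..\\" is normalized like "../../".
    decoded = decoded.replace("\\", "/")
    if decoded.startswith("/"):
        return False, "absolute path rejected"

    resolved = posixpath.normpath(posixpath.join(base, decoded))

    # Compare against base + "/" rather than a bare prefix, otherwise a sibling
    # directory such as "/srv/app/uploads_evil" would pass the check.
    if resolved != base and not resolved.startswith(base + "/"):
        return False, "escapes base directory"
    return True, resolved


# Constructed sample of request paths as an application might receive them.
SAMPLE_REQUESTS = [
    "report.pdf",
    "sub/../report.pdf",
    "../../etc/passwd",
    "%2e%2e/%2e%2e/%2e%2e/etc/passwd",
    "..\\..\\windows\\win.ini",
    "file.txt%00.jpg",
    "../uploads_evil/secret.txt",
]


def triage(requests: list[str]) -> list[tuple[str, str]]:
    """Return the requests the sink check rejected, with the reason, in the
    form a sensor would report them to the security operations team."""
    findings = []
    for path in requests:
        allowed, detail = check_path(BASE_DIR, path)
        if not allowed:
            findings.append((path, detail))
    return findings


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_REQUESTS):
        print(f"BLOCKED {path!r}: {reason}")
```

The check is deliberately applied to the path the application is about to open, after every layer of decoding the application itself performs, which is the vantage point the text describes. One caveat for production use: `posixpath.normpath` is string-only, so if the base directory can contain symlinks, the resolved path should additionally be passed through `os.path.realpath` against the real filesystem before the containment test.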

Distinct advantages of Contrast ADR

While WAFs and EDRs leave gaps, ADR provides complete visibility into these complex attacks by seeing exactly how data is handled by the application. The reason that ADR can detect these complicated attacks is that it operates from within the application. This provides unparalleled benefits:

  • True application context: While OS-level tools might observe system calls, Contrast ADR understands the specific application logic that initiated those calls, providing crucial context. It sees data exactly as the application logic handles it, which is vital for accurate threat identification.

  • Unmatched accuracy: Contrast ADR delivers a 100% correlation to real exploits, ensuring security teams are alerted to actual threats like active data exfiltration via SQL injection, not just background noise. This exceptional accuracy stands in stark contrast to the noise generated by WAFs, empowering security teams to prioritize high-fidelity alerts that originate from deep within the application. This approach significantly reduces alert fatigue and ensures that attention is directed towards genuine threats.

  • Protection against entire vulnerability classes: By focusing on the underlying techniques of attacks rather than just known patterns, Contrast ADR provides inherent protection against novel variants and zero-day attacks that exploit known vulnerability classes, such as SQL injection or path traversal. This capability allows ADR to effectively neutralize core attack behaviors, significantly enhancing proactive defense.

Effective protection and precision response

When an attack is detected, Contrast ADR is designed for effective protection. It can intervene with precision exactly where needed, halting the specific malicious operation or request within the runtime. This capability allows for active blocking that neutralizes exploits without impacting legitimate users or disrupting business operations. For instance, it can apply targeted controls and sandboxing during high-risk operations to prevent known exploit paths from executing.

Actionable intelligence and workflow integration

Furthermore, Contrast ADR provides rich, actionable intelligence that seamlessly integrates with existing security operations tools, such as SIEM platforms and ticketing systems. Every alert includes precise context, such as the exact line of code, full data details, stack traces and environmental specifics. This granular information drastically reduces Mean Time To Detect (MTTD) and Mean Time To Identify (MTTI), while accelerating Mean Time To Respond (MTTR). This empowers security operations teams to correlate deep application insights with data from across their entire security stack, incorporating accurate application threats into their established workflows.

Empowering security operations

In conclusion, while WAFs and EDRs remain valuable components of a holistic security strategy, they possess inherent limitations when it comes to the complex and dynamic application layer. Contrast ADR fills this critical gap by providing the unparalleled visibility, accuracy and precise response capabilities necessary to effectively identify and mitigate specific security challenges within modern applications, such as SQL Injection, XSS and path traversal attacks. It complements existing tools by providing much-needed application context, enabling platform and security engineering teams to gain control over application risk and protect against the threats that matter most.

Contrast Marketing