In issue 272 of APISecurity.io, we cover news of a significant vulnerability in Radware’s Web Application Firewall (WAF). The incident demonstrated how unexpected input could slip past the WAF’s defenses, allowing malicious requests to reach backend systems.
One standout example involved a GET request with a body payload, an unusual combination. GET requests typically don’t include a request body. However, researchers discovered that when a body was added the Radware WAF, which didn’t expect a body in a GET request, let the traffic through, bypassing the WAFs security entirely.
This incident highlights a fundamental limitation of traditional WAFs: they rely heavily on pattern recognition and predefined rule sets. When input doesn’t match expected formats, or when it’s deliberately malformed, these systems can be easily tricked and bypassed.
How 42Crunch Takes a Different Approach
The 42Crunch approach is fundamentally different. Rather than looking for suspicious patterns, the 42Crunch API security only permits requests that strictly conform to what the developer defines for the API. If a request doesn’t match the definition, it’s blocked, no exceptions.
Here’s how this approach directly counters the type of issue exposed in the Radware WAF:
-
Contract-Based Enforcement
The security is customized for each API based on its API specification, which specifies allowed data properties, security requirements, and even the structure of API requests.The 42Crunch API security uses this as the reliable source of truth.
-
Real-time Security by Design
If the API spec doesn’t explicitly permit a body in a GET request, then any GET request with a body is automatically blocked. There’s no ambiguity, and no reliance on guesswork or heuristics.
-
No Room for False Results
Since validation is based on explicit definitions, the runtime security never gets “confused” by unexpected input. It simply checks whether the incoming request matches the allowed format. If it doesn’t, the request is rejected, simple and secure.
Developers Define, 42Crunch Enforces
At the core of 42Crunch’s model is a powerful idea: developers know their APIs best. They’re the most accurate source of what’s valid and what isn’t. 42Crunch bakes this philosophy into an automated, secure pipeline:
-
Define the API using an OpenAPI specification.
-
Validate the definition with automated checks for structural, semantic, and industry-standard compliance.
-
Dynamically test the API to confirm it behaves according to its definition.
-
Enforce at runtime based on the validated API contract.
This ensures complete alignment between your code, documentation, and runtime behavior, eliminating gaps where vulnerabilities like the Radware WAF bug can arise. You can see this in action with a short video demonstration.
Conclusion: Why Definition-Driven Security Matters
Traditional WAFs have their place, but they often fall short when it comes to APIs, which require precise, context-aware security, tailored to the specifics of each API.
The 42Crunch API Security platform delivers definition-driven enforcement, a smarter, stronger defense built around how your API is supposed to work. By auditing the developer’s API contract and blocking everything that falls outside it, 42Crunch provides a level of protection that traditional, pattern-matching WAFs simply can’t match, especially at the speed and scale of modern API ecosystems.
