Back to Home

WAF 2026 Comparison: Check Point Test Results and Padding Evasion Attacks

The article presents the results of independent Web Application Firewall (WAF) testing by Check Point in 2026. It analyzes the effectiveness of popular solutions against new Padding Evasion attacks, such as React2Shell, and provides WAF selection recommendations based on key security and detection metrics.

WAF 2026: only 2 solutions passed the padding attacks test
Advertisement 728x90

2026 WAF Comparison: How Padding Evasion Attacks Are Changing the Game

Check Point's testing revealed that most WAFs are vulnerable to new padding-based attacks like React2Shell. Only two solutions provided full coverage, while others either missed threats or blocked legitimate traffic.

Architectural Limitations of Traditional WAFs

Traditional WAFs relying on signature-based analysis are showing growing limitations against sophisticated malware. Tests from 2024-25 already highlighted this issue, but in 2026, the introduction of the Padding Evasion attack vector completely changed evaluation criteria. This technique lets attackers hide malicious code in massive amounts of "junk" data, bypassing standard 8-128 KB inspection buffers.

Key Metrics: Security vs. Detection

When choosing a WAF, two critical parameters often clash:

Google AdInline article slot
  • Security Quality (True Positive Rate) — the ability to accurately identify and block malicious requests.
  • Detection Quality (False Positive Rate) — the ability to let legitimate traffic through without false alarms.

An ideal WAF balances both. For objective evaluation, we use Balanced Accuracy — the average of these two metrics.

Testing Results for Top WAFs

In December 2025, Check Point tested 13 configurations of popular WAFs, including solutions from Microsoft Azure, AWS, Cloudflare, F5, Google, Fortinet, and Imperva. Tests used:

  • 1,040,242 legitimate HTTP requests from 692 real websites.
  • 74,284 malicious combinations from common attack vectors.

Results by balanced accuracy:

Google AdInline article slot
  • open-appsec / CloudGuard WAF (critical profile) — 99.453%
  • open-appsec / CloudGuard WAF (default profile) — 99.283%
  • F5 NGINX App Protect WAF — 94.071%

Extreme cases highlight the imbalance:

  • Imperva Cloud WAF had excellent detection (0.009% false positives) but missed 88.03% of real threats.
  • Microsoft Azure WAF blocked 97.537% of threats but triggered 54.412% false positives, disrupting app functionality.

The Padding Evasion Threat and Three WAF Behaviors

Introducing Padding Evasion datasets (using CVE-2025-55182 in React2Shell) exposed core architectural differences. Large payloads hidden in junk data test not just signature databases but request processing mechanisms. Testing revealed three behaviors:

  • Fail Open — WAF inspects only part of the request (e.g., first 128 KB), misses the threat, and passes the whole thing. Result: Vulnerable to zero-days.
  • Fail Close — WAF sees the request exceeds its buffer and blocks it entirely. Result: High false positives, blocking legit large requests (JSON, file uploads).
  • Full Coverage — WAF analyzes the entire request body regardless of size, catching hidden threats without blocking legit traffic. Result: Optimal protection.

WAF Behavior Comparison on Padding Evasion Attacks

| WAF | Behavior on Large Requests | Result | Status |

Google AdInline article slot

| :--- | :--- | :--- | :--- |

| open-appsec / CloudGuard WAF | Full Coverage | Protected | ✅ |

| Google Cloud Armor | Full Coverage | Protected | ✅ |

| Microsoft Azure WAF | Fail Close | Blocks Legit Requests | ❌ |

| AWS WAF (Managed & F5 Rules) | Fail Close | Blocks Legit Requests | ❌ |

| Cloudflare WAF | Fail Open | Vulnerable to Padding Evasion | ❌ |

| F5 NGINX AppProtect | Fail Open | Vulnerable to Padding Evasion | ❌ |

| F5 BIG-IP Advanced WAF | Fail Open | Vulnerable to Padding Evasion | ❌ |

| Fortinet FortiAppSec | Fail Open | Vulnerable to Padding Evasion | ❌ |

Only open-appsec/CloudGuard and Google Cloud Armor achieved Full Coverage. Most, including Cloudflare, F5, and Fortinet, use Fail Open, leaving apps exposed. AWS and Azure opt for Fail Close, sacrificing usability for security.

Evolution of Testing Tools and Anomalies

Testing tools have evolved into a full platform with PDF reports, result visualizations, and log examples. Docker support enables quick express checks. But tests uncovered an anomaly: Imperva Cloud WAF blocked 100% of testing tool traffic, including legit requests — pointing to aggressive heuristics targeting audit tools themselves.

Key Takeaways

  • Padding Evasion attacks are the new benchmark — WAFs must handle any request size to counter threats like React2Shell.
  • Metric balance is essential — Picking a WAF based solely on security or detection risks vulnerabilities or downtime.
  • Architecture drives outcomes — Only streaming analysis with machine learning delivers Full Coverage without performance hits.
  • Configuration matters — Testing products in different modes (e.g., open-appsec) shows settings hugely impact balanced accuracy.
  • Testing tools are more advanced — Modern platforms offer detailed reports for smart WAF selection and tuning.

— Editorial Team

Advertisement 728x90

Read Next