Researchers Detail New Attack Method to Bypass Popular Web Application Firewalls

Dec 10, 2022Ravie LakshmananWeb App Firewall / Web Security

A new attack method can be used to circumvent web application
firewalls (WAFs) of various vendors and infiltrate systems,
potentially enabling attackers to gain access to sensitive business
and customer information.

Web application firewalls are a key line of defense^[1]
to help filter, monitor, and block HTTP(S) traffic to and from a
web application, and safeguard against attacks such as cross-site
forgery, cross-site-scripting (XSS), file inclusion, and SQL
injection.

The generic bypass “involves appending JSON
syntax^[2] to SQL injection
payloads that a WAF is unable to parse,” Claroty researcher Noam
Moshe said^[3]. “Most WAFs will easily
detect SQLi attacks, but prepending JSON to SQL syntax left the WAF
blind to these attacks.”

The industrial and IoT cybersecurity company said its technique
successfully worked against WAFs from vendors like Amazon Web
Services (AWS), Cloudflare, F5, Imperva, and Palo Alto Networks,
all of whom have since released updates to support JSON syntax
during SQL injection inspection.

With WAFs acting as a security guardrail against malicious
external HTTP(S) traffic, an attacker with capabilities to get past
the barrier can obtain initial access to a target environment for
further post-exploitation.

The bypass mechanism devised by Claroty banks on the lack of
JSON support for WAFs to craft rogue SQL injection payloads that
include JSON syntax to skirt the protections.

“Attackers using this novel technique could access a backend
database and use additional vulnerabilities and exploits to
exfiltrate information via either direct access to the server or
over the cloud,” Moshe explained. “This is a dangerous bypass,
especially as more organizations continue to migrate more business
and functionality to the cloud.”