Experts devised a technique to bypass web application firewalls (WAF) of several vendors

Claroty researchers devised a technique for bypassing the web application firewalls (WAF) of several vendors.

Researchers at industrial and IoT cybersecurity firm Claroty devised an attack technique for bypassing the web application firewalls (WAF) of several industry-leading vendors.

The technique was discovered while conducting unrelated research on Cambium Networks’ wireless device management platform.

The researchers discovered a Cambium SQL injection vulnerability that they used to exfiltrate users’ sessions, SSH keys, password hashes, tokens, and verification codes.

The experts pointed out that they were able to exploit the SQL injection vulnerability against the on-premises version, while hacking attempts against the cloud version were blocked by the Amazon Web Services (AWS) WAF.

Then the experts started investigating how to bypass the AWS WAF.

The researchers discovered that appending JSON syntax to SQL injection payloads allows bypassing the WAF because it is unable to parse it. 

“Using JSON syntax, it is possible to craft new SQLi payloads. These payloads, since they are not commonly known, could be used to fly under the radar and bypass many security tools.” reads the report published by Claroty. “Using syntax from different database engines, we were able to compile the following list of true statements in SQL:

• PostgreSQL: ‘{“b”:2}’::jsonb <@ ‘{“a”:1, “b”:2}’::jsonb Is the left JSON contained in the right one? True.
• SQLite: ‘{“a”:2,”c”:[4,5,{“f”:7}]}’ -> ‘$.c[2].f’ = 7 Does the extracted value of this JSON equals 7? True.
• MySQL: JSON_EXTRACT(‘{“id”: 14, “name”: “Aztalan”}’, ‘$.name’) = ‘Aztalan’ Does the extracted value of this JSON equals to ‘Aztalan’? True.”

Claroty researchers used the JSON operator ‘@<’ to throw the WAF into a loop and supply malicious SQLi payloads.

The researchers verifies that the bypass attack technique also worked against firewalls from other vendors, including Cloudflare, F5, Imperva, and Palo Alto Networks.

“We discovered that the leading vendors’ WAFs did not support JSON syntax in their SQL injection inspection process, allowing us to prepend JSON syntax to a SQL statement that blinded a WAF to the malicious code.” the report concludes.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, WAF)

[adrotate banner=”5″]

[adrotate banner=”13″]