Experts created a technique to bypass web application firewalls (WAF) of several major vendors

Claroty researchers devised a technique for bypassing several vendors’ web application firewalls (WAF).
Researchers at industrial and IoT cybersecurity firm Claroty devised an attack technique for bypassing several industry-leading vendors’ web application firewalls (WAF).

The technique was discovered while conducting unrelated research on Cambium Networks’ wireless device management platform.

The researchers discovered a Cambium SQL injection vulnerability that they used to exfiltrate users’ sessions, SSH keys, password hashes, tokens, and verification codes.

The experts pointed out that they could exploit the SQL injection vulnerability against the on-premises version while hacking attempts against the cloud version were blocked by the Amazon Web Services (AWS) WAF.

Then the experts started investigating how to bypass the AWS WAF.
The researchers discovered that appending JSON syntax to SQL injection payloads allows bypassing the WAF because it cannot parse it.

Using JSON syntax, it is possible to craft new SQLi payloads. Since they are not commonly known, these payloads could be used to fly under the radar and bypass many security tools. . Using syntax from different database engines, the researchers were able to compile the following list of true statements in SQL:

  • PostgreSQL: ‘{“b”:2}’::jsonb <@ ‘{“a”:1, “b”:2}’::jsonb Is the left JSON contained in the right one? True.
  • SQLite: ‘{“a”:2,”c”:[4,5,{“f”:7}]}’ -> ‘$.c[2].f’ = 7 Does the extracted value of this JSON equals 7? True.
  • MySQL: JSON_EXTRACT(‘{“id”: 14, “name”: “Aztalan”}’, ‘$.name’) = ‘Aztalan’ Does the extracted value of this JSON equals to ‘Aztalan’? True.”

Claroty researchers used the JSON operator ‘@<’ to throw the WAF into a loop and supply malicious SQLi payloads.

The researchers verified that the bypass attack technique also worked against firewalls from other vendors, including Cloudflare, F5, Imperva, and Palo Alto Networks.

It was discovered that the leading vendors’ WAFs did not support JSON syntax in their SQL injection inspection process, allowing us to prepend JSON syntax to a SQL statement that blinded a WAF to the malicious code.

Source: Security Affairs, Claroty