Researchers Detail New Attack Method to Bypass Popular Web Application Firewalls


Dec 10, 2022Ravie LakshmananWeb App Firewall / Web Security

A new attack method can be used to circumvent web application firewalls (WAFs) of various vendors and infiltrate systems, potentially enabling attackers to gain access to sensitive business and customer information.

Web application firewalls are a key line of defense to help filter, monitor, and block HTTP(S) traffic to and from a web application, and safeguard against attacks such as cross-site forgery, cross-site-scripting (XSS), file inclusion, and SQL injection.


The generic bypass “involves appending JSON syntax to SQL injection payloads that a WAF is unable to parse,” Claroty researcher Noam Moshe said. “Most WAFs will easily detect SQLi attacks, but prepending JSON to SQL syntax left the WAF blind to these attacks.”

The industrial and IoT cybersecurity company said its technique successfully worked against WAFs from vendors like Amazon Web Services (AWS), Cloudflare, F5, Imperva, and Palo Alto Networks, all of whom have since released updates to support JSON syntax during SQL injection inspection.

Web Application Firewalls

With WAFs acting as a security guardrail against malicious external HTTP(S) traffic, an attacker with capabilities to get past the barrier can obtain initial access to a target environment for further post-exploitation.

The bypass mechanism devised by Claroty banks on the lack of JSON support for WAFs to craft rogue SQL injection payloads that include JSON syntax to skirt the protections.

“Attackers using this novel technique could access a backend database and use additional vulnerabilities and exploits to exfiltrate information via either direct access to the server or over the cloud,” Moshe explained. “This is a dangerous bypass, especially as more organizations continue to migrate more business and functionality to the cloud.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Products You May Like

Articles You May Like

Should ransomware payments be banned? – Week in security with Tony Anscombe
Australian Defence Force Private and Husband Charged with Espionage for Russia
‘Konfety’ Ad Fraud Uses 250+ Google Play Decoy Apps to Hide Malicious Twins
Understanding IoT security risks and how to mitigate them | Cybersecurity podcast
5 common Ticketmaster scams: How fraudsters steal the show

Leave a Reply

Your email address will not be published. Required fields are marked *