Web application firewalls are a crucial line of defense keeping databases and their contents at arm’s length from threat actors. A bypass of these security tools could put business and customer information in the hands of hackers, and impact business from a financial and regulatory perspective.
In this episode of the Aperture Podcast, Team82 researcher Noam Moshe joins to discuss his recent research and development of a generic bypass of leading vendors’ web application firewalls.
The attack technique exploits the vendors’ previous lack of support for JSON syntax in their SQL injection processes. WAFs were previously blind to JSON syntax prepended to a SQL injection payload and would not flag these as malicious.
Team82’s research identified five affected vendors: Amazon Web Services, Palo Alto Networks, F5, Cloudflare, and Imperva. Each of the vendors’ WAF products now support JSON syntax, and have negated the impact of this technique.
“What makes this bypass so rare is that we were able to find the generic bypass. Meaning, I don’t care what is between me and the application, I simply bypass almost any WAF between me and it,” Moshe said. “There have been WAF bypasses in the past, however, I don’t know of a generic one working on all major vendors.”
Moshe explained how Team82 came upon this technique almost by accident during an unrelated research project, and why vendors were lagging in adding JSON support in WAF inspection processes.
“We arrived at JSON because it is implemented in all databases by default, so it was a good candidate,” he said. “We tried a few others, but JSON was the one that simply worked out of the box.”