Experts developed a method to bypass multiple companies’ web application firewalls (WAF)

Researchers at the industrial and IoT cybersecurity company Claroty developed an attack method for getting past the web application firewalls (WAF) of a number of top manufacturers

The method was found while working on the wireless device management platform of Cambium Networks for unrelated research.

A Cambium SQL injection flaw was found by the researchers, who then leveraged it to steal user sessions, SSH keys, password hashes, tokens, and verification codes.

The experts noted that while attempts to hack the cloud version were thwarted by the Amazon Web Services (AWS) WAF, they were successful in exploiting the SQL injection vulnerability against the on-premises version.

The specialists then began looking into ways to get around the AWS WAF.
The researchers found that because the WAF cannot parse JSON syntax, it is possible to get around it by attaching it to SQL injection payloads.

“Using JSON syntax, it is possible to craft new SQLi payloads. These payloads, since they are not commonly known, could be used to fly under the radar and bypass many security tools.” reads the report published by Claroty. “Using syntax from different database engines, we were able to compile the following list of true statements in SQL:

• PostgreSQL: ‘{“b”:2}’::jsonb <@ ‘{“a”:1, “b”:2}’::jsonb Is the left JSON contained in the right one? True.
• SQLite: ‘{“a”:2,”c”:[4,5,{“f”:7}]}’ -> ‘$.c[2].f’ = 7 Does the extracted value of this JSON equals 7? True.
• MySQL: JSON_EXTRACT(‘{“id”: 14, “name”: “Aztalan”}’, ‘$.name’) = ‘Aztalan’ Does the extracted value of this JSON equals to ‘Aztalan’? True.”

Claroty researchers used the JSON operator ‘@<’ to throw the WAF into a loop and supply malicious SQLi payloads.

The researchers verifies that the bypass attack technique also worked against firewalls from other vendors, including Cloudflare, F5, Imperva, and Palo Alto Networks.

“We discovered that the leading vendors’ WAFs did not support JSON syntax in their SQL injection inspection process, allowing us to prepend JSON syntax to a SQL statement that blinded a WAF to the malicious code.” the report concludes.

Suggest an edit to this article

Cybersecurity Knowledge Base

Homepage

Remember, CyberSecurity Starts With You!

• Globally, 30,000 websites are hacked daily.
• 64% of companies worldwide have experienced at least one form of a cyber attack.
• There were 20M breached records in March 2021.
• In 2020, ransomware cases grew by 150%.
• Email is responsible for around 94% of all malware.
• Every 39 seconds, there is a new attack somewhere on the web.
• An average of around 24,000 malicious mobile apps are blocked daily on the internet.