Team82 researchers have disclosed an attack technique that bypasses industry-leading web application firewalls (WAFs) by appending JSON syntax to SQL injection payloads.
“An attacker able to bypass the traffic scanning and blocking capabilities of WAFs often has a direct line to sensitive business and customer information,” vulnerability researcher Noam Moshe wrote in a blog post detailing the threat. “Such bypasses, thankfully, have been infrequent, and one-offs targeting a particular vendor’s implementation.”
What Team82 disclosed, however, isn’t a one-off targeting a single vendor – it works against WAFs from Palo Alto Networks, F5, Amazon Web Services, Cloudflare, and Imperva. Check Point’s WAFs, Moshe noted, are not affected.
“Team82 disclosed its findings to five of the leading WAF vendors, all of which have added JSON syntax support to their products,” Moshe wrote. “We believe that other vendors’ products may be affected, and that reviews for JSON support should be carried out.”
Also read: How to Prevent SQL Injection Attacks
Blinded by JSON
The researchers used a WAF shortcoming against the firewalls: Lack of support for native JSON syntax.
“Our technique relies first on understanding how WAFs identify and flag SQL syntax as malicious, and then finding SQL syntax the WAF is blind to,” Moshe wrote. “This turned out to be JSON.”
While all major database engines support native JSON syntax, Moshe noted, that’s not true of most WAFs.
“Vendors have been slow to add JSON support, which allowed us to craft new SQL injection payloads that include JSON that bypassed the security WAFs provide,” he wrote.
An attacker could potentially leverage the technique to exfiltrate information from a database or to access cloud-based management systems for OT and IoT platforms.
“This is a dangerous bypass, especially as more organizations continue to migrate more business and functionality to the cloud,” Moshe wrote. “IoT and OT processes that are monitored and managed from the cloud may also be impacted by this issue, and organizations should ensure they’re running updated versions of security tools in order to block these bypass attempts.”
Wallarm CEO Ivan Wallarm responded to the disclosure on Twitter by noting that he’d discovered something very similar back in 2017, when he observed that an attacker could bypass a WAF by “construct[ing] the payload in such a way that it will be well-formatted data like JSON and still a valid payload like SQL injection at the same time.” At the time, he suggested the same was also true of XML.
WAF Development Lagging
Approov vice president George McGregor told eSecurity Planet by email that exploits like these appear to indicate a lack of investment in core WAF functionality by key players.
“That wouldn’t surprise me since the WAF approach is really a hangover from a previous era when app code and data were in backend servers and in theory at least, requests could be blocked there,” he said.
“The real issue is that with the shift of app logic and data to mobile apps, WAFs and backend security solutions struggle to get visibility to what’s going on in the client device and apps can be weaponized to attack APIs,” McGregor added.
Read next: Top Database Security Solutions
