Researchers Discover Holey Web Application Firewalls (WAF)

B2B Cyber Security ShortNews


Claroty security researchers have discovered ways to bypass Web Application Firewalls (WAF). A lack of JSON support in the WAFs' SQL injection inspection allows attacks against potentially all providers. The providers Palo Alto Networks, Amazon Web Services, Cloudflare, F5 and Imperva have since updated their products.

Security researchers from Team82, the research arm of cyber-physical systems (CPS) security specialists Claroty, have identified the possibility of a basic bypass of industry-leading web application firewalls (WAF). The attack technique involves appending JSON syntax to SQL injection payloads.

Leading WAF providers have already responded

Although most database engines have supported JSON for a decade, numerous WAF vendors have not built JSON support into their products. As a result, such a WAF is blind to attacks that prepend JSON to SQL syntax. The method worked on WAFs from five leading providers: Palo Alto Networks, Amazon Web Services, Cloudflare, F5, and Imperva. All five have now updated their products to support JSON syntax in their SQL injection inspection process. However, there is a risk that the same technique works against other WAFs, which would represent a serious vulnerability that attackers can use to gain access to sensitive business and customer data.

Background on web application firewalls

Web application firewalls (WAF) are designed to protect web-based applications and APIs from malicious external HTTP traffic, particularly cross-site scripting and SQL injection attacks. Although these attack classes are well known and relatively easy to fix, they still pose a threat and therefore repeatedly appear in the OWASP Top 10 of the most important vulnerabilities.

WAFs are also increasingly used to protect cloud-based management platforms that monitor connected devices such as routers and access points. Attackers who are able to bypass a WAF's traffic scanning and blocking capabilities thereby often gain direct access to sensitive business and customer data. However, WAF bypasses are relatively rare and typically target a specific vendor's implementation.

Lack of JSON support allows SQL injection attacks

Team82 has discovered an attack technique that represents the first generic evasion of multiple web application firewalls from industry-leading vendors (Palo Alto, F5, Amazon Web Services, Cloudflare, and Imperva). All affected vendors have acknowledged Team82's disclosure and implemented bug fixes that add support for JSON syntax to their products' SQL validation processes.

WAFs are designed to provide additional security from the cloud. However, if attackers are able to circumvent these protection mechanisms, they gain far-reaching access to the systems behind them. With the new technique, attackers can reach a backend database and use additional vulnerabilities and exploits to exfiltrate information, either via direct access to the server or via the cloud. This is especially important for OT and IoT platforms that have migrated to cloud-based management and monitoring systems.
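The gap described in the paragraphs above (a WAF whose SQL injection inspection knows nothing about JSON syntax, and the vendors' fix of teaching it that syntax) can be modelled with a small rule-based inspector. This is an added example, not Claroty's or any vendor's code; the rule sets, the JSON operators covered and the sample parameter values are constructed for illustration and are far smaller than a real WAF's.

```python
import re

# Legacy rules: classic boolean, UNION and comment-based SQLi shapes only.
LEGACY_SQLI_RULES = [
    r"\bor\b\s+\d+\s*=\s*\d+",             # 1 OR 1=1
    r"\bunion\b\s+(?:all\s+)?select\b",     # UNION [ALL] SELECT
    r"--\s*$|/\*.*?\*/",                    # trailing or inline comment
    r"'\s*(?:or|and)\s*'[^']*'\s*=\s*'",    # ' or 'a'='a
]

# JSON syntax that database engines accept inside SQL expressions
# (PostgreSQL @>, -> and ->>; MySQL JSON_* functions). The legacy rules
# above never look for it, so an expression built from it scores as "not SQL".
JSON_IN_SQL_RULES = [
    r"'\s*\{.*?\}\s*'(?:::jsonb?)?\s*@>\s*'",          # '{...}' @> '{...}'
    r"->>?\s*'",                                       # col->'key', col->>'key'
    r"\bjson_(?:extract|contains|value|query)\s*\(",   # MySQL JSON functions
]

def matches_any(value, rules):
    """True when any rule matches the parameter value (case-insensitive)."""
    return any(re.search(rule, value, re.IGNORECASE) for rule in rules)

def legacy_waf_blocks(value):
    """Inspection as it worked before JSON support was added."""
    return matches_any(value, LEGACY_SQLI_RULES)

def updated_waf_blocks(value):
    """Inspection after the fix: JSON operators are treated as SQL syntax."""
    return matches_any(value, LEGACY_SQLI_RULES + JSON_IN_SQL_RULES)

# Constructed sample values for a query parameter such as GET /items?id=<value>
SAMPLES = {
    "classic":    "1 OR 1=1",
    "pg_json":    "1 OR '{\"k\":1}' @> '{\"k\":1}'",
    "mysql_json": "1 OR JSON_EXTRACT('{\"k\":1}', '$.k') = 1",
    "benign":     '{"user":"alice","role":"reader"}',   # ordinary JSON value
}

def evaluate(samples=SAMPLES):
    """Return {name: (blocked_by_legacy, blocked_by_updated)} per sample."""
    return {name: (legacy_waf_blocks(v), updated_waf_blocks(v))
            for name, v in samples.items()}

if __name__ == "__main__":
    for name, (legacy, updated) in evaluate().items():
        print(f"{name:11s} legacy={legacy!s:5s} updated={updated}")
```

The benign sample shows the check a practitioner should add when extending inspection this way: plain JSON in a parameter value must still pass, only JSON operators embedded in SQL expressions should trigger.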

Further information, background and above all more technical details can be found in the corresponding blog post by Claroty.

More at Claroty.com

About Claroty

Claroty, the Industrial Cybersecurity Company, helps its global customers discover, protect and manage their OT, IoT and IIoT assets. The company's comprehensive platform can be seamlessly integrated into customers' existing infrastructure and processes and offers a wide range of industrial cybersecurity controls for transparency, threat detection, risk and vulnerability management and secure remote access - with significantly reduced total cost of ownership.
