Web Application Firewalls are Vulnerable to JSON Bypass

Researchers from Claroty’s Team82 have “developed a generic bypass of industry-leading web application firewalls (WAF)… [that] involves appending JSON syntax to SQL injection payloads that a WAF is unable to parse.” The issue affects WAFs from Amazon Web Services, Cloudflare, F5, Imperva, and Palo Alto. All have updated their affected products to address the vulnerability.

Note

• The article title is misleading because it is more research than just a Generic Web Application Firewall Bypass in the article itself. The Bypass is really excellent, and the research is spot on. However, there is also research around vulnerabilities in software-defined networking controllers that is also fascinating, and you would never realize this by just looking at the article title.
• So, by obfuscating the SQL injection attack in JSON, the WAF didn’t detect them. The updates address this, so you need to deploy them, particularly as the information has now been published. This doesn’t mean the WAF wasn’t detecting and blocking other attacks, more like here is a new technique which needs to be added to your WAF’s arsenal. You still need defense in depth, make sure that your developers are sanitizing input, you are testing your applications regularly, and your testing includes testing without the WAF.

Read more in

• {JS-ON: Security-OFF}: Abusing JSON-Based SQL to Bypass WAF
• Popular WAFs Subverted by JSON Bypass
• Researchers Detail New Attack Method to Bypass Popular Web Application Firewalls