New attack method undermines common web application firewalls
by Tina Siering
What is the function of web application firewalls?
Web application firewalls (WAF) primarily protect web applications and APIs from widespread cross-site scripting and SQL injection attacks by filtering, monitoring and blocking malicious HTTP traffic. While such attacks are fairly easy to defend against, they should still be considered a serious threat. As such, they regularly appear in the OWASP (Open Web Application Security Project) Top 10 most critical security risks for web applications.
Web application firewalls can also protect cloud-based management platforms that monitor connected devices such as access points or routers. However, if WAF functions that scan and block traffic are bypassed by attackers, sensitive customer and business data can fall into the hands of cybercriminals. So, with IT processes increasingly migrating to cloud environments, WAF bypass can pose far-reaching risks to businesses.
How criminals bypass popular web application firewalls
Researchers at U.S.-based cybersecurity firm Claroty have developed an attack method that allowed them to bypass the web application firewalls of several industry-leading vendors. The method was discovered during independent research on a wireless device management platform from Cambium Networks.
Initially, the researchers found a Cambium SQL injection vulnerability that allowed them to exfiltrate user sessions, SSH keys, password hashes, tokens and verification codes. The experts were able to exploit the SQL injection vulnerability against the on-premises version, but hacking attempts against the cloud version were blocked by the Amazon Web Services (AWS) WAF.
Then experts found that they could bypass the AWS WAF by appending JSON syntax to SQL injection payloads. JSON (JavaScript Object Notation) is a file and data format commonly used when exchanging data between a server and a web application. JSON support has been standard in SQL database engines for many years, but not in WAFs.
As Claroty reports, the JSON syntax makes it possible to create new SQLi payloads. Because these payloads are usually unknown, WAFs can't parse them. Thus, they fly under the radar of many security tools and thus remain undetected. The attack method was also able to bypass the firewalls of the following four providers: Cloudflare, F5, Imperva and Palo Alto Networks.
How to prevent bypassing web application firewalls
All five vendors mentioned have since confirmed the vulnerability and fixed it by adding support for JSON syntax to their products' SQL checking workflows. However, it is entirely possible that other vendors' products still lack JSON support.
Therefore, to prevent WAF circumvention, security experts strongly advise enterprises to check the JSON support of their cloud provider's WAF. In addition, you should make sure that the latest WAF version is always in use. Otherwise, attackers may gain access to your systems, access your backend database and exploit other vulnerabilities to exfiltrate data. OT and IoT platforms that use cloud-based monitoring and management systems are particularly at risk.
Conclusion
Many companies are outsourcing their IT applications to the cloud these days. This is not always safe: since the web application firewalls of some cloud providers do not support JSON syntax, the features of security tools can be easily bypassed. Cybercriminals then need only append the JSON syntax to SQL injection payloads to create new payloads that are not recognized by WAFs. As a result, malicious traffic goes undetected, leaving nothing in the way of data exfiltration. Therefore, check promptly whether your cloud provider's WAF is up to date and whether it supports JSON syntax.
Need help upgrading your IT security for 2023? Contact us!
Related articles
For several days now, there has been a strong accumulation of successful compromises by the "QakBot" malware (also known as "QBot" and "QuackBot") worldwide. We have also already identified successful attacks as part of our ACD monitoring. After infection, criminals can gain access to online banking accounts, leak user data, and reload further malware. As one measure to mitigate the risk, we urgently recommend adjustments to the Group Policy Objects (GPO).
Cybercriminals are true masters at constantly adapting their attack mechanisms to effective IT security measures. New tools and iterative changes to existing malware are used to mercilessly exploit security vulnerabilities. Among the numerous threats, ransomware stands out as one of the biggest. More and more companies have to face extortion Trojans. A completely new threat called LockFile now relies on intermittent encryption. LockFile not only encrypts much faster than previous ransomware, but also bypasses security solutions that work reliably. This article shows why criminals are increasingly relying on intermittent encryption and how companies should react to the new threat.
Read more … New ransomware trend: Why criminals increasingly rely on intermittent encryption
Due to the war in Ukraine, secion provides an assessment of the threat situation for companies and examines the question of whether increased Russian attacks on companies in Germany, Austria and Switzerland can be identified. There is currently no evidence of an acute increase in the threat posed by Russian state actors in Western Europe, but there is increased public awareness of these cyberattacks. In addition, "third-party actors" are creating a new dynamic.