New attack method undermines common web application firewalls
by Tina Siering
What is the function of web application firewalls?
Web application firewalls (WAF) primarily protect web applications and APIs from widespread cross-site scripting and SQL injection attacks by filtering, monitoring and blocking malicious HTTP traffic. While such attacks are fairly easy to defend against, they should still be considered a serious threat. As such, they regularly appear in the OWASP (Open Web Application Security Project) Top 10 most critical security risks for web applications.
Web application firewalls can also protect cloud-based management platforms that monitor connected devices such as access points or routers. However, if WAF functions that scan and block traffic are bypassed by attackers, sensitive customer and business data can fall into the hands of cybercriminals. So, with IT processes increasingly migrating to cloud environments, WAF bypass can pose far-reaching risks to businesses.
How criminals bypass popular web application firewalls
Researchers at U.S.-based cybersecurity firm Claroty have developed an attack method that allowed them to bypass the web application firewalls of several industry-leading vendors. The method was discovered during independent research on a wireless device management platform from Cambium Networks.
Initially, the researchers found a Cambium SQL injection vulnerability that allowed them to exfiltrate user sessions, SSH keys, password hashes, tokens and verification codes. The experts were able to exploit the SQL injection vulnerability against the on-premises version, but hacking attempts against the cloud version were blocked by the Amazon Web Services (AWS) WAF.
As Claroty reports, the JSON syntax makes it possible to create new SQLi payloads. Because these payloads are usually unknown, WAFs can't parse them. Thus, they fly under the radar of many security tools and thus remain undetected. The attack method was also able to bypass the firewalls of the following four providers: Cloudflare, F5, Imperva and Palo Alto Networks.
How to prevent bypassing web application firewalls
All five vendors mentioned have since confirmed the vulnerability and fixed it by adding support for JSON syntax to their products' SQL checking workflows. However, it is entirely possible that other vendors' products still lack JSON support.
Therefore, to prevent WAF circumvention, security experts strongly advise enterprises to check the JSON support of their cloud provider's WAF. In addition, you should make sure that the latest WAF version is always in use. Otherwise, attackers may gain access to your systems, access your backend database and exploit other vulnerabilities to exfiltrate data. OT and IoT platforms that use cloud-based monitoring and management systems are particularly at risk.
Many companies are outsourcing their IT applications to the cloud these days. This is not always safe: since the web application firewalls of some cloud providers do not support JSON syntax, the features of security tools can be easily bypassed. Cybercriminals then need only append the JSON syntax to SQL injection payloads to create new payloads that are not recognized by WAFs. As a result, malicious traffic goes undetected, leaving nothing in the way of data exfiltration. Therefore, check promptly whether your cloud provider's WAF is up to date and whether it supports JSON syntax.