Researchers from Claroty, a cybersecurity company specializing in securing the internet of things (IoT), developed a bypass mechanism for top web application firewalls (WAFs). The attack technique involves adding JSON syntax, which a WAF cannot parse, to SQL injection payloads. The bypass worked against top WAF solutions from five vendors: Palo Alto Networks, Amazon Web Services, Cloudflare, F5, and Imperva.
All five companies have been notified by Team82 Research, the research division of Claroty, to properly mitigate the bypass technique.
Researchers concluded that a successful WAF bypass would allow attackers to exploit additional vulnerabilities to exfiltrate data from the target.
The bypass technique relies on JSON and on the application's ability to work with the requested data immediately. JSON is one of the most predominant formats for storing and transferring data with SQL.
By using JSON in SQL, an application can fetch data, combine multiple data sources internal to a database, modify data, and transform it into JSON format, all within the SQL API.
All major relational databases support native JSON syntax, including MySQL, PostgreSQL, and SQLite. However, even though these databases support JSON, not all security tools have added support for it.
This lack of support in security tools could cause SQL syntax misidentification, according to Team82 researchers.
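To show what "JSON in SQL" looks like to a tool that inspects queries, the following added example (not from Team82's research or the original article) uses SQLite's JSON functions through Python's `sqlite3` module to fetch, modify, combine, and transform data inside SQL, then lists the JSON constructs each statement depends on. The table names, sample rows, and the `json_constructs` helper are constructed for illustration, and its pattern is a non-exhaustive assumption, not a complete grammar.

```python
import json
import re
import sqlite3

# Constructed sample data: table names and rows are illustrative only.
SCHEMA = """
CREATE TABLE sites (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE devices (id INTEGER PRIMARY KEY, site_id INTEGER, meta TEXT);
INSERT INTO sites VALUES (1, 'plant-a'), (2, 'plant-b');
INSERT INTO devices VALUES
  (1, 1, '{"type": "plc", "fw": "1.2"}'),
  (2, 1, '{"type": "hmi", "fw": "3.0"}'),
  (3, 2, '{"type": "plc", "fw": "1.4"}');
"""
# Fetch: filter on a field inside the stored JSON document.
FETCH = "SELECT id FROM devices WHERE json_extract(meta, '$.type') = ? ORDER BY id"
# Modify: rewrite one JSON field in place.
MODIFY = "UPDATE devices SET meta = json_set(meta, '$.fw', ?) WHERE id = ?"
# Combine and transform: join two tables and return a single JSON array.
REPORT = """
SELECT json_group_array(
         json_object('site', s.name, 'type', json_extract(d.meta, '$.type')))
FROM devices d JOIN sites s ON s.id = d.site_id
"""
# Hypothetical, non-exhaustive pattern: json_*/jsonb_* calls and -> / ->> operators.
JSON_SQL = re.compile(r"\bjsonb?_\w+(?=\s*\()|->>?", re.IGNORECASE)

def json_constructs(sql):
    """Return the JSON functions/operators a statement depends on."""
    return sorted({m.lower() for m in JSON_SQL.findall(sql)})

def run_demo():
    """Run the three statements against an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    plcs = [row[0] for row in db.execute(FETCH, ("plc",))]
    db.execute(MODIFY, ("1.3", 1))
    fw = db.execute("SELECT json_extract(meta, '$.fw') FROM devices WHERE id = 1").fetchone()[0]
    report = json.loads(db.execute(REPORT).fetchone()[0])
    db.close()
    return plcs, fw, report

if __name__ == "__main__":
    for name, sql in (("fetch", FETCH), ("modify", MODIFY), ("report", REPORT)):
        print(name, "uses", json_constructs(sql))
    print(run_demo())
```

Every statement here is ordinary application SQL, so an inspection tool needs these tokens in its grammar to classify such queries correctly.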
Beyond the five vendors mentioned above, Team82 believes other vendors in the market are still vulnerable to this WAF bypass mechanism.
Team82 recommends all organizations ensure that they’re running updated versions of the security tools in their environment to block these bypass attempts.