Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

WAFs of Several Major Vendors Bypassed With Generic Attack Method

Researchers at industrial and IoT cybersecurity firm Claroty have identified a generic method for bypassing the web application firewalls (WAFs) of several major vendors.

Researchers at industrial and IoT cybersecurity firm Claroty have identified a generic method for bypassing the web application firewalls (WAFs) of several major vendors.

Claroty’s researchers discovered the method following an analysis of Cambium Networks’ wireless device management platform. They discovered a SQL injection vulnerability that could be used to obtain sensitive information, such as session cookies, tokens, SSH keys and password hashes.

Exploitation of the flaw worked against the on-premises version, but an attempt to exploit it against the cloud version was blocked by the Amazon Web Services (AWS) WAF, which flagged the SQL injection payload as malicious.

Further analysis revealed that the WAF could be bypassed by abusing the JSON data sharing format. JSON syntax is supported by all major SQL engines and it’s enabled by default.

Claroty researchers used a JSON syntax to craft a new SQL injection payload that would bypass the WAF — because the WAF did not understand it — while still being valid for the database engine to parse. They achieved this by using the JSON operator ‘@<’, which threw the WAF into a loop and allowed the payload to pass to the targeted database.

After they verified the bypass method against the AWS WAF, the researchers checked if it would work against firewalls from other vendors as well. They successfully reproduced the bypass — with few or no changes to the payload — against products from Palo Alto Networks, Cloudflare, F5, and Imperva.WAF bypass

In order to demonstrate the risks associated with this attack in the real world, Claroty added support for the technique to the SQLMap open source exploitation tool.

“We discovered that the leading vendors’ WAFs did not support JSON syntax in their SQL injection inspection process, allowing us to prepend JSON syntax to a SQL statement that blinded a WAF to the malicious code,” the security firm explained.

In response to the research, all of the impacted vendors added JSON syntax support to their products, but Claroty believes other WAFs could be impacted as well.

“Attackers using this novel technique could access a backend database and use additional vulnerabilities and exploits to exfiltrate information via either direct access to the server or over the cloud,” Claroty said. “This is especially important for OT and IoT platforms that have moved to cloud-based management and monitoring systems. WAFs offer a promise of additional security from the cloud; an attacker able to bypass these protections has expansive access to systems.”

Related: Cisco Secure Email Gateway Filters Bypassed Due to Malware Scanner Issue

Related: Fortinet Customers Told to Urgently Patch Remotely Exploitable Vulnerability

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.