Virtual Event Now Live: Cloud Security Summit | July 17 - Access Livestream
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

WAFs of Several Major Vendors Bypassed With Generic Attack Method

Researchers at industrial and IoT cybersecurity firm Claroty have identified a generic method for bypassing the web application firewalls (WAFs) of several major vendors.

Researchers at industrial and IoT cybersecurity firm Claroty have identified a generic method for bypassing the web application firewalls (WAFs) of several major vendors.

Claroty’s researchers discovered the method following an analysis of Cambium Networks’ wireless device management platform. They discovered a SQL injection vulnerability that could be used to obtain sensitive information, such as session cookies, tokens, SSH keys and password hashes.

Exploitation of the flaw worked against the on-premises version, but an attempt to exploit it against the cloud version was blocked by the Amazon Web Services (AWS) WAF, which flagged the SQL injection payload as malicious.

Further analysis revealed that the WAF could be bypassed by abusing the JSON data sharing format. JSON syntax is supported by all major SQL engines and it’s enabled by default.

Claroty researchers used a JSON syntax to craft a new SQL injection payload that would bypass the WAF — because the WAF did not understand it — while still being valid for the database engine to parse. They achieved this by using the JSON operator ‘@<’, which threw the WAF into a loop and allowed the payload to pass to the targeted database.

After they verified the bypass method against the AWS WAF, the researchers checked if it would work against firewalls from other vendors as well. They successfully reproduced the bypass — with few or no changes to the payload — against products from Palo Alto Networks, Cloudflare, F5, and Imperva.WAF bypass

In order to demonstrate the risks associated with this attack in the real world, Claroty added support for the technique to the SQLMap open source exploitation tool.

“We discovered that the leading vendors’ WAFs did not support JSON syntax in their SQL injection inspection process, allowing us to prepend JSON syntax to a SQL statement that blinded a WAF to the malicious code,” the security firm explained.

In response to the research, all of the impacted vendors added JSON syntax support to their products, but Claroty believes other WAFs could be impacted as well.

Advertisement. Scroll to continue reading.

“Attackers using this novel technique could access a backend database and use additional vulnerabilities and exploits to exfiltrate information via either direct access to the server or over the cloud,” Claroty said. “This is especially important for OT and IoT platforms that have moved to cloud-based management and monitoring systems. WAFs offer a promise of additional security from the cloud; an attacker able to bypass these protections has expansive access to systems.”

Related: Cisco Secure Email Gateway Filters Bypassed Due to Malware Scanner Issue

Related: Fortinet Customers Told to Urgently Patch Remotely Exploitable Vulnerability

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

CISA has appointed Jeff Greene as Executive Assistant Director for Cybersecurity and Trent Frazier as Assistant Director for Stakeholder Engagement.

Anirban Sengupta has been named the CTO and SVP of Engineering of cloud networking and security firm Aviatrix.

Axonius has named Nick Degnan as its first Chief Revenue Officer and Rob Casselman as its first Chief Customer Officer.

More People On The Move

Expert Insights