Popular WAFs Subverted by JSON Bypass

Web application firewalls from AWS, Cloudflare, F5, Imperva, and Palo Alto Networks are vulnerable to a database attack using the popular JavaScript Object Notation (JSON) format.

3 Min Read
SQL injection hides in JSON
Source: Marina Vonotna via Alamy

Web application firewalls (WAFs) from five major vendors are vulnerable to malicious requests that use the popular JavaScript Object Notation (JSON) to obfuscate database commands and escape detection.

That's according to application-security firm Claroty, whose researchers have found that WAFs produced by Amazon Web Services, Cloudflare, F5, Imperva, and Palo Alto fail to identify malicious SQL commands coded in the JSON format, allowing the forwarding of malicious requests to the back-end database. The research uncovered a fundamental mismatch: Major SQL databases understand commands written in JSON, while WAFs do not.

The technique allows attackers to access and, in some cases, change data as well as compromise the application, says Noam Moshe, a security researcher with Claroty's Team82 research team.

"By bypassing WAF protection, attackers can exploit other vulnerabilities in web applications and potentially take over said applications," he tells Dark Reading. "This is even more relevant in cloud-hosted applications, where many WAFs are deployed by default."

Web application firewalls are a critical layer to protect against application attacks, and often are used to give developers a bit more breathing room from nefarious types trying to exploit coding errors. While they are often relied on as a security crutch by many companies, WAFs are far from perfect and researchers and attackers have found many ways to bypass them. 

In a 2020 survey, for example, four in 10 security professionals claimed that at least half of application attacks had bypassed the WAF. In more recent research released in May, a team of academic researchers from Zhejiang University in China used a variety of methods of obfuscating injection attacks on databases, finding that — among other techniques — JSON could help hide the attacks from cloud-based WAFs.

"Detection signatures were not robust due to various vulnerabilities," the researchers said at the time. "Just adding comments or whitespace can bypass some WAFs, but the most effective mutation depends on specific WAFs."

WAFs Don't "Get" JSON

The researchers' first inkling of a potential attack came from unrelated experiments probing the Cambium Networks' wireless device management platform. The developers of that platform appended user-supplied data directly to the end of a query, a technique that convinced Claroty to investigate a more general application.

In the end, the researchers found they could append legitimate JSON queries to benign SQL code, allowing them to bypass the ability of WAFs to detect injection attacks, and giving attackers the ability to gain direct access to back-end databases, Claroty's research showed.

The technique worked against most major relational databases, including PostgreSQL, Microsoft’s MSSQL, MySQL, and SQLite. While the company had to overcome three technical limitations — such as initially only being able to retrieve numbers and not strings of characters — the researchers eventually created a general-purpose bypass for major Web application firewalls.

"After we bypassed all three limitations, we were left with a big payload allowing us to extract any data we chose," the researchers wrote in Claroty's advisory. "And indeed, when we used this payload we managed to exfiltrate sensitive information stored in the database ranging from session cookies to tokens, SSH keys and hashed passwords."

Obfuscate to Escape

Obfuscating malicious code to bypass anti-injection security measures has a long history. In 2013, for example, attackers began exploiting a vulnerability in the Ruby on Rails framework that allowed JSON code to be used to bypass authentication and inject SQL commands into a web application.

Companies should upgrade their WAFs solutions to gain the advantage of the latest fixes, Moshe says. The security researcher also stressed the companies should have extra security in place to catch future bypass techniques.

"It is important to not use a WAF solution as your sole line of defense," he says. "Instead, it is recommended to secure your applications using many security mechanisms, like limiting access to your application [and] enabling security features."

The researchers notified all five vendors of the vulnerable WAFs, each of which confirmed the issue and have since added JSON syntax support to their products, Claroty stated in its advisory.

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights