Dark Reading is part of the Informa Tech Division of Informa PLC

Transforming SQL Queries Bypasses WAF Security

A team of university researchers finds a machine learning-based approach to generating HTTP requests that slip past Web application firewalls.

BLACK HAT ASIA 2022 -- A team of university researchers used basic machine learning to identify patterns that common Web application firewalls (WAFs) fail to detect as malicious, but which can still deliver an attacker's payload, one of the researchers said in a presentation at the Black Hat Asia security conference in Singapore on Thursday.

The researchers from Zhejiang University in China started with common ways of transforming injection attacks that target Web-application databases through Structured Query Language (SQL). Rather than brute-force searching for potential bypasses, the team created a tool, AutoSpear, that draws on a pool of candidate bypasses, combines them using a weighted mutation strategy, and then tests the results to determine how effectively they evade the security of WAF-as-a-service offerings.

The tool successfully bypassed -- as measured by a false negative rate -- all seven of the tested cloud-based WAFs with varying success, from a low of 3% for ModSecurity to a high of 63% for Amazon Web Services' and Cloudflare's WAFs, said Zhenqing Qu, a Zhejiang University graduate student and member of the AutoSpear team.

"The case studies have shown the potential [of the tool], because detection signatures were not robust due to various vulnerabilities," he said. "Just adding comments or whitespace can bypass some WAFs, but the most effective mutation depends on specific WAFs."

Web application firewalls are a common way to defend important cloud software and Web services from attack, filtering out common application attacks and attempts at injecting database commands, also known as SQL injection (SQLi). A 2020 study, for example, found that 4 in 10 security professionals believed that 50% of application-layer attacks that targeted their cloud application bypassed their WAF. Other attacks focus on compromising the WAF through its inspection of traffic.

In their presentation, the team from Zhejiang University focused on ways of transforming requests using 10 different techniques across four common request formats: POST and GET requests, each either with or without JSON encoding. The researchers found that the four different types of requests were treated the same by four of the WAF vendors, while the others handled the inputs differently.

By systematically mutating the requests with different combinations of the 10 techniques -- such as inline comments, substituting whitespace, and substituting the common tautologies (that is, "1=1") for others (such as, "2<3") -- the researchers found a set of transformations that performed best against each of the seven different WAFs.

"[C]ombining multiple mutation methods, AutoSpear is much more effective in bypassing mainstream WAF-as-a-service solutions due to their vulnerable detection signatures for semantic matching and regular expression matching," the researchers stated in their presentation slides.

SQL injection attacks continue to be a major risk for many companies. The OWASP Top-10 Web Security Risks rated the Injection class of vulnerabilities at the top of its list of risks in 2013 and 2017, and as the No. 3 risk in 2021. The list, released approximately every four years, uses more than 400 broad classes of weaknesses to determine the most significant threats for web applications.

The research team started by creating Web applications that had specific vulnerabilities, and then used its approach to transform the known exploits into unique requests that the WAF would not catch.

Attempts to bypass Web application firewalls typically fall into three broad approaches. At the architectural level, attackers can find ways to circumvent the WAF and directly access the origin server. At the protocol level, a variety of techniques can exploit errors or mismatches in encoding assumptions, such as HTTP request smuggling, to bypass WAFs. Finally, at the payload level, attackers can use a variety of encoding transformations to keep the WAF from detecting an attack, while still producing a valid request from the standpoint of the database server.

The transformations allowed the attacks to succeed anywhere from 9% of the time to nearly 100% of the time, depending on the WAF and the request format, the team stated in their presentation. In one case, the researchers found that just adding a newline character, "\n", bypassed a major WAF-as-a-service.
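The following is an added illustration, not code from the AutoSpear team or from any of the WAF vendors named in the article. It contrasts a naive regex signature of the kind the article says these mutations defeat with a detector that normalizes the three mutation classes the article names (inline comments, whitespace substitution including newlines, and tautology substitution such as "2<3" for "1=1") before matching; the signature, the sample payloads and the function names are all constructed for this example.

```python
import re

# Naive signature: matches the textbook tautology "OR 1=1" only when written
# with exactly one plain whitespace character, as a brittle WAF rule might.
NAIVE_SIGNATURE = re.compile(r"\bOR\s1=1\b", re.IGNORECASE)

def naive_waf_blocks(payload: str) -> bool:
    """Block only if the literal signature appears in the raw request."""
    return NAIVE_SIGNATURE.search(payload) is not None

# Normalizing detector: strip inline comments, collapse every whitespace
# variant, then check whether the comparison is actually always true.
_INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
_WHITESPACE = re.compile(r"[\s\x0b\x0c]+")
_COMPARISON = re.compile(
    r"\bOR\s*(\d+)\s*(<=|>=|<>|=|<|>)\s*(\d+)\b", re.IGNORECASE
)
_OPS = {
    "=": lambda a, b: a == b,
    "<>": lambda a, b: a != b,
    "<": lambda a, b: a < b,
    ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b,
    ">=": lambda a, b: a >= b,
}

def normalize(payload: str) -> str:
    """Remove /* */ comments and fold tabs, newlines, etc. to one space."""
    without_comments = _INLINE_COMMENT.sub(" ", payload)
    return _WHITESPACE.sub(" ", without_comments).strip()

def normalized_waf_blocks(payload: str) -> bool:
    """Block when a numeric OR-comparison survives normalization and is a
    tautology (true for any row), regardless of which constants were used."""
    match = _COMPARISON.search(normalize(payload))
    if match is None:
        return False
    left, op, right = match.groups()
    return _OPS[op](int(left), int(right))

if __name__ == "__main__":
    # Constructed sample inputs covering the mutation classes in the article.
    samples = ["' OR 1=1 --", "' OR/**/1=1 --", "' OR\n2<3 --", "' OR 1=2 --"]
    for s in samples:
        print(repr(s), "naive:", naive_waf_blocks(s),
              "normalized:", normalized_waf_blocks(s))
```

The normalizer deliberately treats every comment as removable; a production WAF would need a tokenizer for the target database dialect, since some engines execute parts of specially formed comments rather than ignoring them.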

AWS, Cloudflare Affected
The research team reported the vulnerabilities to all seven WAF providers: AWS, Cloudflare, CSC, F5, Fortinet, ModSecurity, and Wallarm. Cloudflare, F5, and Wallarm have fixed their issues, Zhenqing said. The team also provided the vendors with bypass patterns that can be used to detect the most common types of transformations.

"The other four are still working with us, since the flaws cannot be easily patched," he said.
