Claroty’s Team82 develops generic bypass of WAF, calls for review of JSON support across organizations

Claroty’s Team82 researchers announced Thursday the development of a generic bypass of web application firewalls (WAF). Attackers using this technique would be able to bypass the WAF’s protection and use additional vulnerabilities to exfiltrate data. The bypass was found to work against WAFs sold by five vendors, including Palo Alto Networks, Amazon Web Services, Cloudflare, F5, and Imperva. All five vendors have been notified and have updated their products to support JSON syntax in their SQL injection inspection process.

Apart from these identified vendors, Claroty believes that other vendors’ products may be affected and that reviews for JSON support should be carried out across organizations. “This is a dangerous bypass, especially as more organizations continue to migrate more business and functionality to the cloud,” Noam Moshe, vulnerability researcher at Claroty, wrote in a company blog post. “IoT and OT processes that are monitored and managed from the cloud may also be impacted by this issue, and organizations should ensure they’re running updated versions of security tools in order to block these bypass attempts.”

Moshe said that the attack technique involves appending JSON syntax to SQL injection payloads that a WAF is unable to parse. “Major WAF vendors lacked JSON support in their products, despite it being supported by most database engines for a decade. Most WAFs will easily detect SQLi attacks, but prepending JSON to SQL syntax left the WAF blind to these attacks,” he added.

Claroty relied on understanding how WAFs identify and flag SQL syntax as malicious, and

Read more

Explore the site

More from the blog

Latest News