Akamai issued an update to resolve the flaw several months ago

Akamai WAF bypassed via Spring Boot to trigger RCE

UPDATED A researcher has disclosed a technique that bypassed Akamai web application firewalls (WAF) running Spring Boot, potentially leading to remote code execution (RCE).

Akamai’s WAF, which was patched several months ago, has been designed to mitigate the risk of Distributed Denial-of-Service (DDoS) attacks and uses adaptive technologies to block known web security threats.

Security researcher Peter M, who also goes by the pseudonym ‘pmnh’, said the attack used Spring Expression Language (SpEL) injection.

The bug bounty hunter found the bypass with the assistance of Synack pentester Usman Mansha during an engagement with a private Bugcrowd program.

Server-side template injection

A server-side template injection (SSTI) is at the core of the bypass, a technical write-up by Peter M reveals. Vulnerable versions of Spring Boot throw up error messages in a SpEL expression with whitelabel error pages, they explained. When a vulnerable framework is used, this injection is evaluated server-side – opening a potential pathway for abuse.

Akamai’s WAF blocked the SSTI during testing. However, the team persisted in looking for ways of utilizing SpEL to invoke an operating system command – likely via Java.

RELATED JSON syntax hack allowed SQL injection payloads to be smuggled past WAFs

The most obvious route was to find a way to the java.lang.Runtime class, starting with SpEL reference ${T(java.lang.Runtime)}, but this was blocked by Akamai’s software.

“I suspected this would not work, but when trying to work around a WAF it’s really important to build up from small things that you know work, to larger and more complex payloads,” the researcher said.

The next stage was finding a reference to an arbitrary class, which Peter M said would allow “direct method invocation or reflection-based invocation to get at the method we want”.

Peter M and Mansha used a reflection method to obtain access to Class.forName, built an arbitrary String with the java.lang.Runtime value, accessed the java.lang.Runtime.getRuntime method, and created another string to access java.lang.Runtime – thus enabling development of a workable RCE payload.

The final payload was under 3kb and was accepted by the server as a GET request.

Elusive entry point

However, bypassing the WAF was by no means an easy task. Peter M noted it took approximately 500 crafted attempts and over 14 hours to find an entry point.

The researcher declined to supply a final payload in a text format to prevent blind copycats.

“In this case, deep knowledge of Java and SpEL capabilities was required to construct a payload that would both bypass the Akamai WAF as well as work in the context where it was executing,” they noted.

Akamai response

When approached for comment, Akamai told The Daily Swig that the bypass was only possible as the researchers used an old version of the Akamai WAF protection engine.

A patch was issued on July 25, 2022. As a result, customers running the latest engine version are not at risk of exploitation.

Read more of the latest web application firewall news

Akamai said: “Akamai is aware of the findings of a security researcher who has claimed to have bypassed Akamai’s WAF. This issue was discovered and an update was issued several months prior to this blog post being published.

“The Akamai Threat Research team is always on the lookout for new attack types and works to proactively update protections on a regular basis. Akamai recommends that all customers ensure that Adaptive Security Engine, the protection engine that powers Akamai WAF, is up to date, ideally via automatic updates.”

Peter M told The Daily Swig: “This bug was filed on a private program in Bugcrowd and was fixed in about three weeks.”

This article has been updated to include further comment.

DON’T MISS Black Hat Europe 2022: Hacking tools showcased at annual security conference