AWS WAF and ModSecurity get ‘blinded by science’

A problem in database syntax parsers created a much bigger issue for web application firewalls

Security researchers have discovered that a historic vulnerability affecting both MySQL and MariaDB databases caused serious flaws for security technologies from AWS.

AWS Web Application Firewall (WAF) customers were left unprotected against SQL injection attacks that relied on a scientific notation bug first discovered in 2013, research from GoSecure has revealed.

The same, somewhat obscure flaw also affected customers of ModSecurity, an open-source WAF.

Catch up on the latest vulnerability-related news

The issue dates back to a Black Hat presentation from 2013, delivered by security researcher Roberto Salgado, that delved deep into various SQL injection techniques. The GoSecure team discovered that the aforementioned scientific notation bug, which was cited by Salgado, was far more powerful than first suspected.

The flaw allowed SQL syntax to remain valid even when it should have been deemed invalid, confusing security defenses such as WAFs in the process. Problems ensued when handling scientific notations, specifically the e notation (exponential), as explained in a detailed technical blog post from GoSecure.

The Montreal-based firm disclosed this WAF bypass bug to Amazon in August, receiving confirmation that it had been resolved at the start of October.

It was only at this time that GoSecure discovered the Libinjection component of ModSecurity was similarly vulnerable. After confirming that stricter lockdown settings (specifically the paranoia level 2 workaround in ModSecurity/libinjection) alleviated the problem, GoSecure went public with its findings.

Confusion bug

Amazon Web Services (AWS) offers a product called CloudFront that can be combined with AWS WAF with predefined rules. Tests by GoSecure showed that these rules might be circumvented by taking advantage of the scientific notation vulnerability in the underlying technology.

This flaw neither affects the data handling of MySQL or MariaDB, “nor did it let you escalate your privileges until we found the WAF bypass”, the researchers at GoSecure explain.

“The security implications of this issue are outside the control of MySQL and MariaDB,” according to GoSecure. “Any WAF or similar security products that would disregard SQL requests formed like this would be vulnerable.”

Problems arise for WAFs because what look like invalid requests become valid once the scientific notations are parsed by backend systems.

“If requests are malformed, it is natural that security products wouldn’t consider them valid SQL, thus making them unnecessary to block,” GoSecure concludes.

In response to a request to summarise their findings from The Daily Swig, GoSecure offered a concise explanation:

“There’s a problem in MySQL and MariaDB’s SQL syntax parsers that silently drops some characters in a SQL query. By abusing this we could bypass WAFs including Amazon's AWS WAF (that’s fixed) and can bypass ModSecurity (fixable via config change).”

YOU MAY ALSO LIKE Node.js was vulnerable to a novel HTTP request smuggling technique