Five vendors act to thwart generic hack

JSON syntax hack allowed SQL injection payloads to get smuggled past web application firewalls

Security researchers have developed a technique that prevents web application firewalls (WAFs) from detecting SQL injection attacks.

Several leading vendors’ WAFs failed to support JSON syntax in their SQL injection inspection process, allowing security researchers from Claroty’s Team82 to “prepend JSON syntax to a SQL statement that blinded a WAF to the malicious code”.

The hack, which was presented at Black Hat Europe, worked against WAFs from five leading vendors: Palo Alto Networks, Amazon Web Services, Cloudflare, F5, and Imperva.

All five have updated their products to support JSON syntax in their SQL injection inspection process, clearing the way for Claroty to publish a technical blog post detailing its research.


Prior to recent security updates, attackers using the JSON-based hack would have been able to bypass the WAF’s protection in attempts to exfiltrate data or mount other potential attacks.

“Major WAF vendors lacked JSON support in their products, despite it being supported by most database engines for a decade,” Claroty notes.

“We believe that other vendors’ products may be affected, and that reviews for JSON support should be carried out.”

JSON is a standard file and data exchange format, often used to exchange data between a server and a web application.
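To illustrate the gap Claroty describes, here is an added example (not Claroty's, nor any vendor's, code): a toy WAF-style inspector whose SQL tokenizer does not know JSON operators, beside the same inspector with those operators added. The token classes, the rule and the sample inputs are all constructed for this illustration.

```python
import re

# A constructed, deliberately small WAF-style SQL tokenizer (not any vendor's engine).
# Token classes: s=string, n=number, k=keyword, v=name, c=comment, o=SQL operator,
# p=punctuation, j=JSON operator, u=unrecognised character.
SQL_PATTERNS = [
    ("s", r"'(?:[^']|'')*'"),
    ("n", r"\d+"),
    ("k", r"\b(?:or|and|union|select|where)\b"),
    ("v", r"[A-Za-z_]\w*"),
    ("c", r"--|#|/\*"),
    ("o", r"<=|>=|<>|!=|=|<|>|\+|-|\*|/|\|\|"),
    ("p", r"[(),]"),
]
# PostgreSQL-style JSON operators; the vendor fixes amount to teaching the
# inspector that these are SQL syntax rather than noise.
JSON_PATTERNS = [("j", r"->>|->|#>>|#>|@>|<@|\?\||\?&|\?|::jsonb?")]


def tokenize(value, patterns):
    """Return one class letter per token; anything no pattern knows becomes 'u'."""
    regexes = [(cls, re.compile(pat, re.IGNORECASE)) for cls, pat in patterns]
    tokens, pos = [], 0
    while pos < len(value):
        if value[pos].isspace():
            pos += 1
            continue
        for cls, rx in regexes:
            m = rx.match(value, pos)
            if m:
                tokens.append(cls)
                pos = m.end()
                break
        else:
            tokens.append("u")  # legacy behaviour: JSON operators land here
            pos += 1
    return "".join(tokens)


def looks_injected(value, json_aware):
    """Flag a boolean-condition shape after OR/AND: operand, operator, operand.

    The value is assumed to land inside a single-quoted SQL string, so a quote
    is prepended before tokenizing; 'x' OR 1=1-- tokenizes to "sknonc".
    """
    patterns = JSON_PATTERNS + SQL_PATTERNS if json_aware else SQL_PATTERNS
    operator = "[oj]" if json_aware else "o"
    fingerprint = tokenize("'" + value, patterns)
    return re.search("k[snv]" + operator + "[snv]", fingerprint) is not None
```

With the legacy pattern set, a condition whose comparison operator is a JSON operator never forms the operand-operator-operand shape, so the rule stays silent; adding the JSON operators to the tokenizer is the whole fix.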

Team82 discovered the generic WAF bypass in the course of unrelated research (specifically into Cambium Networks’ wireless device management platform) that was being blocked by a web application firewall.

IoT and OT processes that are monitored and managed from the cloud are most at risk from the issue, according to Claroty. “Organizations should ensure they’re running updated versions of security tools in order to block these bypass attempts,” it advised.

The Daily Swig asked Claroty to clarify what classes of security tools might be vulnerable to this kind of exploit, among other questions. No word back as yet, but we’ll update this story as and when more information comes to hand.
