Claroty’s Team82 develops generic bypass of WAF, calls for review of JSON support across organizations

Claroty’s Team82 researchers announced Thursday the development of a generic bypass of web application firewalls (WAF). Attackers using this technique would be able to bypass the WAF’s protection and use additional vulnerabilities to exfiltrate data. The bypass was found to work against WAFs sold by five vendors, including Palo Alto Networks, Amazon Web Services, Cloudflare, F5, and Imperva. All five vendors have been notified and have updated their products to support JSON syntax in their SQL injection inspection process.

Apart from these identified vendors, Claroty believes that other vendors’ products may be affected and that reviews for JSON support should be carried out across organizations. “This is a dangerous bypass, especially as more organizations continue to migrate more business and functionality to the cloud,” Noam Moshe, vulnerability researcher at Claroty, wrote in a company blog post. “IoT and OT processes that are monitored and managed from the cloud may also be impacted by this issue, and organizations should ensure they’re running updated versions of security tools in order to block these bypass attempts.”

Moshe said that the attack technique involves appending JSON syntax to SQL injection payloads that a WAF is unable to parse. “Major WAF vendors lacked JSON support in their products, despite it being supported by most database engines for a decade. Most WAFs will easily detect SQLi attacks, but prepending JSON to SQL syntax left the WAF blind to these attacks,” he added.

Claroty relied on understanding how WAFs identify and flag SQL syntax as malicious, and then finding SQL syntax the WAF is blind to. “This turned out to be JSON. JSON is a standard file and data exchange format, and is commonly used when data is sent from a server to a web application,” according to Moshe. 

“JSON support was introduced in SQL databases going back almost 10 years. Modern database engines today support JSON syntax by default, basic searches and modifications, as well as a range of JSON functions and operators,” Moshe wrote. “While JSON support is the norm among database engines, the same cannot be said for WAFs. Vendors have been slow to add JSON support, which allowed us to craft new SQL injection payloads that include JSON that bypassed the security WAFs provide. Attackers using this novel technique could access a backend database and use additional vulnerabilities and exploits to exfiltrate information via either direct access to the server or over the cloud.”

Pointing out that this is especially important for OT and IoT platforms that have moved to cloud-based management and monitoring systems, Moshe added that WAFs offer a promise of additional security from the cloud – an attacker able to bypass these protections has expansive access to systems.

Claroty began developing the technique last year during unrelated research on Cambium Networks’ wireless device management platform, including its cnMaestro wireless network manager that is sold either on-premises or in the cloud. “One particular Cambium vulnerability we discovered proved more difficult to exploit: CVE-2022-1361,” Moshe wrote. “At the core of the vulnerability is a simple SQL injection vulnerability, however the actual exploitation process required us to think outside the box and create a whole new SQL technique. Using this vulnerability, we were able to exfiltrate users’ sessions, SSH keys, password hashes, tokens, and verification codes,” he added.

The core issue of the vulnerability was that in this particular case, the developers did not use a prepared statement to append user-supplied data to a query, Moshe disclosed. “Instead of using a safe method of appending user parameters into an SQL query and sanitizing the input, they simply appended it to the query directly.”
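The distinction Moshe draws, direct string concatenation versus a prepared statement, is the root cause the WAF was only masking. The following added example (written for this article; it is not Claroty's code and does not reflect cnMaestro's real schema, which is replaced here by a constructed in-memory SQLite table) puts the two query styles side by side. With the prepared statement the driver binds the input as a value, so no syntax the input carries, JSON operators included, is ever parsed as SQL, which is why it holds regardless of what a WAF in front of it understands.

```python
import sqlite3


def build_demo_db():
    """Constructed sample data standing in for a device-management backend (assumption, not a real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, token TEXT)")
    conn.executemany(
        "INSERT INTO users (name, token) VALUES (?, ?)",
        [("alice", "tok-alice-1"), ("bob", "tok-bob-2"), ("carol", "tok-carol-3")],
    )
    return conn


def find_user_vulnerable(conn, name):
    """The defect the article describes: user input is appended straight into the query text.

    Whatever the caller supplies becomes part of the SQL the engine parses,
    so the query's structure is under the caller's control.
    """
    query = f"SELECT id, name FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    """Prepared statement: the query text is fixed and `name` is bound as a value.

    The input is never tokenised as SQL, so it cannot change the statement's
    structure no matter which dialect features (JSON or otherwise) it contains.
    """
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def compare(name):
    """Run the same lookup both ways on a fresh database; returns (safe_rows, vulnerable_rows)."""
    conn = build_demo_db()
    try:
        return find_user_safe(conn, name), find_user_vulnerable(conn, name)
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal lookup behaves identically either way.
    print("normal input:", compare("alice"))
    # The textbook tautology shows the difference: the prepared statement looks for
    # a user literally named "x' OR '1'='1" and finds none, while the concatenated
    # query's WHERE clause is rewritten and every row comes back.
    print("crafted input:", compare("x' OR '1'='1"))
```

Running the module prints the two result pairs; the safe variant returns nothing for the crafted input while the concatenated variant returns all three rows. A WAF rule that fails to recognise some piece of engine syntax changes nothing about the second function's behaviour, which is why the article treats the WAF update as necessary defence in depth and the prepared statement as the actual fix.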

Moshe said that the goal in using the vulnerability was to exfiltrate sensitive data stored in the database. While this seemed simple enough, a quick analysis of the vulnerability showed the team that it had three key weaknesses or limitations: only integers could be retrieved in the returned rows, the rows came back in random order, and only a limited number of rows could be returned in each request.

Moving on to research the AWS WAF, Moshe said that “we first created our own setup where we control all moving parts: the application, the client and the WAF settings and logs. We created a simple machine on the AWS cloud, and set up the AWS WAF to protect the application from malicious requests (we set up the WAF). Then, we created a web application with an SQLi vulnerability, and hosted it on AWS. Lastly, we started sending hundreds of specially crafted requests to try and analyze how the WAF flags requests as malicious.”

From their understanding of how a WAF could flag requests as malicious, Claroty “reached the conclusion that we need to find SQL syntax the WAF will not understand. If we could supply a SQLi payload that the WAF will not recognize as valid SQL, but the database engine will parse it, we could actually achieve the bypass.”

As it turns out, JSON was exactly this mismatch between the WAF’s parser and the database engine, Moshe said. “When we passed valid SQL statements that used less prevalent JSON syntax, the WAF actually did not flag the request as malicious.”

After demonstrating the bypass over AWS WAF, Claroty understood that the core issue of this bypass was a lack of conformance between the database engines and SQLi detection solutions; this is because JSON in SQL is not such a popular and well-known feature, and its syntax was not added to the WAF parser. “However we thought that maybe this issue is not relevant for this WAF vendor alone, maybe other vendors have not added support for JSON syntax as well. So we took our vulnerable web application, and created a setup on most major WAF vendors.” 

The team then discovered that JSON syntax could be used to bypass most vendors, including Palo Alto next-generation firewall, F5 Big-IP, Amazon AWS ELB, Cloudflare, and Imperva. “The fact we managed to bypass so many big WAF products, with limited if any changes to our payload meant we had a generic WAF bypass on our hands. This means that even without knowing exactly what WAF lies between us and our target, we can still exploit a SQL injection vulnerability, bypassing the WAF’s protection,” Moshe wrote.

To demonstrate how big the WAF bypass is, Claroty chose to add support for JSON syntax evasion techniques to the biggest open-source exploitation tool, SQLMap. Moshe said that SQLMap offers an automatic process of SQL injection exploitation, allowing users to scan entire sites for a vulnerability. After SQLMap identifies a SQL vulnerability, it offers the ability to both fingerprint the vulnerability type and identify an exploitation technique best suited to this specific vulnerability. 

“After correctly choosing the technique to exploit the vulnerability, SQLMap even offers users the ability to automatically dump information stored in the database, enumerate tables and databases, exfiltrate password hashes, and perform a few post-exploitation techniques,” according to Moshe. “While SQLMap offers some WAF evasion techniques, we found that it is still easily identified by most modern WAFs, meaning that users cannot use it in cases where a WAF is present.”

Moshe said that the goal was to bring this new technique into SQLMap, and to use JSON syntax in order to bypass WAFs. “In order to do so, we injected payloads generated by SQLMap, adding randomly generated JSON syntax. Since every database engine implemented a different set of JSON functions and operators, we implemented a separate script for each database engine. Using our addition to SQLMap, we were able to bypass a well-known WAF and successfully exploit a vulnerable web application,” he added.
