Researchers at industrial and IoT cybersecurity firm Claroty have identified a generic method for bypassing the web application firewalls (WAFs) of several major vendors.
Claroty’s researchers discovered the method following an analysis of Cambium Networks’ wireless device management platform. They discovered a SQL injection vulnerability that could be used to obtain sensitive information, such as session cookies, tokens, SSH keys and password hashes.
Exploitation of the flaw worked against the on-premises version, but an attempt to exploit it against the cloud version was blocked by the Amazon Web Services (AWS) WAF, which flagged the SQL injection payload as malicious.
Further analysis revealed that the
WAF could be bypassed by abusing the JSON data sharing format. JSON syntax is supported by all major SQL engines and it’s enabled by default.
Claroty researchers used a JSON syntax to craft a new SQL injection payload that would bypass the WAF — because the WAF did not understand it — while still being valid for the database engine to parse. They achieved this by using the JSON operator ‘@<’, which threw the WAF into a loop and allowed the payload to pass to the targeted database.
After they verified the bypass method against the AWS WAF, the researchers checked if it would work against firewalls from other vendors as well. They successfully reproduced the bypass — with few or no changes to the payload — against products from Palo Alto Networks, Cloudflare, F5, and Imperva.
![[correlate]](/data/avatars/s/79/79653.jpg?1556985072){kind=avatar}