Claroty unveils web application firewall bypassing technique

OT security vendor Claroty developed an attack technique that would allow a threat actor to bypass the web application firewalls of several top vendors.

The technique came from Claroty's threat research team Team82, which revealed the generic bypass in a blog post Thursday. The attack technique is generic, meaning it works against web application firewalls (WAFs) from multiple vendors. According to the blog post, the technique has been successfully tested against products from Amazon Web Services, Cloudflare, F5, Imperva and Palo Alto Networks.

The attack technique works by targeting WAFs that don't support syntax from file and data exchange format JSON as part of their SQL injection detection process. An attacker could attach JSON syntax to SQL injection payloads to trick the firewall. Moreover, "Attackers using this technique would be able to bypass the WAF's protection and use additional vulnerabilities to exfiltrate data."

"Modern database engines today support JSON syntax by default, basic searches and modifications, as well as a range of JSON functions and operators," wrote Claroty vulnerability researcher Noam Moshe. "While JSON support is the norm among database engines, the same cannot be said for WAFs. Vendors have been slow to add JSON support, which allowed us to craft new SQL injection payloads that include JSON that bypassed the security WAFs provide."

Team82 researchers found the generic bypass technique was successful against most WAF vendors they tested, though the blog post did not say which vendors had pre-existing JSON support and were able to fend off the attack.

After the technique's discovery, Claroty notified the affected vendors, and all five added JSON support to their WAFs. A tweet from Claroty claimed this support has effectively negated the threat introduced by the technique. However, Moshe noted in Claroty's blog post that the vendor believes "other vendors' products may be affected, and that reviews for JSON support should be carried out."

Asked about how Claroty decided that now was the right time to publish the research after only five vulnerable vendors had fixed the issue, Moshe told TechTarget Editorial that Claroty attempted to contact others prior to publication.

"We first notified and worked with all the major vendors and verified that they are aware and blocked the concepts we developed," Moshe said. "We also tried to notify some other smaller WAF vendors but they did not respond to us. However, since all the major WAF vendors are now blocking these types of attacks we felt it's the right time to publish."

The bypass technique could be used in a variety of attacks. WAFs are used to protect not just web applications but, as Claroty noted, APIs and cloud-based management platforms as well. For example, Moshe said, attackers could use the bypass to access backend databases and, with the exploitation of additional flaws, exfiltrate data through compromised servers or cloud instances.

"This is a dangerous bypass, especially as more organizations continue to migrate more business and functionality to the cloud," he wrote in the blog post. "IoT and OT processes that are monitored and managed from the cloud may also be impacted by this issue, and organizations should ensure they're running updated versions of security tools in order to block these bypass attempts."

Claroty has not responded to TechTarget Editorial's request for comment at press time.

Alexander Culafi is a writer, journalist and podcaster based in Boston.