A new attack method can bypass popular web application firewalls (WAFs) from different manufacturers, allowing attackers to enter networks and potentially acquire confidential client and corporate data.
Web application firewalls are an essential line of protection: following a configured rule set, they monitor and block HTTP(S) traffic to and from a web application and defend against threats like cross-site scripting (XSS), file inclusion, and SQL injection (SQLi).
The method was developed by Claroty’s threat research team Team82, which published a blog post on Thursday describing the generic bypass. Because the attack method is generic, it may be used to circumvent web application firewalls (WAFs) from a variety of manufacturers. According to the blog post, the method was successfully tested against products from Amazon Web Services, Cloudflare, F5, Imperva, and Palo Alto Networks.
Claroty’s researchers discovered the method following an analysis of Cambium Networks’ wireless device management platform. They found a SQL injection issue that could allow unauthorised access to private data such as session cookies, tokens, SSH keys, and password hashes.
Noam Moshe, a researcher at Claroty, explained that the generic bypass “involves appending JSON syntax to SQL injection payloads that a WAF is unable to parse.” The majority of WAFs can quickly identify SQLi attacks. However, adding JSON syntax to a SQL injection payload leaves the WAF unable to recognise these attacks.
The security company for industrial and IoT devices said that its method was effective against WAFs from Amazon Web Services (AWS WAF), Cloudflare, F5, Imperva, and Palo Alto Networks, all of which have since released updates that support JSON syntax during SQL injection inspection.
Claroty added support for the technique to the open-source SQLMap exploitation tool to demonstrate the real-world risk of this attack.
An attacker able to bypass the security guardrail that WAFs provide against malicious external HTTP(S) traffic can gain initial access to a target environment for further post-exploitation.
The Claroty bypass method focuses on WAFs’ lack of JSON support to create malicious SQL injection payloads that use JSON syntax in order to get around the security measures.
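To make concrete what “JSON support” in WAF inspection means, here is an added Python example (not Claroty’s or any vendor’s code) that runs a small signature check over constructed request-parameter values twice: once with only classic SQLi signatures, and once with PostgreSQL JSON operators and casts added to the rule set. The payload strings and rule names are constructed for illustration and are not taken from the Team82 research.

```python
import re
from urllib.parse import unquote_plus

# Classic SQLi signatures of the kind a WAF keyed on before JSON-aware inspection.
LEGACY_PATTERNS = {
    "tautology": r"\bor\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+",
    "union_select": r"\bunion\b\s+(all\s+)?\bselect\b",
    "comment_terminator": r"(--|#|/\*)",
    "stacked_query": r";\s*(drop|insert|update|delete)\b",
}

# JSON-aware additions: database JSON operators, casts and functions that can
# carry SQL syntax while containing none of the classic keywords above.
JSON_PATTERNS = {
    "pg_json_op": r"(->>?|#>>?|@>|<@|\?[|&])",          # PostgreSQL json/jsonb operators
    "pg_json_cast": r"::\s*jsonb?\b",                   # explicit ::json / ::jsonb casts
    "json_function": r"\bjson_(extract|contains|valid|query|value)\b",  # MySQL/MSSQL/SQLite
}


def inspect(raw_value: str, json_aware: bool) -> list[str]:
    """Return the names of the rules that fire on one URL-decoded parameter value."""
    value = unquote_plus(raw_value)  # inspect the decoded form, as a WAF would
    rules = dict(LEGACY_PATTERNS)
    if json_aware:
        rules.update(JSON_PATTERNS)
    return [name for name, pat in rules.items() if re.search(pat, value, re.IGNORECASE)]


def rule_gap(raw_value: str) -> list[str]:
    """Rules that fire only once JSON syntax is part of the rule set."""
    return sorted(set(inspect(raw_value, True)) - set(inspect(raw_value, False)))


# Constructed sample values: a benign username, a textbook SQLi string, and a
# value built from a jsonb containment test that avoids every legacy keyword.
BENIGN = "alice"
CLASSIC_PAYLOAD = "' OR 1=1 --"
JSON_STYLE_PAYLOAD = "1 AND '{\"a\":1}'::jsonb @> '{\"a\":1}'"

if __name__ == "__main__":
    for label, v in [("benign", BENIGN), ("classic", CLASSIC_PAYLOAD), ("json", JSON_STYLE_PAYLOAD)]:
        print(f"{label:8} legacy={inspect(v, False)} json_aware={inspect(v, True)}")
```

Operators such as `->` or `#>` also appear in ordinary text, so in a real rule set these signatures belong in a scoring scheme with other indicators rather than as stand-alone block rules.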
“Attackers using this unique approach could access a backend database and use additional vulnerabilities and exploits to exfiltrate information via direct access to the server or over the cloud,” explained Moshe. “This is a dangerous bypass, especially as more organisations continue to migrate more business and functionality to the cloud. IoT and OT processes that are monitored and managed from the cloud may also be impacted by this issue, and organizations should ensure they’re running updated versions of security tools in order to block these bypass attempts.” Claroty said. “This is especially important for OT and IoT platforms that have moved to cloud-based management and monitoring systems. WAFs offer a promise of additional security from the cloud; an attacker able to bypass these protections has expansive access to systems.”
“We first notified and worked with all the major vendors and verified that they are aware and blocked the concepts we developed,” Moshe said. “We also tried to notify some other smaller WAF vendors, but they did not respond to us. However, since all the major WAF vendors are now blocking these types of attacks we felt it’s the right time to publish.”
The bypass method could be used in a variety of attacks. As Claroty pointed out, WAFs protect not only web applications but also APIs and cloud-based management platforms. For instance, according to Moshe, attackers could use the bypass to reach backend databases and, with the help of other vulnerabilities, exfiltrate data through compromised servers or cloud instances.
All affected manufacturers responded to the research by adding JSON syntax support to their products, although Claroty believes other WAFs could still be vulnerable.