
A new attack technique bypasses web application firewalls (WAFs) from several vendors, allowing attackers to reach backend systems and potentially obtain confidential customer and business data.

WAFs sit in front of a web application and are designed to detect and block common web-based attacks before they reach the application and the data behind it.

By filtering, monitoring, and blocking HTTP(S) traffic to and from a web application, a WAF is an essential line of defence against threats such as cross-site scripting (XSS), file inclusion, and SQL injection (SQLi).

Noam Moshe, a vulnerability researcher at Claroty, explained that the generic bypass “involves appending JSON syntax to SQL injection payloads that a WAF is unable to parse.” Most WAFs readily recognise SQL injection attacks, but once JSON syntax was added to the SQL payload the WAFs no longer saw them as attacks.

The industrial and IoT cybersecurity firm said its method worked against WAFs from Amazon Web Services (AWS), Cloudflare, F5, Imperva, and Palo Alto Networks, all of which have since shipped updates that add JSON syntax inspection for SQL injection.

Because a WAF is the security barrier against malicious external HTTP(S) traffic, the bypass gives an attacker a way past that guardrail and an initial foothold in the target environment.

“Attackers using this novel technique could access a backend database and use additional vulnerabilities and exploits to exfiltrate information via either direct access to the server or over the cloud,” Moshe explained.

“This is a dangerous bypass, especially as more organisations migrate more business and functionality to the cloud.”

The Claroty bypass relies on the WAFs’ lack of JSON support: SQL injection payloads that carry JSON syntax were not recognised as SQL by the WAFs’ parsers and passed through the security controls unchallenged.
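To make the mechanism concrete, here is an added example (not Claroty’s research code, and not any vendor’s rule set) that models a naive signature-based WAF, shows a classic tautology being blocked while two JSON-syntax payloads carrying the same “always true” logic pass through, and then adds a JSON-aware check. The rules, the payload shapes (a PostgreSQL-style jsonb containment operator and a json_extract() call as understood by SQLite and MySQL) and the two-row users table are all constructed for this illustration; the vulnerable query is deliberately built by string concatenation so the effect can be seen end to end.

```python
"""Toy demonstration of JSON-syntax SQL injection slipping past a
signature-based WAF, then a JSON-aware check that catches it.

Constructed for this example: the rules, payloads and table are not
Claroty's research code or any vendor's rule set."""
import re
import sqlite3

# Constructed signature rules in the style of a naive WAF: tautologies,
# UNION-based extraction, and time-based probes. Assumption: the WAF has no
# notion of JSON operators or JSON functions.
NAIVE_RULES = [
    re.compile(r"\bunion\b\s+(?:all\s+)?\bselect\b", re.I),      # UNION SELECT
    re.compile(r"'\s*or\s*'[^']*'\s*=\s*'", re.I),               # ' OR 'a'='a
    re.compile(r"\bor\s+\d+\s*=\s*\d+", re.I),                    # OR 1=1
    re.compile(r"\b(?:sleep|benchmark|waitfor)\b\s*\(?", re.I),   # time-based
]

# JSON constructs that do not belong in an ordinary string parameter.
# Operators are PostgreSQL-style (@>, <@, ->, ->>, ?); functions cover
# MySQL/SQLite (json_extract), MSSQL (json_value/openjson) and PostgreSQL.
JSON_OPERATORS = re.compile(r"@>|<@|->>|->|#>>|#>|\?[|&]?")
JSON_FUNCTIONS = re.compile(
    r"\b(?:json_extract|json_value|json_query|json_contains|openjson|jsonb?_\w+)\s*\(",
    re.I)


def naive_waf_blocks(param: str) -> bool:
    """True if the naive signature set flags the parameter value."""
    return any(rule.search(param) for rule in NAIVE_RULES)


def json_aware_waf_blocks(param: str) -> bool:
    """Naive rules plus: a boolean connective (OR/AND) together with a JSON
    operator or JSON function anywhere in the value is treated as an
    injected condition."""
    if naive_waf_blocks(param):
        return True
    has_connective = re.search(r"\b(?:or|and)\b", param, re.I) is not None
    return has_connective and bool(
        JSON_OPERATORS.search(param) or JSON_FUNCTIONS.search(param))


# Constructed payloads. The first is a classic tautology; the other two carry
# the same "always true" logic through JSON syntax instead of 1=1.
CLASSIC_PAYLOAD = "' OR 1=1 -- "
PG_JSON_PAYLOAD = "' OR '{\"b\":2}' <@ '{\"a\":1,\"b\":2}' -- "       # jsonb containment
SQLITE_JSON_PAYLOAD = "' OR json_extract('{\"a\":1}', '$.a') = 1 -- "  # json_extract()


def vulnerable_lookup(username: str):
    """Deliberately vulnerable lookup built by string concatenation, run
    against an in-memory SQLite table with two constructed rows. Returns the
    number of rows matched, or None if this SQLite build lacks JSON support
    (the json_extract payload then cannot be evaluated at all)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cr3t"), ("bob", "hunter2")])
    query = f"SELECT count(*) FROM users WHERE name = '{username}'"  # vulnerable
    try:
        return conn.execute(query).fetchone()[0]
    except sqlite3.OperationalError:  # e.g. "no such function: json_extract"
        return None
    finally:
        conn.close()


if __name__ == "__main__":
    for label, p in [("classic", CLASSIC_PAYLOAD),
                     ("pg-json", PG_JSON_PAYLOAD),
                     ("sqlite-json", SQLITE_JSON_PAYLOAD)]:
        print(f"{label:12} naive_blocks={naive_waf_blocks(p)!s:5} "
              f"json_aware_blocks={json_aware_waf_blocks(p)}")
    print("rows matched by the json_extract payload:",
          vulnerable_lookup(SQLITE_JSON_PAYLOAD))
```

The JSON-aware check is only a stopgap: a real WAF needs its SQL tokenizer to understand JSON operators and functions as SQL so that it can fingerprint the whole statement, and the `?` operator in particular will collide with legitimate parameter values, so tune the rule to the database engines actually in use. None of this replaces parameterised queries in the application, which make the concatenated query above impossible in the first place.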

While this technique poses a real threat to businesses, WAFs remain an effective and necessary security tool against malicious web traffic. The practical lesson is that a WAF is one layer of defence rather than a substitute for parameterised queries and input validation in the application itself, and that WAF rule sets must be kept current as the vendors add JSON inspection.
