"JSON-Based SQL Injection Attacks Trigger Need to Update Web Application Firewalls"

Security researchers have devised a generic SQL injection technique that circumvents multiple Web Application Firewalls (WAFs). WAF vendors had not added support for JSON syntax inside SQL statements, which lets attackers easily conceal malicious payloads. The bypass, discovered by Claroty's Team82 researchers, has been confirmed to work against WAFs from Palo Alto Networks, Amazon Web Services (AWS), Cloudflare, F5, and Imperva. These vendors have since released patches, and customers should update their WAF deployments. The technique may also work against WAF products from other vendors, so users should check with their service providers whether such attacks are detected and blocked.

Claroty's researchers developed the technique while investigating vulnerabilities in Cambium Networks' cnMaestro wireless device management platform, which can be deployed on-premises or in the cloud. Cambium's cloud service provides a separate, isolated instance of the cnMaestro server for each customer and uses AWS as the backend. The researchers discovered seven flaws in cnMaestro, including a SQL injection flaw that allowed them to steal users' sessions, SSH keys, password hashes, tokens, and verification codes from the server database. SQL injection is a common and dangerous web application vulnerability in which attacker-controlled input is concatenated into a SQL query, which the application then executes against the database with its own privileges. After confirming that their exploit worked on an on-premises deployment of cnMaestro, the researchers tried it against a cloud-hosted instance. From the server's response they deduced that the request was most likely blocked by the AWS WAF, which had identified it as malicious. To learn how the AWS WAF detects SQL injection attempts, they hosted their own vulnerable application on AWS and sent malicious requests to it.

They concluded that the WAF identifies SQL syntax in two primary ways: searching the request for specific words it recognizes as SQL keywords, and attempting to parse different parts of the request as valid SQL syntax. Most WAFs combine both methodologies with whatever is unique to the vendor's product, but both share one flaw: each requires the WAF to recognize the syntax in the request as SQL. A payload written in syntax the WAF's signatures and parser do not know is therefore neither matched nor parsed. This article continues to discuss the newly discovered method that uses JSON syntax to deliver malicious payloads, bypassing the SQL injection protections of popular WAFs.
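The two detection strategies described above, as an added illustration that is not code from the CSO Online article or from Team82: a toy Python model of a WAF that (1) matches tautology and UNION signatures and (2) tries to lex the parameter as SQL, beside a hardened rule set that also knows PostgreSQL's JSON operators and the `::` cast. The rule sets are simplifications written for this example, not the actual rules of AWS WAF or any other vendor; the sample parameters are constructed, and the JSON payload uses PostgreSQL's jsonb containment operator `@>` as an assumed illustrative operator, not necessarily the payload the researchers used.

```python
import re

# Added example: a toy model of the two WAF strategies (keyword signatures and
# SQL parsing). Not a vendor rule set; sample inputs below are constructed.

SQL_KEYWORDS = {"or", "and", "not", "select", "union", "from", "where", "null",
                "true", "false", "like", "in", "is", "between", "exists"}

# --- Strategy 1: keyword / signature matching on the raw parameter -------------
OPERAND = r"(?:'[^']*'|\w+)(?:::\w+)?"            # 'a'   1   '{"a":1}'::jsonb

def tautology(ops):
    # "... or <operand> <op>"   e.g.   ' or 1=1     ' or 'a'='a
    return re.compile(r"\b(?:or|and)\b\s*" + OPERAND + r"\s*(?:" + ops + ")", re.I)

UNION_SELECT = re.compile(r"\bunion\b[\s\S]*\bselect\b", re.I)
SIGNATURES_CLASSIC = [tautology(r"=|<>|!=|\blike\b"), UNION_SELECT]
# Hardened: the same tautology rule also knows PostgreSQL JSON comparison operators.
SIGNATURES_JSON_AWARE = [tautology(r"=|<>|!=|\blike\b|@>|<@|->>?|#>>?|\?"), UNION_SELECT]

# --- Strategy 2: try to lex the parameter as SQL --------------------------------
TOKENS_CLASSIC = [
    r"\s+",
    r"--[^\n]*",            # line comment (must precede the '-' punctuation rule)
    r"'(?:[^']|'')*'",      # string literal; '' escapes a quote
    r"\d+(?:\.\d+)?",       # numeric literal
    r"[A-Za-z_]\w*",        # identifier or keyword
    r"<>|<=|>=|!=|=|<|>",   # comparison operators
    r"[()+\-*/,.;]",        # punctuation and arithmetic
]
# Hardened grammar: JSON operators and the :: cast, tried before the classic rules.
TOKENS_JSON_AWARE = [r"->>|->|#>>|#>|@>|<@|\?\||\?&|\?|::"] + TOKENS_CLASSIC

def lex(text, token_patterns):
    """Return the token list, or None if some character is outside the grammar."""
    master = re.compile("|".join(token_patterns))
    pos, tokens = 0, []
    while pos < len(text):
        m = master.match(text, pos)
        if m is None:
            return None   # unknown syntax: this WAF cannot "see" SQL here
        tokens.append(m.group(0))
        pos = m.end()
    return tokens

def parses_as_sql(param, token_patterns):
    # The WAF does not know where the value lands in the query, so it tries the
    # parameter raw and as the body of a single-quoted string literal.
    for ctx in (param, f"'{param}'"):
        tokens = lex(ctx, token_patterns)
        if tokens is None:
            continue
        has_keyword = any(t.lower() in SQL_KEYWORDS for t in tokens)
        has_symbol = any(not (t.isalnum() or t.isspace()) for t in tokens)
        if has_keyword and has_symbol:   # "rock and roll" lexes, but is not SQL
            return True
    return False

def waf_blocks(param, signatures, token_patterns):
    return any(s.search(param) for s in signatures) or parses_as_sql(param, token_patterns)

# Constructed sample parameters.
BENIGN = ["alice", "42", "O'Brien", "rock and roll"]
CLASSIC_SQLI = ["' or 1=1--", "' or 'a'='a", "1 union select username, password from users"]
# Assumed illustrative payload: PostgreSQL jsonb containment, which evaluates to true.
JSON_SQLI = "' or '{\"a\":1}'::jsonb @> '{\"a\":1}'::jsonb--"

if __name__ == "__main__":
    for name, sigs, toks in (("classic", SIGNATURES_CLASSIC, TOKENS_CLASSIC),
                             ("json-aware", SIGNATURES_JSON_AWARE, TOKENS_JSON_AWARE)):
        for p in BENIGN + CLASSIC_SQLI + [JSON_SQLI]:
            verdict = "BLOCK" if waf_blocks(p, sigs, toks) else "allow"
            print(f"{name:10} {verdict:5} {p}")
```

With the classic rule set the three conventional payloads are blocked by both strategies, while the JSON payload passes: the tautology signature is looking for `=`-style comparisons, and the lexer gives up at the first `:` of `::jsonb`, so the string never "parses as SQL". Adding the JSON operators to the signature and to the grammar is all that changes in the hardened rule set, which then blocks the same payload without affecting the benign values.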

CSO Online reports "JSON-Based SQL Injection Attacks Trigger Need to Update Web Application Firewalls"
