"Transforming SQL Queries Bypasses WAF Security"
A team of researchers at Zhejiang University in China used basic Machine Learning (ML) to identify request patterns that common Web Application Firewalls (WAFs) fail to detect, but which can still deliver a threat actor's payload. The researchers started with common ways of transforming injection attacks that target Web application databases through Structured Query Language (SQL). Rather than conducting a brute-force search for possible bypasses, the team developed AutoSpear, a tool that draws from a pool of potential bypasses, combines them using a weighted mutation strategy, and then tests how effective the results are at circumventing WAF-as-a-service offerings.

According to Zhenqing Qu, a Zhejiang University graduate student and member of the AutoSpear team, the tool bypassed all seven of the tested cloud-based WAFs with varying degrees of success, ranging from a low of 3 percent for ModSecurity to a high of 63 percent for Amazon Web Services' and Cloudflare's WAFs. The team focused its presentation on ways to convert requests using ten distinct techniques across the four common request methods: POST and GET requests, both with and without JSON encoding. The researchers discovered that four of the WAF vendors handled the four request types the same way, whereas the others treated the inputs differently.

SQL injection attacks remain a significant risk for many businesses. In 2013, 2017, and 2021, the OWASP Top-10 Web Security Risks ranked the injection class of vulnerabilities high. All seven WAF providers were notified of the vulnerabilities, but only Cloudflare, F5, and Wallarm have fixed their problems, according to Zhenqing. The researchers also offered the vendors bypass patterns that can be used to detect the most common transformations. AWS, CSC, Fortinet, and ModSecurity are still working with the team because the flaws cannot be easily patched.
This article continues to discuss the researchers' ML-based approach to generating HTTP requests that evade WAFs.
Dark Reading reports "Transforming SQL Queries Bypasses WAF Security"