- Ethiack recently tested 17 different WAF configurations from major vendors
- As the complexity of the payloads increased, the success rate of bypassing WAFs rose dramatically
- Even the most sophisticated WAFs could be defeated with relatively simple payloads
Web Application Firewalls (WAF) are not as resilient as organizations were led to assume, and can often be bypassed to inject malicious JavaScript code, experts have warned.
Security researchers Ethiack recently tested 17 different WAF configurations from major vendors to see how successful they are at blocking malicious payloads.
The in-depth report centered on a real-world penetration test against ASP.NET applications protected by a highly restrictive WAF. However, despite the firewall’s configuration, the researchers discovered they could abuse cross-site scripting (XSS) vulnerabilities through a technique called HTTP parameter pollution.
Analyzing parameters in isolation
This method abuses how different web frameworks handle multiple parameters with the same name, often concatenating them in ways that can be manipulated to inject malicious JavaScript code.
Ethiack said that as the complexity of the payloads increased, the success rate of bypassing WAFs rose dramatically. For simple injections, they had a success rate of 17.6%, rising to more than 70% for advanced “parameter pollution” techniques.
Even machine learning-based WAFs, which are designed to detect novel threats, were vulnerable to subtle parsing tricks and obfuscation, it was said. But Ethiack’s most surprising discovery was that even the most sophisticated WAFs could be defeated with relatively simple payloads.
The problem with WAFs seems to be that they analyze parameters in isolation, relying heavily on pattern matching.
As a result, they’re blind to the nuanced ways web apps parse and interpret input. For example, ASP.NET concatenates duplicate parameters with commas, and JavaScript treats comma-separated expressions as valid executable code.
By crafting payloads that split malicious code across multiple parameters, the researchers were able to bypass detection and execute JavaScript in the browser.
“This finding highlighted a critical vulnerability in basic security strategies: organizations may invest in costly WAF technologies while remaining vulnerable to attacks that exploit basic implementation gaps or configuration oversights,” the researchers concluded.
“This reminds us that WAFs must not be used as a fix for the root problems of insecure code.”
You might also like
https://cdn.mos.cms.futurecdn.net/3fu9etwmGBBum48JxjAACQ.jpg
Source link
