Bad news - your web firewall may not be as resilient as you thought

[Image: 3D illustration of a server room (credit: Shutterstock)]

  • Ethiack recently tested 17 different WAF configurations from major vendors
  • As the complexity of the payloads increased, the success rate of bypassing WAFs rose dramatically
  • Even the most sophisticated WAFs could be defeated with relatively simple payloads

Web Application Firewalls (WAFs) are not as resilient as organizations were led to assume, and can often be bypassed to inject malicious JavaScript code, experts have warned.

Security researchers at Ethiack recently tested 17 different WAF configurations from major vendors to see how successful they are at blocking malicious payloads.

The in-depth report centered on a real-world penetration test against ASP.NET applications protected by a highly restrictive WAF. However, despite the firewall’s configuration, the researchers discovered they could abuse cross-site scripting (XSS) vulnerabilities through a technique called HTTP parameter pollution.

Analyzing parameters in isolation

This method abuses how different web frameworks handle multiple parameters with the same name, often concatenating them in ways that can be manipulated to inject malicious JavaScript code.

Ethiack said that as the complexity of the payloads increased, the success rate of bypassing WAFs rose dramatically. For simple injections, they had a success rate of 17.6%, rising to more than 70% for advanced “parameter pollution” techniques.

Even machine learning-based WAFs, which are designed to detect novel threats, were vulnerable to subtle parsing tricks and obfuscation, the report said. But Ethiack’s most surprising discovery was that even the most sophisticated WAFs could be defeated with relatively simple payloads.

The problem with WAFs seems to be that they analyze parameters in isolation, relying heavily on pattern matching.

As a result, they’re blind to the nuanced ways web apps parse and interpret input. For example, ASP.NET concatenates duplicate parameters with commas, and JavaScript treats comma-separated expressions as valid executable code.

By crafting payloads that split malicious code across multiple parameters, the researchers were able to bypass detection and execute JavaScript in the browser.

“This finding highlighted a critical vulnerability in basic security strategies: organizations may invest in costly WAF technologies while remaining vulnerable to attacks that exploit basic implementation gaps or configuration oversights,” the researchers concluded.

“This reminds us that WAFs must not be used as a fix for the root problems of insecure code.”


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
