- Team82’s bypass worked against WAFs sold by five leading vendors: Palo Alto Networks, Amazon Web Services, Cloudflare, F5, and Imperva.
- Attackers using this technique would be able to bypass the WAF’s protection and use additional vulnerabilities to exfiltrate data.
- The attack technique involves appending JSON syntax to SQL injection payloads that a WAF is unable to parse.
Team82 announced that it has developed a generic bypass of industry-leading web application firewalls. It works on Palo Alto, F5, Amazon Web Services, Cloudflare, and Imperva WAFs. The vendors acknowledged the disclosure and released fixes to add support for JSON syntax to SQL inspection processes. The method relies on understanding how WAFs identify and flag SQL syntax as malicious, and then finding SQL syntax the WAF is blind to.
Appending JSON syntax to SQL injection
The team started this journey while researching Cambium Networks’ wireless device management platform, including its cnMaestro wireless network manager. The team downloaded an Open Virtualization Format virtual machine of cnMaestro’s on-premises deployment from Cambium’s website. cnMaestro includes many different NodeJS backend services, each handling users’ requests to specific routes. Nginx acts as a reverse proxy, routing each request to the correct service based on the requested URL. cnMaestro offers two different deployment types:
- On-Premise Deployment: A dedicated cnMaestro server is created that is hosted and managed by the user.
- Cloud Deployment: A cnMaestro server hosted on Cambium Networks’ cloud infrastructure; all such instances of cnMaestro are hosted on Amazon AWS’ cloud under Cambium’s organization in a multi-tenant architecture.
cnMaestro cloud deployments on AWS include a main cnMaestro instance that handles logins and device deployment and stores most of the platform’s data in the main database. Users who register to the application are given a personal AWS instance with a personal URL and an organizational identifier. The team discovered seven different vulnerabilities in Cambium cnMaestro. One of them allowed the team to discover and develop this technique.
The team stated that popular WAFs didn’t support JSON syntax in their SQL injection inspection process. This enabled the team to prepend JSON syntax to a SQL statement, which blinded the WAF to the malicious code. Claroty said,
« Team82’s novel attack technique effectively bypasses the ability of a web application firewall to adequately detect SQL injection attacks. We did so through a complex journey that began with unrelated research that was being thwarted by a web application firewall, setting off a chain of events leading to our generic WAF bypass.
Team82 disclosed its findings to five of the leading WAF vendors, all of which have added JSON syntax support to their products. We believe that other vendors’ products may be affected, and that reviews for JSON support should be carried out. Below are Amazon’s and F5’s acknowledgements and fixes, for example. »
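As an added illustration (not Claroty’s research code or any vendor’s WAF implementation), the following constructed SQL inspection engine shows why a tokenizer that does not know JSON operators never scores a fragment containing them as SQL, and how adding those operators to the inspection process closes the gap. The operator lists, keyword set, quoting contexts and sample parameter values are assumptions made for this example.

```python
import re
# Added illustration of a WAF-style SQL inspection engine (constructed; not any vendor's code).
# Naive mode knows classic SQL operators only; JSON-aware mode also knows PostgreSQL-style JSON operators.
BASE_OPS = ["<>", "!=", "<=", ">=", "=", "<", ">", "+", "-", "*", "/", "(", ")", ",", ";"]
JSON_OPS = ["->>", "->", "#>>", "#>", "@>", "<@", "?|", "?&", "?", "#-"]
BOOLEAN_KW = {"or", "and", "union"}

def tokenize(sql, json_aware):
    """Split SQL text into (kind, text) tokens; raise ValueError on syntax this engine does not know."""
    ops = sorted((JSON_OPS if json_aware else []) + BASE_OPS, key=len, reverse=True)
    tokens, i = [], 0
    while i < len(sql):
        if sql[i].isspace():
            i += 1
        elif sql.startswith("--", i):      # line comment: the rest is ignored
            break
        elif sql[i] == "'":                # string literal, '' is an escaped quote
            m = re.match(r"'(?:[^']|'')*'", sql[i:])
            if not m:
                raise ValueError("unterminated string literal")
            tokens.append(("str", m.group(0)))
            i += len(m.group(0))
        elif m := re.match(r"[A-Za-z_][A-Za-z0-9_]*|\d+", sql[i:]):
            word = m.group(0)
            tokens.append(("kw" if word.lower() in BOOLEAN_KW else "word", word))
            i += len(word)
        else:
            op = next((o for o in ops if sql.startswith(o, i)), None)
            if op is None:
                raise ValueError(f"unknown operator {sql[i]!r} at offset {i}")
            tokens.append(("op", op))
            i += len(op)
    return tokens

def inspect(value, json_aware):
    """Score a request parameter value in both quoting contexts it may land in.
    Blind spot: text the engine cannot tokenize is never scored as SQL at all."""
    parsed = False
    for ctx in ("", "'"):
        try:
            tokens = tokenize(ctx + value, json_aware)
        except ValueError:
            continue
        parsed = True
        if any(kind == "kw" for kind, _ in tokens):
            return ("flag", "boolean SQL keyword outside a string literal")
    return ("allow", "no SQL logic found" if parsed else "not parsed as SQL in any quoting context")

# Constructed sample parameter values (not captured traffic).
SAMPLES = {"benign": "alice", "classic": "x' OR 1=1 --", "json": "x' OR profile @> '{\"k\":1}' --"}
```

Running `inspect` over `SAMPLES` in both modes shows the classic value flagged by both, the benign value allowed by both, and the JSON-syntax value allowed by the naive engine only because it could not be parsed.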