New attack evades major IT vendors’ web application firewalls

Palo Alto Networks, Amazon Web Services, Cloudflare, Imperva, and F5 web application firewalls could be bypassed through a novel attack exploiting the JSON data sharing format, SecurityWeek reports. Claroty researchers who used an SQLMap open source exploitation tool discovered that major IT vendors' WAFs lacked JSON syntax support for inspecting SQL injections, enabling the concealment of the malicious SQL code from the WAFs. While JSON syntax support has already been added by all the affected vendors in response to the findings, other WAFs could still be vulnerable to the attack. "Attackers using this novel technique could access a backend database and use additional vulnerabilities and exploits to exfiltrate information via either direct access to the server or over the cloud. This is especially important for OT and IoT platforms that have moved to cloud-based management and monitoring systems. WAFs offer a promise of additional security from the cloud; an attacker able to bypass these protections has expansive access to systems," said Claroty.