Cybersecurity researchers have demonstrated a classy approach for bypassing Net Software Firewalls (WAFs) utilizing JavaScript injection mixed with HTTP parameter air pollution, exposing essential vulnerabilities in fashionable internet safety infrastructure.
The analysis, carried out throughout an autonomous penetration take a look at, revealed how attackers can exploit parsing variations between WAF engines and internet software frameworks to execute malicious code regardless of strict safety configurations.
The vulnerability emerged throughout testing of an ASP.NET software protected by a extremely restrictive WAF.
Whereas the underlying Cross-Web site Scripting (XSS) vulnerability was easy, involving breaking out of a JavaScript string delimited by single quotes, standard XSS payloads have been successfully blocked by the safety system.
This state of affairs introduced researchers with a traditional problem: demonstrating exploitability when defensive mechanisms actively forestall conventional exploitation strategies.
The breakthrough got here by way of understanding ASP.NET’s distinctive parameter dealing with habits. When a number of HTTP parameters share the identical identify, ASP.NET concatenates their values utilizing commas by way of the HttpUtility.ParseQueryString() technique.
This documented Microsoft habits states that “a number of occurrences of the identical question string parameter are listed as a single entry with a comma separating every worth.”
Ethiack analysts recognized this parsing discrepancy as the important thing to bypassing WAF detection whereas sustaining legitimate JavaScript execution.
The assault leverages JavaScript’s comma operator, which permits a number of expressions to execute sequentially inside a single assertion.
By distributing malicious code throughout a number of parameters, researchers might assemble payloads that seem benign individually however mix to type executable JavaScript.
As an illustration, the question string /?q=1’&q=alert(1)&q=’2 turns into 1′,alert(1),’2 after ASP.NET processing, creating syntactically legitimate JavaScript that executes the alert perform when inserted into weak contexts.
Technical Evaluation and WAF Evasion Mechanisms
The analysis methodology concerned testing 17 totally different WAF configurations throughout main cloud suppliers and safety distributors, revealing vital disparities in detection capabilities.
Azure WAF (Supply – Ethiack)
The testing employed three distinct payload sorts, every demonstrating rising sophistication in evasion strategies.
Framework parameter air pollution habits:-
FrameworkInput ExampleOutput ResultASP.NETparam=val1¶m=val2param=val1,val2ASPparam=val1¶m=val2param=val1,val2Golang web/httpparam=val1¶m=val2param=[‘val1′,’val2’]Python – Zopeparam=val1¶m=val2param=[‘val1′,’val2’]Node.jsparam=val1¶m=val2param=val1,val2
Probably the most revealing discovering emerged from payload complexity evaluation. Easy injection makes an attempt achieved solely a 17.6% bypass fee in opposition to examined WAFs, whereas refined parameter air pollution strategies reached 70.6% success charges.
The analysis recognized three main causes for WAF vulnerability: particular person parameter evaluation with out relationship understanding, lack of framework-specific parsing simulation, and reliance on conventional XSS signatures that miss functionally equal however structurally totally different payloads.
Google Cloud Armor (Supply – Ethiack)
Payload effectiveness evaluation:-
Payload TypeExampleSuccess RateSimple Injectionq=’;alert(1),’17.6percentPollution + Semicolonq=1’+1;let+asd=window&q=def=”al”+’ert’52.9percentPollution + Line Breaksq=1’%0aasd=window&q=def=”al”+”ert”70.6%
Autonomous testing techniques demonstrated outstanding adaptability, discovering beforehand unknown bypasses for supposedly safe configurations.
Notably, Azure WAF was defeated utilizing the payload take a look at’;alert(1);//, which exploits parsing discrepancies in escaped character dealing with between WAF sample matching and JavaScript interpretation.
The analysis underscores the essential want for WAFs to implement framework-specific parsing logic and context-aware evaluation capabilities, although such enhancements would considerably affect efficiency in manufacturing environments.
Enhance your SOC and assist your workforce defend what you are promoting with free top-notch menace intelligence: Request TI Lookup Premium Trial.
