Full Report
While looking at Cambium, the authors found a simple SQL injection vulnerability. As usual, the application was not using parameterized queries, so user input was concatenated into the query string. The exploitation, however, is what was interesting, because the query had a few limitations. First, only integers can be retrieved from the rows: using a UNION, we can query other tables, but only integers come back. To get around this, the author converted each character into an integer. The second limitation was that the rows were returned in random order, since this was an asynchronous call. To recover the ordering, the author encoded the row index into each number as the row index multiplied by 1000 plus the value. The final limitation was that the asynchronous call can time out before returning the data. To make this more efficient, the author packed more information into each request: they converted the character data to a BIGINT, which can store 8 bytes of data, giving 7 times as much data per request as before.

They tested this on a local instance. When testing it in the cloud, they ran into an AWS Web Application Firewall (WAF) issue. According to the authors, WAFs either have a blacklist of words for recognizing SQL syntax or try to parse SQL syntax from the request; either way, they are trying to recognize SQL syntax in the request. The authors tested hundreds of requests using many obscure SQL features. Recent generations of SQL support JSON, and while testing JSON the author noticed that using JSON in the query made the WAF unable to parse it. Neat! Does this work on other things? It turns out that other major firewall vendors were vulnerable to the same JSON trick as well. Considering that WAFs need to be incredibly fast in their parsing, it makes sense that they would not support every feature. Overall, a good post for both the vulnerability exploitation and the WAF bypass.
Analysis Summary
# Vulnerability: Generic WAF Bypass via JSON Syntax in SQL Injection Payloads
## CVE Details
- CVE ID: Not explicitly provided in the summary for the WAF bypass itself. The underlying vulnerability was found in a Cambium product but the summary focuses on the WAF bypass technique.
- CVSS Score: N/A (Focus is on the bypass technique impacting multiple products)
- CWE: CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')) leveraged against WAFs.
## Affected Systems
- Products: Web Application Firewalls (WAFs) from leading vendors.
- Versions: Vendor-specific versions prior to patches that added support for inspecting JSON syntax within SQL contexts.
- Configurations: WAFs employing blacklist or syntax-parsing logic for SQL injection detection that lacked comprehensive support for modern SQL features like JSON functions.
- **Specifically affected WAF vendors mentioned:** Palo Alto Networks, Amazon Web Services (AWS WAF), Cloudflare, F5, and Imperva.
## Vulnerability Description
The vulnerability is not a flaw in the application database itself (though one application, from Cambium, was noted as having a SQL injection vulnerability), but rather a **generic bypass technique against multiple major Web Application Firewall (WAF) products**.
The flaw stems from WAFs using incomplete SQL parsing/inspection methods (often relying on blacklists or basic syntax analysis) that fail to recognize SQL commands when they are obfuscated or augmented with modern SQL syntax that the WAF's low-latency parser does not support—specifically, JSON functions. By including JSON syntax within SQL injection payloads, the WAF's inspection engine is unable to correctly parse the request, allowing the malicious query to reach the backend database uninspected.
The underlying SQL Injection technique described involved exploiting asynchronous calls where:
1. Only integers could be retrieved.
2. Rows were returned in random order (mitigated by encoding the row index into each value as `index * 1000 + value`).
3. Payloads were optimized by converting data to `BIGINT` to maximize data transfer per request, overcoming timeout limitations.
## Exploitation
- Status: Proof of Concept (PoC) available; the technique was successfully demonstrated against five major WAF vendors. Not stated as exploited in the wild.
- Complexity: Medium (Requires specific knowledge of the underlying SQL vulnerability limitations and deep understanding of WAF parsing mechanisms).
- Attack Vector: Network (HTTP Request).
## Impact
- Confidentiality: High (Successful bypass allows attackers to exfiltrate sensitive data via the underlying SQL Injection vulnerability).
- Integrity: High (Allows modification or injection of unauthorized SQL commands).
- Availability: Medium (A successful high-volume injection attempt could lead to denial of service, though the primary impact is data exfiltration).
## Remediation
### Patches
- Vendors (Palo Alto Networks, AWS, Cloudflare, F5, Imperva) implemented fixes to update their WAF inspection processes to correctly parse and analyze SQL syntax containing JSON features. Specific patch versions are vendor-dependent.
### Workarounds
- **Specific to the WAF bypass:** Security teams should immediately ensure WAFs are configured to reject requests containing recognized JSON syntax adjacent to traditional SQL keywords, or alternatively, rely on other layered defenses until updates are applied.
- **General SQLi mitigation (for the underlying database issue):** Developers must cease using string concatenation for building SQL queries and immediately implement **parameterized queries** or **prepared statements** across all database interactions involving untrusted input.
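As an added illustration of this workaround (example code, not from the Cambium product or the Claroty post), the concatenated query next to its parameterized replacement, using a constructed SQLite schema that stands in for the application's database; the table and column names are assumptions:

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the vulnerable application's database."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE devices (id INTEGER PRIMARY KEY, uptime INTEGER);
        CREATE TABLE users (name TEXT);
        INSERT INTO devices VALUES (42, 3600);
        INSERT INTO users VALUES ('admin');
    """)
    return con


def uptime_vulnerable(con: sqlite3.Connection, device_id: str) -> List[Tuple[int]]:
    """Builds the query by string concatenation, the pattern the summary blames.
    Whatever the caller appends (a UNION, JSON syntax, ...) becomes part of the SQL,
    and only the WAF stands between that input and the database."""
    return con.execute("SELECT uptime FROM devices WHERE id = " + device_id).fetchall()


def uptime_fixed(con: sqlite3.Connection, device_id: str) -> List[Tuple[int]]:
    """Validates the expected type, then binds it: the value can only ever be data.
    int() rejects anything that is not a plain integer before SQLite sees it, and the
    ? placeholder means no WAF has to recognise SQL syntax for the app to be safe."""
    return con.execute("SELECT uptime FROM devices WHERE id = ?", (int(device_id),)).fetchall()
```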
## Detection
- **Indicators of Compromise:** Look for HTTP requests containing unusual combinations of traditional SQL keywords (e.g., `SELECT`, `UNION`) immediately adjacent to JSON formatting syntax (e.g., `{`, `[`) being sent to web applications.
- **Detection Methods and Tools:** WAF rulesets should be updated or manually configured to inspect the request body/parameters for anomalies that mix SQL keywords with JSON structures, forcing the request to fail inspection if unusual combinations are detected. Organizations should review previous logs for requests that might have already bypassed older WAF rules.
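An added example of the detection approach above (not code from the original report): a scanner that decodes each query parameter in constructed access-log lines and flags values that mix SQL keywords with JSON syntax. The keywords beyond `SELECT`/`UNION`, the `JSON_` function-name check and the log format are assumptions.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed access-log lines for this example; not taken from the original report.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2022:10:01:02 +0000] "GET /api/devices?id=42 HTTP/1.1" 200 512
10.0.0.7 - - [10/Dec/2022:10:01:09 +0000] "GET /api/devices?id=42%20UNION%20SELECT%20CAST(name%20AS%20BIGINT)%20FROM%20users HTTP/1.1" 403 0
10.0.0.9 - - [10/Dec/2022:10:01:15 +0000] "GET /api/devices?id=42%20UNION%20SELECT%201%20WHERE%20'%7B%22k%22%3A1%7D'%3D'%7B%22k%22%3A1%7D' HTTP/1.1" 200 2048
10.0.0.11 - - [10/Dec/2022:10:01:20 +0000] "GET /api/search?q=%7B%22filter%22%3A%5B1%2C2%5D%7D HTTP/1.1" 200 300
"""

REQ_LINE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/')
# The summary names SELECT and UNION; the other keywords are this example's assumptions.
SQL_KW = re.compile(r"\b(UNION|SELECT|FROM|WHERE|CAST)\b", re.I)
# The summary's `{` / `[` heuristic, plus JSON_* function names (an assumption).
JSON_SYNTAX = re.compile(r"[{}\[\]]|\bJSON_[A-Z]+\b", re.I)


def normalize(value: str) -> str:
    """Undo repeated URL-encoding and collapse whitespace before keyword matching."""
    prev = None
    while prev != value:
        prev, value = value, unquote_plus(value)
    return " ".join(value.split())


def classify_param(value: str) -> Optional[str]:
    """Verdict for one parameter value: 'sqli+json', 'sqli', or None.
    A statement keyword (UNION/SELECT) plus one other keyword is required, so ordinary
    English such as 'where do I order from' and plain JSON bodies do not fire."""
    v = normalize(value)
    keywords = {m.group(1).upper() for m in SQL_KW.finditer(v)}
    if len(keywords) < 2 or not keywords & {"UNION", "SELECT"}:
        return None
    return "sqli+json" if JSON_SYNTAX.search(v) else "sqli"


def scan_log(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, parameter_name, verdict) for every flagged query parameter."""
    findings = []
    for line in log_text.splitlines():
        m = REQ_LINE.match(line)
        if not m:
            continue
        for name, value in parse_qsl(urlsplit(m.group("target")).query, keep_blank_values=True):
            verdict = classify_param(value)
            if verdict:
                findings.append((m.group("ip"), name, verdict))
    return findings
```

On the sample, the second line is flagged as plain `sqli` and the third as `sqli+json`, while the JSON-only search on the fourth line is not flagged; the `sqli+json` verdict is the one worth reviewing first in historical logs, since those requests are the ones an unpatched WAF would have let through.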
## References
- Claroty Blog Post: `hXXps://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf`