

A JSON-Based SQL Injection Capable of Bypassing Web Application Firewalls
Most vendors have patched the vulnerability. Learn more about this SQL Injection exploit in this curated resource from OpenLampTech.
In this OpenLampTech report, I am sharing a curated content resource based on several articles available across the internet from many sources, about a recently discovered JSON-Based SQL Injection attack.
To set things straight, although I like to think of myself as having a high-level fluency in SQL as a practitioner and developer, I am not an expert on SQL Injection attacks nor on this particular vulnerability.
I created this OpenLampTech report in order to learn more about this type of SQL Injection attack involving JSON - both technologies that I work with as a web developer myself - and to share with others who are interested in knowing more about it.
What we know.
This JSON-Based SQL Injection bypass technique was discovered by Claroty’s Team82 researchers (see the report here).
Terms and Definitions
This is a list of terms and definitions used throughout several of the articles below.
Web Application Firewalls (WAF) - “A web application firewall (WAF) is a specific form of application firewall that filters, monitors, and blocks HTTP traffic to and from a web service.” (source)
SQL Injection (SQLi) - “In computing, SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution…” (source)
JavaScript Object Notation (JSON) - “JSON (JavaScript Object Notation) is an open standard file format and data interchange format that uses human-readable text to store and transmit data objects consisting of attribute–value pairs and arrays (or other serializable values).” (source)
Note: All quoted material for each linked shared article is pulled directly from the source and is in the words of the publishing author.
JSON-based SQL injection attacks trigger need to update web application firewalls
CSO / Published Dec 8, 2022
…Security researchers have developed a generic technique for SQL injection that bypasses multiple web application firewalls (WAFs). At the core of the issue was WAF vendors failing to add support for JSON inside SQL statements, allowing potential attackers to easily hide their malicious payloads…
…to exfiltrate users’ sessions, SSH keys, password hashes, tokens, and verification codes from the server database.
…“While most WAFs will use a combination of both methodologies in addition to anything unique the WAF does, they both have one common weakness: They require the WAF to recognize the SQL syntax,” the researchers said. “This triggered our interest and raised one major research question: What if we could find SQL syntax that no WAF would recognize?”...
NEW JSON-BASED SQL INJECTION ATTACKS ALLOW BYPASSING PALO ALTO, F5, AWS, CLOUDFLARE, AND IMPERVA WAF
INFORMATION SECURITY NEWSPAPER / Published Dec 8, 2022
…Team82 disclosed a new attack approach that functions as the first general bypass of numerous web application firewalls that are marketed by market-leading manufacturers…
…This method depends first on comprehending the manner in which WAFs recognize and label SQL syntax as potentially harmful, and then on locating SQL syntax that the WAF is oblivious to. It turns out that this was a JSON file…
…While most database engines provide support for JSON, same cannot be stated for web application firewalls (WAFs)...
JSON syntax hack allowed SQL injection payloads to be smuggled past WAFs
THE DAILY SWIG / Published Dec 9, 2022
…Several leading vendors’ WAFs failed to support JSON syntax in their SQL injection inspection process, allowing security researchers from Claroty’s Team82 to “prepend JSON syntax to a SQL statement that blinded a WAF to the malicious code”...
…The hack worked against WAFs from five leading vendors: Palo Alto Networks, Amazon Web Services, Cloudflare, F5, and Imperva…
…“Major WAF vendors lacked JSON support in their products, despite it being supported by most database engines for a decade,” Claroty notes…
SECURITY BOULEVARD / Published Dec 9, 2022
…Modern databases, such as PostgreSQL, natively support JSON as data values that can be queried. This capability uses JSON-specific operators, including an operator to test for key presence. Imperva Threat Research has investigated these database native JSON operators and discovered numerous SQL injection (SQLi) bypasses…
…Ultimately, if a database has support for JSON data values and operators, an attacker could possibly compromise this data…
…Generally, Web Application Firewalls (WAFs) can catch the use of “=” in specific values (e.g. query parameters, headers, etc.) as an indicator of SQL injection. These specific attack payloads usually contain “=”, “<”, “>” and then the database-specific escape sequence (“--”). What makes JSON operators dangerous is that an attacker can craft a tautology that does not use an equal sign, which will evade and bypass traditional WAF SQLi detection…
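An added example, not taken from any of the quoted articles or vendors: detection logic in Python showing why a signature keyed on “=” passes a JSON-operator tautology, and what JSON-aware checks on a parameter value look for. The rule set, function names and sample inputs are assumptions constructed for illustration; the operators and casts matched are PostgreSQL's jsonb syntax plus the `json_*` function family.

```python
import re

# Simplified stand-in (assumption) for a pre-JSON SQLi signature:
# a boolean keyword followed, somewhere later, by an "=" comparison.
LEGACY_RULE = re.compile(r"\b(?:or|and)\b[^=]*=", re.I)

# JSON-aware signatures: SQL JSON syntax that has no reason to appear
# inside an ordinary form field or query-string value.
JSON_RULES = {
    "pg_containment": re.compile(r"@>|<@"),             # jsonb contains / contained-by
    "pg_json_cast": re.compile(r"::\s*jsonb?\b", re.I),  # '...'::json / ::jsonb
    "pg_key_exists": re.compile(r"\s\?[|&]?\s*'"),       # jsonb ? 'key' (key presence)
    "json_function": re.compile(r"\bjson_[a-z_]+\s*\(", re.I),
}

def legacy_flags(value):
    """True if the '='-based signature alone would flag this value."""
    return bool(LEGACY_RULE.search(value))

def inspect(value):
    """Return the names of every rule (legacy and JSON-aware) that matches."""
    hits = ["legacy_tautology"] if legacy_flags(value) else []
    hits += [name for name, rx in JSON_RULES.items() if rx.search(value)]
    return hits

# Constructed sample parameter values (not captured traffic).
SAMPLES = {
    "plain_name": "alice",
    "json_body": '{"name": "bob"}',   # ordinary JSON data must stay clean
    "classic": "1' OR 1=1 --",
    # Tautology built from a jsonb containment test: no "=" anywhere.
    "json_tautology": "1' OR '{\"a\":1}'::jsonb @> '{\"a\":1}'::jsonb --",
}

def report():
    """Map each sample to (flagged by legacy rule, all matching rules)."""
    return {k: (legacy_flags(v), inspect(v)) for k, v in SAMPLES.items()}

if __name__ == "__main__":
    for name, (legacy, hits) in report().items():
        print(f"{name:15} legacy={legacy!s:5} rules={hits}")
```

The legacy rule flags only the classic sample; the JSON-aware rules flag the JSON tautology while leaving the plain JSON document alone, because they key on SQL operators and casts rather than on JSON syntax itself.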
Claroty unveils web application firewall bypassing technique
TECHTARGET / Published Dec 9, 2022
…The attack technique works by targeting WAFs that don't support syntax from file and data exchange format JSON as part of their SQL injection detection process…
…"While JSON support is the norm among database engines, the same cannot be said for WAFs. Vendors have been slow to add JSON support, which allowed us to craft new SQL injection payloads that include JSON that bypassed the security WAFs provide."...
…After the technique's discovery, Claroty notified the affected vendors, and all five added JSON support to their WAFs…
Experts devised a technique to bypass web application firewalls (WAF) of several vendors
SECURITY AFFAIRS / Published Dec 9, 2022
…The researchers discovered a Cambium SQL injection vulnerability that they used to exfiltrate users’ sessions, SSH keys, password hashes, tokens, and verification codes…
…“Using JSON syntax, it is possible to craft new SQLi payloads. These payloads, since they are not commonly known, could be used to fly under the radar and bypass many security tools.” reads the report published by Claroty. “Using syntax from different database engines, we were able to compile the following list of true statements in SQL”…
…Claroty researchers used the JSON operator ‘@<’ to throw the WAF into a loop and supply malicious SQLi payloads…
New attack evades major IT vendors’ web application firewalls
SC MEDIA / Published Dec 9, 2022
…Claroty researchers who used an SQLMap open source exploitation tool discovered that major IT vendors' WAFs lacked JSON syntax support for inspecting SQL injections, enabling the concealment of the malicious SQL code from the WAFs…
…While JSON syntax support has already been added by all the affected vendors in response to the findings, other WAFs could still be vulnerable to the attack…
…“WAFs offer a promise of additional security from the cloud; an attacker able to bypass these protections has expansive access to systems,” said Claroty…
I hope you found this curated resource helpful and informative.
Please reply back to me should you see any inconsistencies in the content.
I appreciate any tips and advice you have for this type of media reporting (journalism) content as I have plans on publishing more in the OpenLampTech publication moving forward.
Thank you for reading. I hope you have a great rest of your week.
Take care.
Joshua Otwell