Transforming SQL Queries Bypasses WAF Security

A team of university researchers finds a machine learning-based approach to generating HTTP requests that slip past Web application firewalls.

DARKReading

BLACK HAT ASIA 2022 — A team of university researchers used basic machine learning to identify patterns that common Web application firewalls (WAFs) fail to detect as malicious, but which can still deliver an attacker’s payload, one of the researchers said in a presentation at the Black Hat Asia security conference in Singapore on Thursday.

The researchers from Zhejiang University in China started with common ways of transforming injection attacks to target Web-application databases using the common Structured Query Language (SQL). Rather than using a brute-force search of potential bypasses, the team created a tool, AutoSpear, that uses a pool of potential bypasses that can be combined using a weighted mutation strategy and then tested to determine the effectiveness of the bypasses at evading the security of WAF-as-a-service offerings.

The tool successfully bypassed — as measured by a false negative rate — all seven of the tested cloud-based WAFs with a variety of success, from a low of 3% for ModSecurity to a high of 63% for Amazon Web Services’ and Cloudflare’s WAFs, said Zhenqing Qu, a Zhejiang University graduate student and member of the AutoSpear team.

“The case studies have shown the potential [of the tool], because detection signatures were not robust due to various vulnerabilities,” he said. “Just adding comments or whitespace can bypass some WAFs, but the most effective mutation depends on specific WAFs.”

Web application firewalls are a common way to defend important cloud software and Web services from attack, filtering out common application attacks and attempts at injecting database commands, also known as SQL injection (SQLi). A 2020 study, for example, found that 4 in 10 security professionals believed that 50% of application-layer attacks that targeted their cloud application bypassed their WAF. Other attacks focus on compromising the WAF through its inspection of traffic.

In their presentation, the team from Zhejiang University focused on ways of transforming requests using 10 different techniques for the four common request methods: POST and GET requests, either using JSON encoding or not. The researchers found that the four different types of requests were treated the same by four different WAF vendors, while others approached the inputs differently.

By systematically mutating the requests with different combinations of the 10 techniques — such as inline comments, substituting whitespace, and substituting the common tautologies (that is, “1=1”) for others (such as, “2<3”) — the researchers found a set of transformations that performed best against each of the seven different WAFs.
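As an added illustration (not code from the researchers or the article), the following Python compares a brittle literal signature with a normalize-then-evaluate check over constructed request values that use the three mutation classes named above: inline comments, whitespace substitution (including newlines), and tautology substitution. All sample strings and function names are constructed for this example.

```python
import re

# Constructed sample inputs, one per mutation class the article names,
# plus a benign value that contains a quote character.
SAMPLES = {
    "plain":     "1' OR 1=1 -- ",
    "comment":   "1'/**/OR/**/1=1--",
    "newline":   "1'\nOR\n1=1--",
    "tautology": "1' OR 2<3 -- ",
    "benign":    "O'Brien",
}

# A brittle signature of the kind the article describes as not robust: it only
# knows the literal "1=1" tautology and only tolerates plain spaces around it.
NAIVE_SIG = re.compile(r"\bor +1 *= *1", re.IGNORECASE)

# Generic numeric-comparison pattern applied AFTER normalization
# (single spaces, lowercase), evaluated rather than string-matched.
TAUT = re.compile(r"\bor (\d+) *(<>|!=|<=|>=|=|<|>) *(\d+)\b")
OPS = {
    "=": lambda a, b: a == b, "<>": lambda a, b: a != b, "!=": lambda a, b: a != b,
    "<": lambda a, b: a < b, ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b,
}

def normalize(payload: str) -> str:
    """Canonicalize before matching: remove inline comments, collapse every
    whitespace run (newlines and tabs included) to one space, lowercase."""
    s = re.sub(r"/\*.*?\*/", " ", payload, flags=re.S)
    s = re.sub(r"\s+", " ", s)
    return s.strip().lower()

def naive_flags(payload: str) -> bool:
    """Signature match on the raw request value, with no canonicalization."""
    return NAIVE_SIG.search(payload) is not None

def semantic_flags(payload: str) -> bool:
    """Normalize, then evaluate each numeric comparison following OR; flag only
    comparisons that are unconditionally true (1=1, 2<3, 5>=5, ...)."""
    s = normalize(payload)
    return any(OPS[m.group(2)](int(m.group(1)), int(m.group(3)))
               for m in TAUT.finditer(s))

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:10} naive={naive_flags(value)!s:5} semantic={semantic_flags(value)}")
```

Only the plain form trips the literal signature; the comment, newline and "2<3" variants pass it untouched, while the normalize-then-evaluate check flags all four and leaves the benign value alone.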

"[C]ombining multiple mutation methods, AutoSpear is much more effective in bypassing mainstream WAF-as-a-service solutions due to their vulnerable detection signatures for semantic matching and regular expression matching," the researchers stated in their presentation slides.

SQL injection attacks continue to be a major risk for many companies. The OWASP Top-10 Web Security Risks rated the Injection class of vulnerabilities at the top of its list of risks in 2013 and 2017, and as the No. 3 risk in 2021. The list, released approximately every four years, uses more than 400 broad classes of weaknesses to determine the most significant threats for web applications.

The research team started by creating Web applications that had specific vulnerabilities, and then used its approach to transform the known exploits into a unique request that the WAF would not catch.

Bypassing Web application firewalls typically focuses on three broad approaches. At the architectural level, attackers can find ways to circumvent the WAF and directly access the origin server. At the protocol level, a variety of techniques can use errors or mismatches in encoding assumptions, such as HTTP request smuggling, to bypass WAFs. Finally, at the payload level, attackers can use a variety of encoding transformations to fool the WAF into failing to detect an attack, while still producing a valid request from the standpoint of the database server.

The transformations allowed the attacks to be successful anywhere from 9% of the time to nearly 100% of the time, depending on the WAF and the request format, the team stated in their presentation. In one case, the researcher found that just adding a newline character, "\n", bypassed a major WAF-as-a-service.

AWS, Cloudflare Affected

The research team reported the vulnerabilities to all seven WAF providers: AWS, Cloudflare, CSC, F5, Fortinet, ModSecurity, and Wallarm. Cloudflare, F5, and Wallarm have fixed their issues, Zhenqing said. The team also provided the vendors with bypass patterns that can be used to detect the most common types of transformations.

“The other four are still working with us, since the flaws cannot be easily patched,” he said.
