WAF Bypass Using JSON-Based SQL Injection Attacks

Keep up to date with latest blog posts

SQL injection (SQLi) is a major attack vector for websites and the third most common security risk for web applications, according to OWASP Top Ten 2021. Most web application firewalls (WAFs) can detect and block SQLi attacks fairly easily. However, recent research showed that many WAF vendors could not block SQLi attacks that abuse JSON for delivery [1]. Picus Labs added this new WAF bypass method for SQL injection to Picus Threat Library

In this blog post, we explain how WAFs block SQLi attacks and how JSON-based SQLi attacks bypass WAFs in detail.

Simulate Web Application Attacks with 14-Day Free Trial of Picus Platform

What is SQL Injection Attack?

SQL is a query language designed to manage data stored in relational databases. Many web applications and websites use SQL to interact with the relational database in the backend. In some cases, the SQL statements are created using the parameters received from their users. For example, when a user logs in, the service checks the credentials with the following SQL query.

SELECT * FROM users WHERE username = 'Alice' AND password = 'pass123'

SQL injection (SQLi) is a type of injection vulnerability that allows adversaries to execute malicious SQL commands in the database. Here are some common exploitation examples for SQLi:

  • Harvesting credentials from the database
  • Reading and modifying data stored in the database
  • Executing operating system commands

Example 1: SQL injection example [2]

How WAFs Prevent SQL Injection Attacks

Security professionals recommend developers use the following approaches to protect against SQLi attacks:

  • prepared statements
  • input sanitization
  • whitelisting/typed processing of user inputs
  • proper escaping

Although these approaches are valid ways of mitigating SQLi attacks, they are highly prone to human error. That's why many organizations are also using Web Application Firewalls (WAFs) to detect and block SQLi attacks along with other attack types, such as cross-site scripting (XSS) and file inclusion.

WAFs filter, monitor, and block HTTP traffic to and from a web application. To block SQLi attacks, WAF vendors maintain a signature library so that WAFs can detect and match SQL keywords and patterns.

Example 2: SQLi attempt blocked by WAF [3]

Bypassing WAF: SQL Injection via JSON-based Requests

Even though WAFs are great tools against SQLi attacks, they have their limitations, and adversaries use various methods to bypass WAFs. Recently, Team82 of Claroty published a method for bypassing WAF for SQL injection attacks using JSON-based SQL commands [1]. In their research, Team82 discovered that many major WAF vendors, such as Palo Alto Network, Amazon Web Services (AWS), Cloudflare, F5, and Imperva, do not support JSON syntax in their products. As a result, SQL injection attempts that use JSON syntax are not inspected properly and allowed to pass their WAFs. Since major databases such as PostgreSQL, MySQL, SQLite, and Microsoft SQL Server support JSON, adversaries may abuse this functionality to deliver their malicious SQL commands using JSON.

' or JSON_LENGTH("{}") <= 8896 union distinctrow select @@version#

Example 3: Bypassing WAF using JSON-based SQL Statement

After discovering the bypass method, Team82 disclosed their findings to leading WAF vendors, and they added JSON syntax support to their WAF products.

How Picus Helps Simulate JSON-Based SQL Injection Attacks?

We also strongly suggest simulating JSON-Based SQL Injection attacks to test the effectiveness of your security controls against web application attacks using the Picus Complete Security Validation Platform. You can test your defenses against other critical severity web application attacks, such as ProxyShell and Log4Shell, within minutes with a 14-day free trial of the Picus Platform.

Threat ID

Action Name

Attack Module

79258

SQL Injection Evasion With JSON-Based SQL Web Attack Campaign

Web Application

69811

MySQL Web Attack Campaign

Web Application

81404

Postgresql Web Attack Campaign

Web Application

Moreover, Picus Threat Library contains 150+ threats containing 1500+ web application and vulnerability exploitation attacks in addition to 3500+ endpoint, malware, email, and data exfiltration threats as of today.

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address malware attacks in preventive security controls. Currently, Picus Labs validated the following signatures:

Security Control

Signature ID

Signature Name

Check Point NGFW

asm_dynamic_prop_SQLI_SQLMAP

Sqlmap Automated SQL Injection Tool

Cisco Firepower NGFW

1.13990.27

SQL union select - possible sql injection attempt - GET parameter

Cisco Firepower NGFW

1.24172.2

SQL use of concat function with select - likely SQL injection

Cisco Firepower NGFW

1.19437.6

INDICATOR-OBFUSCATION select concat statement - possible sql injection

Citrix Web App Firewall

 

Blocked by 'HTML SQL Injection' Security Check

F5 BIG-IP ASM

200002149

SQL-INJ expressions like "and 1"="1" (5)

F5 BIG-IP ASM

200002420

SQL-INJ expressions like "' and 1 --"

F5 BIG-IP ASM

200102064

SQL-INJ JSON functions (Parameter)

F5 BIG-IP ASM

200002550

SQL-INJ "end-quote UNION" (Parameter)

F5 BIG-IP ASM

200000073

SQL-INJ "UNION SELECT" (Parameter)

F5 BIG-IP ASM

200002736

SQL-INJ ' UNION SELECT (Parameter)

F5 BIG-IP ASM

200002885

SQL-INJ "UNION SELECT" (2) (Parameter)

F5 BIG-IP ASM

200002229

SQL-INJ "SELECT CONCAT()"

F5 BIG-IP ASM

200002951

SQL-INJ CONCAT(0x) (Parameter)

F5 BIG-IP ASM

200002310

SQL-INJ "select 0x" (Parameter)

FortiGate NGFW

15621

web_misc: HTTP.URI.SQL.Injection

FortiWeb Web Application Security

30000194

SQL Injection

Imperva Web Application Firewall

 

SQL Injection UNION SELECT Attack

McAfee

0x40283400

HTTP: SQL Injection - union Oracle

McAfee

0x40281c00

HTTP: SQL Injection - Detection MySQL

ModSecurity

942180

Detects basic SQL authentication bypass attempts 1/3

ModSecurity

942200

Detects MySQL comment-/space-obfuscated injections and backtick termination

ModSecurity

942260

Detects basic SQL authentication bypass attempts 2/3

ModSecurity

942300

Detects MySQL comments

ModSecurity

942410 942480 942150

SQL Injection Attack

ModSecurity

942450

SQL Hex Encoding Identified

ModSecurity

942260

Detects basic SQL authentication bypass attempts 2/3

ModSecurity

942440

SQL Comment Sequence Detected

Palo Alto Networks NGFW

30514

HTTP SQL Injection Attempt

Snort IPS

1.13990.27

SQL union select - possible sql injection attempt - GET parameter

Snort IPS

1.2006446.11

ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT

Snort IPS

1.2011042.3

ET WEB_SERVER MYSQL SELECT CONCAT SQL Injection Attempt

Snort IPS

1.24172.2

SQL use of concat function with select - likely SQL injection

TippingPoint TPS

3593

HTTP: SQL Injection in URL Parameters (UNION)

Start simulating emerging threats today and get actionable mitigation insights with a  14-day free trialof Picus Complete Security Validation Platform.

References

[1] “{JS-ON: Security-OFF}: Abusing JSON-Based SQL to Bypass WAF,” Claroty. https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf. [Accessed: Dec. 13, 2022]

[2] “Exploits of a Mom,” xkcd. https://xkcd.com/327/. [Accessed: Dec. 13, 2022]

[3] “Bypassing WAF by Playing with Parameters,” Sep. 06, 2020.  https://www.notsoshant.io/blog/bypassing-waf-by-playing-with-parameters/. [Accessed: Dec. 13, 2022]

Subscribe

Keep up to date with latest blog posts