Abusing JSON-Based SQL to Bypass WAF

Keywords: 
JSON
Description: 

On December 8th, 2022 Team82 published a generic bypass technique for several industry-leading web application firewalls (WAFs). Details, including the list of known affected WAF vendors, can be found in [1].

Airlock Gateway and Microgateway are not affected.

Details:

The filter bypass technique relates to SQL injection. The attack appends JSON syntax (JSON operators and functions such as PostgreSQL's `@>`, `<@` and `::jsonb`, or MySQL's `->` and `JSON_EXTRACT`) to a SQL injection payload; a WAF whose SQL parser does not understand that syntax no longer recognizes the payload as SQL and lets it through. All supported Airlock Gateway and Microgateway versions block this kind of evasion technique. The following list shows example attack strings together with the Airlock Deny Rules that block them (Deny Rule short name, per security level):

<standard (SQL_005A,SQL_055A), strict (SQL_005A,SQL_050A,SQL_055A)> sqli=' or '{"b":2}'::jsonb <@ '{"a":1, "b":2}'::jsonb --
<standard (SQL_005A), strict (SQL_005A)> sqli=' or '{"b":2}'::jsonb <@ '{"a":1, "b":2}
<standard (SQL_005A,SQL_055A), strict (SQL_005A,SQL_050A,SQL_055A)> sqli=' or '{"a":2,"c":[4,5,{"f":7}]}' -> '$.c[2].f' = 7 --
<standard (SQL_005A), strict (SQL_005A)> sqli=' or '{"a":2,"c":[4,5,{"f":7}]}' -> '$.c[2].f' = '7
<standard (SQL_005A,SQL_055A), strict (SQL_005A,SQL_050A,SQL_055A)> sqli=' or JSON_EXTRACT('{"id": 14, "name": "Aztalan"}', '$.name') = 'Aztalan' --
<standard (SQL_005A), strict (SQL_005A)> sqli=' or JSON_EXTRACT('{"id": 14, "name": "Aztalan"}', '$.name') = 'Aztalan
<standard (SQL_005A), strict (SQL_005A)> sqli=' or data @> '{"a":"b"}' ==
<standard (SQL_005A), strict (SQL_005A)> sqli=' or data @> '{"a":"b"}' == '1
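To make the mechanism behind the bypass concrete, the following is an added example and not Airlock's Deny Rule engine, any other vendor's code, or code from the Team82 write-up. It is a deliberately simplified Python model of a SQL-injection classifier: a parameter is flagged when it closes the application's string literal, continues with OR/AND and is followed by an expression the parser can fully account for. Operators and functions missing from its tables become "junk" tokens, the expression no longer parses, and the payload passes, which is exactly the gap the JSON-syntax payloads exploit. The operator and function tables, the token classes and the sample payloads (taken from the list above, plus one classic payload and one benign JSON value) are all constructed for this example.

```python
"""Simplified model of a SQL-injection tokenizer/classifier (constructed for
illustration; not Airlock's engine and not any real WAF's code)."""
import re

# Operator table of a parser that predates JSON support ("==" is SQLite's
# alias for "=", as used in the page's last two payloads). Assumed tables.
BASE_OPERATORS = ["=", "==", "<>", "!=", "<=", ">=", "<", ">", "+", "-", "*", "/", "%", "||"]
# Same table extended with PostgreSQL/MySQL JSON operators and the "::" cast.
JSON_OPERATORS = BASE_OPERATORS + ["->>", "->", "#>>", "#>", "@>", "<@", "?|", "?&", "?", "::"]
BASE_FUNCTIONS = {"lower", "upper", "concat", "substr"}
JSON_FUNCTIONS = BASE_FUNCTIONS | {"json_extract", "json_value", "json_query", "jsonb_path_exists"}
KEYWORDS = {"or", "and", "union", "select", "from", "where"}
OPERANDS = {"string", "number", "name"}

def _pattern(operators):
    # Longest operators first so "->>" wins over "->" and "-", "<@" over "<".
    ops = "|".join(re.escape(o) for o in sorted(operators, key=len, reverse=True))
    return re.compile(
        r"(?P<string>'(?:[^']|'')*'?)"             # quoted string, may be unterminated
        r"|(?P<comment>--[^\n]*|/\*.*?\*/)"
        r"|(?P<number>\d+(?:\.\d+)?)"
        r"|(?P<op>" + ops + r")"
        r"|(?P<word>[A-Za-z_][A-Za-z0-9_]*)"
        r"|(?P<lparen>\()|(?P<rparen>\))|(?P<comma>,)"
        r"|(?P<ws>\s+)|(?P<junk>.)",                # anything the parser has no table for
        re.DOTALL,
    )

def tokenize(payload, operators, functions):
    tokens, rest = [], payload
    # Evaluate the value as the tail of a single-quoted string: a leading quote
    # closes the application's own literal.
    if rest.startswith("'"):
        tokens.append(("string", "'"))
        rest = rest[1:]
    for m in _pattern(operators).finditer(rest):
        kind, text = m.lastgroup, m.group()
        if kind == "ws":
            continue
        if kind == "word":
            low = text.lower()
            kind = "keyword" if low in KEYWORDS else "function" if low in functions else "name"
        tokens.append((kind, text))
    return tokens

def _operand(tokens, i):
    """Consume one operand (literal, column, known function call or parenthesised
    expression); return the index after it, or None if it does not parse."""
    if i >= len(tokens):
        return None
    kind = tokens[i][0]
    if kind in OPERANDS:
        return i + 1
    if kind == "function" and i + 1 < len(tokens) and tokens[i + 1][0] == "lparen":
        j = i + 2
        while True:                      # comma-separated argument list
            j = _expression(tokens, j)
            if j is None:
                return None
            if j < len(tokens) and tokens[j][0] == "comma":
                j += 1
            elif j < len(tokens) and tokens[j][0] == "rparen":
                return j + 1
            else:
                return None
    if kind == "lparen":
        j = _expression(tokens, i + 1)
        if j is not None and j < len(tokens) and tokens[j][0] == "rparen":
            return j + 1
    return None

def _expression(tokens, i, allow_dangling=False):
    """operand (op operand)*; at the top level a trailing operator is accepted
    because the application's closing quote supplies the missing operand."""
    j = _operand(tokens, i)
    if j is None:
        return None
    while j < len(tokens) and tokens[j][0] == "op":
        k = _operand(tokens, j + 1)
        if k is None:
            return j + 1 if allow_dangling and j + 1 == len(tokens) else None
        j = k
    return j

def looks_like_sqli(payload, operators, functions):
    tokens = tokenize(payload, operators, functions)
    if tokens and tokens[-1][0] == "comment":      # trailing "--" is allowed
        tokens = tokens[:-1]
    if len(tokens) < 3 or tokens[0][0] != "string":
        return False
    if tokens[1][0] != "keyword" or tokens[1][1].lower() not in ("or", "and"):
        return False
    return _expression(tokens, 2, allow_dangling=True) == len(tokens)

def classify(payload):
    """(flagged by the legacy parser, flagged by the JSON-aware parser)."""
    return (looks_like_sqli(payload, BASE_OPERATORS, BASE_FUNCTIONS),
            looks_like_sqli(payload, JSON_OPERATORS, JSON_FUNCTIONS))

# Constructed sample input: attack strings from the list above, a classic
# payload and a benign JSON value for comparison.
PAYLOADS = [
    "' or 1=1 --",
    """' or '{"b":2}'::jsonb <@ '{"a":1, "b":2}'::jsonb --""",
    """' or '{"a":2,"c":[4,5,{"f":7}]}' -> '$.c[2].f' = 7 --""",
    """' or JSON_EXTRACT('{"id": 14, "name": "Aztalan"}', '$.name') = 'Aztalan' --""",
    """' or data @> '{"a":"b"}' == '1""",
    '{"a":1,"b":2}',
]

if __name__ == "__main__":
    for p in PAYLOADS:
        legacy, json_aware = classify(p)
        print(f"legacy={legacy!s:5} json_aware={json_aware!s:5}  {p}")
```

Running the block shows the classic `' or 1=1 --` flagged by both parsers, the four JSON payloads flagged only by the JSON-aware parser (the legacy one stops at `::`, `@`, the split `->` or the unknown `JSON_EXTRACT` call), and the plain JSON value flagged by neither. The practical lesson is the one the advisory makes: a signature or parser-based filter is only as complete as its knowledge of the dialects the back end actually accepts, and the application itself should still use parameterized queries rather than rely on the WAF alone.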

Airlock's Deny Rule filters provide a very high level of security, as they are tested 24x7 in a CTF-like bug bounty program. Any interested hacker is welcome to join the program, and every new bypass technique is rewarded with a bounty. Links to sign up: https://hackerone.com/airlock or https://www.bugbounty.ch/programs

Resolution: 

No action required.

General advice: make sure that Airlock's Deny Rules are properly configured, i.e.:

  • Use the latest Airlock Gateway/Microgateway version to benefit from the latest Deny Rules.
  • Configure the rules in Strict mode, which covers the most vulnerabilities (recommended wherever the integration effort is reasonable), or otherwise in Standard mode. Basic mode should be used only in special cases.

Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
No action required