Web Application Firewall Bypassed via JS Injection with Parameter Pollution


Recent work on autonomous penetration testing has surfaced a method for bypassing several widely deployed Web Application Firewalls (WAFs) with cross-site scripting (XSS) payloads that are split across multiple HTTP query parameters.

Technical Findings

Security researchers identified an XSS vulnerability in an ASP.NET application that was protected by a well-configured WAF. Conventional XSS payloads were blocked, but by using HTTP parameter pollution, that is, repeating the same query parameter several times, the malicious code was distributed across multiple parameter values. Once the application reassembled those values, the result was syntactically valid JavaScript that the WAF had not flagged, because no single parameter value matched an XSS signature.

The technique relies on parsing discrepancies between three components: the WAF, the ASP.NET query-string parser, and the JavaScript engine in the browser. ASP.NET's HttpUtility.ParseQueryString() (and Request.QueryString, which is built the same way) returns a NameValueCollection that joins duplicate keys into one comma-separated string, so q=a&q=b is read by the application as a,b. Because the comma is also JavaScript's comma operator, fragments that look harmless in isolation become a single executable expression after the join, without any one value matching typical XSS signatures.
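The following is an added example, not code from the article or from the researchers' tooling. It simulates the three parsers whose disagreement the article describes: a WAF rule that inspects each query-parameter value on its own, an ASP.NET-style join of duplicate keys with commas (re-implemented here in JavaScript, not the .NET library), and the browser's parser checking whether the reassembled script is valid. The reflection context `search('…')`, the signature regex, and the sample requests are all assumptions made for the example; the hardened renderer at the end is the output-encoding fix, not something the article spells out.

```javascript
// Added example: parser discrepancy behind the parameter-pollution bypass.
// Assumed vulnerable context: the page reflects q into search('<q>').

// Simulation of ASP.NET's HttpUtility.ParseQueryString() behaviour for
// duplicate keys: values are concatenated with ','. Not the .NET library.
function aspNetJoin(query) {
  const joined = {};
  for (const [key, value] of new URLSearchParams(query)) {
    joined[key] = key in joined ? `${joined[key]},${value}` : value;
  }
  return joined;
}

// Hypothetical signature standing in for a WAF rule: a quote, then a
// statement separator (';' or ','), then an identifier being called.
const XSS_SIGNATURE = /['"]\s*[;,]\s*[A-Za-z_$][\w$]*\s*\(/;

// WAF model 1: inspects each occurrence of a parameter separately,
// as a WAF working from the raw query string does.
function wafBlocksPerValue(query) {
  for (const [, value] of new URLSearchParams(query)) {
    if (XSS_SIGNATURE.test(value)) return true;
  }
  return false;
}

// WAF model 2: same signature, but applied to the comma-joined value the
// ASP.NET backend will actually see.
function wafBlocksJoined(query) {
  return Object.values(aspNetJoin(query)).some((v) => XSS_SIGNATURE.test(v));
}

// Assumed vulnerable template: q is reflected into an inline script with
// no encoding. The function name search() is hypothetical.
function renderScript(q) {
  return `search('${q}');`;
}

// Hardened template: JSON-encode the value so it can only ever be a single
// string literal, and escape '<' so it cannot close the enclosing <script>.
function renderScriptSafe(q) {
  return `search(${JSON.stringify(q).replace(/</g, '\\u003c')});`;
}

// Syntax check only: new Function() parses the source without running it,
// so alert() is never executed here.
function isValidJs(src) {
  try {
    new Function(src);
    return true;
  } catch (err) {
    return false;
  }
}

// Constructed sample requests (not captured traffic).
const UNSPLIT = "q=',alert(1),'";        // whole payload in one parameter
const POLLUTED = "q='&q=alert(1)&q='";   // same payload split into three

function analyse(query) {
  const q = aspNetJoin(query).q || '';
  const rendered = renderScript(q);
  return {
    perValueBlocked: wafBlocksPerValue(query),
    joinedBlocked: wafBlocksJoined(query),
    backendValue: q,
    rendered,
    validJs: isValidJs(rendered),
    hardened: renderScriptSafe(q),
  };
}

for (const query of [UNSPLIT, POLLUTED]) {
  console.log(query, analyse(query));
}
```

Run with node: the unsplit request is caught by both WAF models, while the polluted one passes the per-value check, is joined by the backend into `',alert(1),'`, and renders as `search('',alert(1),'');`, which parses as a valid three-argument call. A fragment such as `'` on its own does not even parse, which is why a WAF that only looks at individual values sees nothing executable. The hardened renderer turns the same joined value into one string literal, so the split makes no difference to it.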

Testing WAF Configurations

Seventeen WAF configurations, including AWS WAF, Google Cloud Armor, Azure WAF, and others, were tested with various payloads:

  1. Simple injection: q=';alert(1),
  2. Parameter pollution with semicolon.
  3. Parameter pollution with line breaks.
  4. Heuristic-based engine payloads.

Google Cloud Armor, Azure WAF Default Rule Set 2.1, and open-appsec configurations successfully blocked all manual payloads. However, other configurations, including AWS WAF and F5, were consistently bypassed, especially as payload complexity increased.

Autonomous Hackbot Results

The researchers deployed an autonomous hackbot against the remaining WAFs:

Implications and Recommendations

The parameter pollution bypass underscores the need for layered defenses: a WAF is a complementary control, not a substitute for secure coding standards such as context-aware output encoding of reflected data, which removes the injection regardless of how the request is split across parameters. This matters all the more as increasingly sophisticated automated attack tooling lowers the cost of finding such parser discrepancies.
