SQL injection is a well-known attack vector that has been used for decades to compromise databases and exfiltrate sensitive information. The primary countermeasure is to keep untrusted input out of query syntax with parameterized queries, but many organizations also rely on Web Application Firewalls (WAFs) as an additional layer that blocks injection attempts before they reach the application. In December 2022, researchers from the cybersecurity firm Claroty disclosed a technique that allows attackers to bypass WAFs and perform SQL injection attacks by expressing the injected SQL with JSON operators and functions.
JSON (JavaScript Object Notation) is a data interchange format widely used by web applications and web APIs to exchange data between systems. It is a lightweight format that is easy for humans to read and write and for machines to parse and generate. Because so much application data now lives in JSON, the major database engines have added native JSON support to their SQL dialects, and it is this SQL-level JSON syntax, not the format itself, that the bypass abuses.
Parameterized queries (prepared statements) remain the most effective way to prevent SQL injection, because a bound parameter is never parsed as SQL. A WAF adds a second line of defense: it inspects incoming web requests and blocks those whose parameters match known SQL injection patterns such as tautologies (1=1), UNION SELECT statements or comment sequences. However, Claroty's research shows that attackers can rewrite those same patterns with JSON syntax and slip past WAFs that only know the classic forms.
The problem is not that WAFs cannot parse JSON request bodies; most can. It is that their SQL injection signatures lagged behind the database engines. While modern engines have added JSON operators and functions to their SQL syntax (for example PostgreSQL's @> containment operator, MySQL's JSON_EXTRACT, Microsoft SQL Server's JSON_VALUE and SQLite's json_extract), the WAF rule sets did not recognize these constructs as SQL. An attacker can take advantage of this gap by crafting SQL statements that use JSON syntax to achieve the same logical effect as a classic payload without triggering any signature.
The problem with WAFs and JSON
About 10 years before the research, major database engines began supporting JSON (JavaScript Object Notation) as a native data type, PostgreSQL first, with MySQL, Microsoft SQL Server and SQLite following over the next few years. JSON is widely used in web applications and APIs, and native support lets developers store, query and compare JSON documents directly inside SQL statements without any additional processing. However, while the database engines added these operators and functions years ago, many WAF providers had not caught up, apparently still treating the feature as new and relatively obscure.
According to Claroty's researchers, WAFs fail here because their SQL injection detection is built around recognizable syntax. A WAF that flags ' OR 1=1 has no reason to flag an expression that compares two JSON values, yet to the database engine both are valid boolean expressions that always evaluate to true. If an attacker provides a SQL payload written with a less common JSON syntax, the WAF may not classify it as malicious, the request passes through, and the database engine executes the injected SQL.
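The following is an added example, not code from Claroty or from the original article, that models the whole request path in miniature: a deliberately naive signature-based WAF (the rule list is constructed for illustration and is far smaller than any real product's), an injectable lookup against an in-memory SQLite table with constructed sample rows, and the same tautology written twice, once in classic form and once with SQLite's json_extract function. It generalizes the technique slightly: Claroty's published payloads used PostgreSQL's JSON operators, and the SQLite function is used here only because it runs offline in Python's standard library. The table, column and function names are assumptions for the example.

```python
import re
import sqlite3

# A deliberately naive signature-based "WAF", constructed for this example.
# Real WAF rule sets are far larger, but the gap is the same one Claroty
# describes: every rule targets classic SQLi syntax, and none of them knows
# that json_extract(...) (or PostgreSQL's @>, MySQL's JSON_EXTRACT, MSSQL's
# JSON_VALUE) can build an always-true expression just as well as 1=1.
CLASSIC_SQLI_RULES = [
    r"(?i)\bor\b\s*['\"]?\d+['\"]?\s*=\s*['\"]?\d+",    # ' OR 1=1
    r"(?i)\bor\b\s*['\"]\w+['\"]\s*=\s*['\"]\w+['\"]",  # ' OR 'a'='a
    r"(?i)\bunion\b\s+(all\s+)?select\b",               # UNION SELECT
    r"--|#|/\*",                                        # comment sequences
]

# The same rule set after coverage for the engine's JSON functions is added,
# which is the kind of update the affected vendors shipped after disclosure.
JSON_AWARE_RULES = CLASSIC_SQLI_RULES + [
    r"(?i)\bjson_(extract|type|valid|array|object)\s*\(",
]


def waf_blocks(value, rules=CLASSIC_SQLI_RULES):
    """Return True if any signature matches the request parameter."""
    return any(re.search(pattern, value) for pattern in rules)


def setup_db():
    """In-memory SQLite table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, secret) VALUES (?, ?)",
        [("alice", "token-a"), ("bob", "token-b")],
    )
    return conn


def vulnerable_lookup(conn, username):
    """Intentionally injectable: the parameter is concatenated into the SQL."""
    sql = f"SELECT username, secret FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, username):
    """Hardened version: a bound parameter is data, never parsed as SQL."""
    sql = "SELECT username, secret FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def attempt(conn, payload, rules=CLASSIC_SQLI_RULES):
    """Model the request path: WAF inspection first, then the vulnerable query."""
    if waf_blocks(payload, rules):
        return "blocked"
    return vulnerable_lookup(conn, payload)


# Classic tautology: matched by the first and the last classic rule.
CLASSIC_PAYLOAD = "' OR 1=1 --"

# Same logical effect (WHERE ... OR <true> OR ...) expressed with SQLite's
# json_extract, which evaluates '{"a":1}' at path '$.a' to the integer 1.
# The trailing "OR username = '" closes the quote, so no comment sequence
# is needed and nothing in CLASSIC_SQLI_RULES fires. The PostgreSQL form
# Claroty published relies on the jsonb containment operator instead, e.g.
# ' OR '{"a":1}'::jsonb @> '{"a":1}' OR ... (not executed here).
JSON_PAYLOAD = "' OR json_extract('{\"a\":1}', '$.a') = 1 OR username = '"


if __name__ == "__main__":
    db = setup_db()
    print("classic payload:", attempt(db, CLASSIC_PAYLOAD))
    print("JSON payload, classic rules:", attempt(db, JSON_PAYLOAD))
    print("JSON payload, JSON-aware rules:", attempt(db, JSON_PAYLOAD, JSON_AWARE_RULES))
    print("JSON payload, parameterized query:", safe_lookup(db, JSON_PAYLOAD))
```

Running it shows the three outcomes that matter to a practitioner: the classic payload is blocked, the JSON payload passes the classic rules and dumps every row, and the JSON-aware rules block it again. The last line is the durable fix: against safe_lookup the payload is just an unusual username that matches nothing, whatever the WAF does.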
Testing the vulnerability of WAFs
The researchers tested several major WAF providers and confirmed their suspicion: it was possible to use JSON syntax to bypass SQLi defenses with only minor modifications across different vendors. Claroty first encountered the behavior against the AWS WAF, where a classic payload was blocked but a JSON-based version of the same statement executed, and subsequent tests showed that products from Palo Alto Networks, F5, Cloudflare and Imperva could be bypassed with similar payloads. They reported the issue to the affected vendors, who have since updated their rule sets, and contributed the technique to SQLMap, an open-source penetration testing tool that automates SQL injection attacks, so that testers can check their own WAF deployments against it.
The implications of this discovery extend beyond WAF tuning. Risk-based vulnerability management is a framework for assessing and prioritizing vulnerabilities according to their likelihood of exploitation and their potential impact on the business, so that limited remediation effort goes to the most critical issues first. A WAF bypass changes one of the inputs to that assessment.
The implications for risk-based vulnerability management
The discovery has direct consequences for risk-based vulnerability management. Remediation prioritization is essential for addressing high-risk vulnerabilities in a timely manner, because attackers routinely exploit known vulnerabilities to gain access. Many organizations, however, downgrade the risk of a known SQL injection flaw because a WAF sits in front of it, treating the WAF as a compensating control. If the WAF can be bypassed with a technique like the one Claroty describes, that compensating control no longer holds, and a vulnerability previously scored as low-risk reverts to the full risk of an unprotected SQL injection.
Prioritizing vulnerabilities is crucial because organizations often face limited resources and cannot remediate all vulnerabilities at once. By prioritizing vulnerabilities based on their risk, organizations can make informed decisions about which vulnerabilities to remediate first and which ones to accept the risk of. Without a risk-based approach, organizations may waste resources on low-risk vulnerabilities while neglecting critical ones that pose a severe threat to the business.
The JSON-based SQL injection bypass is a concrete example of why that prioritization must be revisited as new techniques appear. WAFs are a valuable tool against SQL injection attacks, but they are not foolproof, and attackers are always looking for ways around them. Risk scores that depend on a WAF should therefore be re-evaluated whenever a bypass is published, and the underlying injection flaws should be fixed in the application code rather than left behind a filter indefinitely.
Conclusion
The use of JSON syntax to bypass WAFs and perform SQL injection attacks highlights the importance of continuously testing security controls rather than assuming they remain effective: a WAF rule set is only as good as the SQL syntax it understands, and it should be re-tested whenever the database engines it protects gain new features. It also reinforces the need to prioritize vulnerabilities by actual risk, to treat a WAF as a compensating control that can expire rather than as a fix, and to remediate SQL injection at its source with parameterized queries. Organizations that do so reduce their exposure to SQL injection attacks and to the next bypass technique alike.