
Security researchers have developed a generic SQL injection technique that bypasses multiple web application firewalls (WAFs), allowing attackers to hide their malicious payloads, because the vendors had failed to add support for JSON syntax inside SQL statements.
This bypass technique was confirmed to work against WAFs from Palo Alto Networks, AWS, Cloudflare, F5, and Imperva. These vendors have released patches, so customers should update their WAF deployments.
Using this technique, attackers could access a backend database and use additional vulnerabilities and exploits to exfiltrate information via either direct access to the server or over the cloud.
This attack technique was developed by the researchers while investigating vulnerabilities they found in a wireless device management platform from Cambium Networks called cnMaestro that can be deployed on premises and in the cloud.
Nearly seven vulnerabilities in cnMaestro were identified, including a SQL injection flaw that allowed them to exfiltrate users’ sessions, SSH keys, password hashes, tokens, and verification codes from the server database.
The exploit the researchers developed worked against on-premises instances of cnMaestro, but testing against the cloud instance failed because AWS blocked the requests. To investigate further, the researchers created their own vulnerable application hosted on AWS and sent malicious requests to it. Their conclusion was that the WAF uses two primary methodologies for identifying SQL syntax: searching for specific words in the request that it recognizes as part of SQL syntax, and attempting to parse different parts of the request as valid SQL syntax.
JSON is a data formatting and exchange standard widely used by web applications and web APIs when talking to each other. PostgreSQL added support for JSON inside SQL back in 2012, with other major database engines following over the years: MySQL in 2015, MSSQL in 2016 and SQLite in 2022. Today all these engines have JSON support turned on by default. However, WAF vendors did not follow suit, probably because they still considered this feature new and not well known.
As per the researchers, a SQLi payload that the WAF does not recognize as valid SQL but that the database engine will still parse is exactly the mismatch JSON creates between the WAF’s parser and the database engine. In their words: “When we passed valid SQL statements that used less prevalent JSON syntax, the WAF did not flag the request as malicious.”
After confirming that the AWS WAF was vulnerable, they identified the same weakness in the products of other major WAF providers.
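An added example (not from the article or from Team82) that models the two-parser mismatch the researchers describe as an auditable gap between a WAF's keyword vocabulary and the JSON functions the database engine accepts, and shows the mitigation that does not depend on the WAF at all; WAF_SQL_KEYWORDS, the users table and its rows are constructed for the demo.

```python
import re
import sqlite3

# Constructed (hypothetical) keyword vocabulary standing in for the
# "look for known SQL words" method the article attributes to WAFs.
WAF_SQL_KEYWORDS = {
    "select", "union", "insert", "update", "delete", "drop",
    "from", "where", "or", "and", "sleep", "benchmark", "load_file",
}

def engine_json_functions(conn):
    """JSON function names the connected SQLite engine will execute.
    Uses pragma_function_list (SQLite >= 3.30); empty if unavailable."""
    try:
        rows = conn.execute(
            "SELECT DISTINCT lower(name) FROM pragma_function_list "
            "WHERE lower(name) LIKE 'json%'").fetchall()
    except sqlite3.OperationalError:
        return []
    return sorted(r[0] for r in rows)

def uncovered(engine_functions, waf_keywords):
    """Engine-accepted names absent from the WAF vocabulary: the parser
    mismatch the article describes, expressed as an auditable gap."""
    return sorted(set(engine_functions) - set(waf_keywords))

def waf_would_flag(text, waf_keywords=WAF_SQL_KEYWORDS):
    """Simplified keyword detection: any token in the vocabulary trips it."""
    return any(t in waf_keywords for t in re.findall(r"[a-z_]+", text.lower()))

def find_user(conn, username):
    """WAF-independent mitigation: the input is bound as a parameter, so the
    database never parses it as SQL, JSON syntax or otherwise."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()

def demo_conn():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)",
                     [("alice",), ("bob",)])
    return conn

if __name__ == "__main__":
    conn = demo_conn()
    gap = uncovered(engine_json_functions(conn), WAF_SQL_KEYWORDS)
    print(f"{len(gap)} JSON functions the engine accepts but the vocabulary lacks")
    print(find_user(conn, "alice"))
```

The audit reports every JSON function the engine exposes that the vocabulary never mentions; each one is a name the WAF's word search cannot react to, which is why binding parameters, not WAF rules, is the control that actually closes the hole.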
The researchers reported the issue to the vendors they found vulnerable but also contributed their technique to SQLMap, an open-source penetration testing tool that automates SQL injection attacks. This means the bypass technique is now publicly available and can be used by anyone.
This research was documented by researchers from Claroty Team82.