Web application firewalls (WAFs) are a critical line of defense for modern web applications, but recent research from Claroty's Team82 has exposed a generic WAF bypass. By appending JSON syntax to SQL injection payloads, the researchers were able to bypass WAFs from major vendors, including Palo Alto Networks, AWS, Cloudflare, F5, and Imperva. The discovery underscores the need for continuous vigilance and layered security measures against evolving attack techniques. All affected vendors have since updated their products, but organizations should still review their WAF configurations and confirm that JSON syntax is handled correctly.
Introduction
Web application firewalls (WAFs) are designed to protect web applications from a variety of attacks, including SQL injection (SQLi). SQL injection, a persistent high-risk vulnerability listed in the OWASP Top 10 [Check Point Blog], occurs when attackers insert malicious SQL code into input fields to manipulate backend databases. This can lead to data exfiltration, unauthorized access, or complete system compromise. A recent discovery by Claroty's Team82, however, revealed a generic bypass technique that exploits weaknesses in how many WAFs handle JSON syntax within SQL injection payloads. The bypass affected several major WAF vendors, highlighting a critical gap in web application security.
Overview of the Bypass
The bypass developed by Claroty Team82 involves appending JSON syntax to SQL injection payloads. According to Claroty Team82 Research, the technique uses operators like '@<', which the database accepts as valid SQL but which the affected WAFs did not parse correctly. This allowed malicious SQL code to slip through undetected. The research stemmed from an investigation into Cambium Networks' platform and was responsibly disclosed to the affected vendors. The Claroty Team82 researcher, Moshe, stated, "The fact we managed to bypass so many big WAF products, with limited if any changes to our payload meant we had a generic WAF bypass on our hands" [Industrial Cyber]. The team also integrated the bypass into the SQLMap tool for demonstration purposes [Claroty Team82 Research].
Technical Details
- The bypass leverages the fact that many database engines have supported JSON for over a decade, while WAFs have lagged in adding JSON parsing capabilities for SQLi detection [Claroty Team82 Research].
- The technique appends JSON syntax (e.g., the '@<' operator) to SQLi payloads; the database parses the result as valid SQL, but the affected WAFs did not recognize the JSON operators and so failed to classify the payload as SQLi [Claroty Team82 Research].
- This allows attackers to inject malicious SQL code that bypasses the WAF's security measures [SecurityWeek].
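To make that gap concrete, here is an added illustration (not code from Claroty or any WAF vendor): a simplified signature-style check driven by two operator tables. The legacy table knows only classic comparison operators, so the same "boolean keyword followed by a comparison" shape goes unflagged once the comparison uses the article's '@<' operator; the updated table, which also lists JSON operators, catches it. The rule shape and sample inputs are constructed for this illustration; the JSON operators other than '@<' are PostgreSQL JSON/JSONB operators added for completeness.

```python
import re

# Constructed, simplified signature-style SQLi check: it flags a boolean keyword
# followed by a comparison ("OR <operand> <op> <operand>"). Not any vendor's rule set.
BOOL_KEYWORDS = {"or", "and"}
LEGACY_OPERATORS = {"=", "<>", "!=", "<", ">", "<=", ">=", "like"}
# JSON operators a database may accept inside SQL. '@<' is the one named in the
# article; the others are PostgreSQL JSON/JSONB operators added here for completeness.
JSON_OPERATORS = {"@<", "@>", "<@", "->", "->>", "#>", "#>>"}
UPDATED_OPERATORS = LEGACY_OPERATORS | JSON_OPERATORS


def make_tokenizer(operators):
    """Build a tokenizer that knows only the symbolic operators in `operators`.
    Longest operators first so that e.g. '->>' is not split into '-', '>', '>'.
    Anything the tokenizer does not know falls through as a single character."""
    symbolic = sorted((o for o in operators if not o.isalpha()), key=len, reverse=True)
    pattern = r"'(?:[^']|'')*'|" + "|".join(map(re.escape, symbolic)) + r"|\w+|\S"
    return re.compile(pattern)


def is_operand(tok):
    """A quoted string literal or a bare word/number counts as an operand."""
    return tok.startswith("'") or re.fullmatch(r"\w+", tok) is not None


def looks_like_sqli(value, operators):
    """Return True if `value` contains <OR|AND> <operand> <operator> <operand>."""
    toks = make_tokenizer(operators).findall(value)
    for i in range(len(toks) - 3):
        if (toks[i].lower() in BOOL_KEYWORDS and is_operand(toks[i + 1])
                and toks[i + 2].lower() in operators and is_operand(toks[i + 3])):
            return True
    return False


# Constructed sample inputs, as a WAF would see them in a query parameter.
SAMPLES = {
    "benign": "42",
    "benign_text": "orders and invoices",
    "classic": "42 OR 1=1",
    "json_operator": "42 OR '{}' @< '{}'",  # comparison via the article's operator
}


def evaluate(operators):
    """Map each sample name to the verdict of one rule set."""
    return {name: looks_like_sqli(v, operators) for name, v in SAMPLES.items()}
```

Running `evaluate(LEGACY_OPERATORS)` flags only the classic sample, while `evaluate(UPDATED_OPERATORS)` flags both the classic and the JSON-operator sample; the difference is entirely in whether the tokenizer and operator table know the JSON syntax.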
Impacted Vendors
Claroty Team82's research identified that the WAFs of five major vendors were vulnerable to this bypass technique [Claroty Team82 Research]:
- Palo Alto Networks
- AWS
- Cloudflare
- F5
- Imperva
All five vendors were notified of the vulnerability and have since released updates to address the issue [Industrial Cyber]. However, the incident highlights the potential for significant security breaches if WAFs are not properly configured to handle modern data formats like JSON.
Responses from Other Vendors
While the five vendors listed above were directly impacted, other vendors have also commented on the issue:
- Check Point claimed that its CloudGuard AppSec was able to block the JSON-based bypass without requiring any updates, due to its machine learning-based anomaly detection capabilities [Check Point Blog].
- Fortinet issued an alert confirming that its FortiWeb product was also protected against the bypass technique through its machine learning anomaly detection [Fortinet].
Recommendations for Organizations
In light of Claroty Team82's findings, organizations should take the following steps to ensure their web applications are protected against WAF bypass:
- Review WAF Configuration: Organizations should review their WAF configurations to ensure they are properly parsing JSON payloads and detecting SQL injection attempts within JSON data [Claroty Team82 Research].
- Update WAF Software: Ensure that the WAF software is up to date with the latest security patches from the vendor [Industrial Cyber].
- Implement Advanced Detection Methods: Consider implementing advanced detection methods, such as machine learning-based anomaly detection, to identify and block malicious traffic that may bypass traditional signature-based WAFs [Check Point Blog, Fortinet].
- Regular Security Audits: Conduct regular security audits and penetration testing to identify and address potential vulnerabilities in web applications and WAF configurations [Claroty Team82 Research].
- Stay Informed: Stay informed about the latest security threats and vulnerabilities by following security blogs, news outlets, and vendor advisories [Industrial Cyber].
According to SecurityWeek, Claroty Team82 stated that attackers could use this technique to access a backend database and exfiltrate information via direct server access or over the cloud.
Conclusion
The generic WAF bypass discovered by Claroty Team82 highlights the ongoing challenges in web application security. While WAFs are an essential security tool, they are not foolproof and must be continuously updated and configured to address evolving attack techniques. By taking proactive steps to review WAF configurations, implement advanced detection methods, and stay informed about the latest security threats, organizations can significantly reduce their risk of falling victim to SQL injection and other web application attacks. As TechTarget reported, Claroty Team82 noted that vendors had been slow to add JSON support, which allowed the researchers to craft SQL injection payloads containing JSON syntax that bypassed the protection WAFs provide. The incident serves as a reminder that a layered security approach, combined with continuous monitoring and vigilance, is crucial for protecting web applications and sensitive data.
Key Takeaways
- WAF bypass vulnerabilities can expose critical data and systems to attacks.
- Organizations must ensure their WAFs are configured to handle JSON payloads effectively.
- Regular updates and security audits are essential for maintaining robust web application security.
FAQ
What is WAF bypass?
WAF bypass refers to techniques that allow attackers to circumvent web application firewalls, potentially leading to unauthorized access or data breaches.
How can organizations prevent WAF bypass?
Organizations can prevent WAF bypass by regularly updating their WAF configurations, implementing advanced detection methods, and conducting security audits.
Why is JSON support important for WAFs?
JSON support is crucial for WAFs because many modern applications use JSON for data exchange, and without proper parsing, WAFs may fail to detect malicious payloads.
Sources
- Claroty unveils web application firewall bypassing technique
- WAFs of Several Major Vendors Bypassed With Generic Attack Method
- Check Point CloudGuard AppSec is the only product known to pre-emptively block Claroty WAF bypass
- Generic Web Application Firewall (WAF) Security Bypass - Fortinet
- {JS-ON: Security-OFF}: Abusing JSON-Based SQL to Bypass WAF