Researchers reported this week that they found a bug in MySQL that left AWS Web Application Firewall (WAF) customers exposed to an SQL injection.
In a blog post, GoSecure’s ethical hackers also confirmed that upon further testing, ModSecurity, a popular WAF for Apache and nginx, were also exposed to an SQL injection.
The researchers said the bug, which they trace back to a Black Hat presentation in 2013, was fixed by AWS on Oct. 1, with public disclosure coming on Wednesday.
Attackers frequently use WAF bypass techniques to evade detection in organizations with WAFs, said Michael Isbitski, technical evangelist at Salt Security. Isbitski said security researchers don’t need to dig deep to realize that WAFs work by comparing application and API traffic (per transaction) against pre-defined rules or filters. If there’s no matching rule, a given request that may be malicious can pass through freely: it’s often referred to as a negative security approach since researchers are looking for “known-bad” requests or patterns.
“For organizations that build or integrate custom applications and APIs, WAFs provide little to no protection,” Isbitski said. “In many cases, WAFs generate a large number of false positives, which wastes cycles of IT teams that must triage alerts to know if an application or API flaw is truly being exploited. This reality often leads organizations to put a WAF in passive or reporting-only mode, so it doesn’t actively block requests whether they be malicious or legitimate.”
SQL injection vulnerabilities are one of the most commonly targeted security issues — especially given that the contents of a database are often the holy grail for an attacker, said Yehuda Rosen, senior software engineer at nVisium. Rosen said if a WAF — particularly one as widely used as Amazon’s WAF — isn’t blocking SQL injections, then it’s almost as bad as not having a WAF at all.
“Since it’s a third-party product, there isn’t much that users could do about it other than audit access logs, as well as do their best to secure their own application code,” Rosen said.
Zach Jones, senior director of detection research at NTT Application Security, said this evasion technique offers a great example — among hundreds — of why organizations need to conduct robust security testing of the underlying application and never rely on a WAF for long-term mitigation of an underlying application flaw. Jones said skilled attackers and security researchers have a long history of discovering workarounds to restore the exploitability of underlying flaws in the presence of an external security control.
“Perhaps external mitigations will prevent the underlying flaw from being discovered and exploited today, but speaking from two decades of application security testing experience, we know that ‘tomorrow’ is a different story,” Jones said. “If your application is not vulnerable to SQL injection in the first place, then this bypass technique would represent zero risk. However, if the underlying application contains these sorts of coding errors, i.e. lack of query parameterization and you were relying on the protection of the AWS WAF (or possibly others), then attackers could have been exploiting your application flying under your level of visibility.”
Caleb Stewart, security researcher at Huntress, said the ability to bypass the protections provided by a WAF has the potential to have major impact. WAFs can hide real bugs in production software by blocking requests before they get to the protected application, so a bypass of the WAF logic could lead to the discovery of new bugs in common web applications.
“With a reliable bypass, the results could be disastrous, but relies on an underlying application bug coupled with this new WAF bypass technique,” Stewart said. “As always, preventative measures like WAFs should not be your only protection. Code and network audits are important to identify internal bugs before they are exploited in the wild.”
Chuck Everette, director of cybersecurity advocacy at Deep Instinct, added that vulnerabilities around the use of SQL injection are relatively common, dating back more than 10 years. Everette said testing for SQL injection vulnerabilities is a fundamental best practice for pre-code production release testing and remains essential.
“Companies need to step up vulnerability scanning and internal pen testing to identify these risks before malicious actors do,” said Everette. “Vulnerabilities in software are unfortunately widespread and should be expected. No code is 100% secure. As such, the best practice is still to have layered security solutions in place to monitor for abnormal traffic and behavior. Having a prevention-first mindset is critical.”
