Root Causes 268: WAFs Subverted by JSON Bypass
In this episode we discuss rising attacks that overcome the protections of Web Application Firewalls (WAFs). We explain these attacks, why this bypass might be effective against you even if you think it doesn't apply, and what you should do to ensure you're safe.
- Original Broadcast Date: January 12, 2023
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
I have a news article up here we wanted to talk about. This is from December 12 I believe. It is December 12. This is a Dark Reading article. The headline reads: Popular WAFs Subverted by JSON Bypass. This is by Robert Lemos. December 12. Dark Reading. You can look it up on your own later but, Jason, what does this article say?
-
Jason Soroko
What this article says is that monitoring is hard. That’s really what it says. And what kind of monitoring are we talking about? We are talking about WAFs, Web Application Firewalls. And, Tim, it is an important subject to this podcast because browsing the web and protecting web assets is a big chunk of what happens in our world, and so you write and you configure Web Application Firewalls to make sure that bad guys can’t get to ports that they shouldn’t get to and can’t send malicious commands that they shouldn’t be able to. The WAFs have a whole pile of configurations within them to stop bad things. That’s an incredibly gigantic oversimplification.
So, Web Application Firewalls can be in everything from your big cloud providers and your CDN, so things like AWS, Cloudflare, and then, of course, even some of your on-prem stuff like F5, and other names like Imperva and Palo Alto. So all these big, big security players and infrastructure players will include WAFs in one way, shape, or form or the other.
So, WAFs have been around a long time, but what some people have figured out is that when you are talking to a database behind the WAF, there can be commands that you are issuing to the database using languages and markup languages that the database understands but that Web Application Firewalls don’t seem to have caught up to yet in terms of understanding malicious vs. legitimate context.
-
Tim Callan
Ok. So there needs to be an opportunity to issue these commands, I guess in this case JSON commands, but they could be structured to do something malicious and the WAF doesn’t have the logic to detect that. Is that right?
-
Jason Soroko
That is correct. Just think about it: it’s a format in which you can put both data and commands into a textable package that can be sent over the internet, goes through the WAF, is received by the database, and then the database will do something with this.
And so therefore, it’s a complex message in that it contains both commands and data, and I think what’s happening for the most part is that these Web Application Firewalls are like, oh, well, this is a JSON formatted package, so I don’t really know what’s going on in this package, so I’m just gonna let it through. And so there’s all kinds of other commands that are sent where it’s scrutinized heavily by the WAF, and anything that’s in JSON doesn’t seem to be as scrutinized, and therefore a lot of what you would call WAF bypass to do malicious things or unexpected things is possible by packaging into these JSON formatted text strings. So therefore, it’s not gonna affect a website that doesn’t have a database that accepts JSON, so therefore, you’re safe if you are not doing that. The problem, though, is that a lot of modern web setups now have some sort of data structure in the backend that is accepting JSON. So therefore, this is a really good reminder, and isn’t it funny, Tim, how these kinds of articles come out just before the holiday season when people really don’t want to be doing this kind of work.
-
Tim Callan
Worst time to be doing this kind of thing. Exactly.
-
Jason Soroko
Worst time. But I would say this. If you have a website that happens to have a database in the backend and you are not using JSON at all, but it is still configured to accept JSON, I would say flip the switch and turn it off.
-
Tim Callan
Sure. So you can’t just say, oh, we aren’t using JSON. This doesn’t apply to me. You have to ask yourself is your WAF configured to accept JSON because that’s how the hole gets opened. That’s a very good point.
-
Jason Soroko
Does your database accept JSON configured messages? If so, and you are not using that feature, turn it off. And at the WAF level, I’m pretty sure, after this research has come out, a lot of these big players that are very, very mature security players that are very sensitive to these things - I haven’t done the homework yet to figure out what’s available to you, but I’m betting if you do an internet search or you talk to your vendor, they have some kind of a response to this, either now or they will at some point in the near future. It would be a really good idea to figure out what kind of updates they have to the WAF and ways that you can maybe reconfigure your WAF. Just be really aware of your environments, especially if you’ve got a database in the backend doing something.
-
Tim Callan
So this is new awareness. The reason we are talking about this now, presumably, is that this exploit has existed previously, possibly for a long time, and this is where it’s come to light. Is that correct?
-
Jason Soroko
It’s come to light. It’s funny how it’s one of these things that you think, oh geez, why wasn’t this talked about a long time ago. It probably was in smaller circles, but I think now it has become a big enough problem where a Dark Reading, for example, tech journalism on security, would bring it up as a topic as a whole and give some awareness to it. And that’s what we are doing here as well, because we have a lot of listeners to this podcast that play in the web server space, and this kind of technology is right up your alley.
-
Tim Callan
And to your point, if this is on the upswing, these providers – you said names like Cloudflare and Palo Alto Networks and Imperva, AWS – these are well-resourced organizations that are really trying to be as bulletproof as they possibly can. So you’ve got to imagine that they would take something like that seriously, especially if it’s an emerging threat, and give whatever response they are able to give.
-
Jason Soroko
It looks like the researcher – I’m just going down to the final, final paragraph here, Tim. This is maybe the best way to end this; it is exactly what I just said. It looks like five of those vendors I’ve referred to, at least at this point, have now added JSON syntax support into their products. I don’t know how mature it is, but it is something where, I know none of you need Christmas homework, but there it is.
-
Tim Callan
And you could imagine that, too. You could imagine we have JSON syntax support, and then the bad guys are gonna try and figure out how to write something that’s gonna fool us, and then we are gonna figure out how to catch that, and the bad guys are gonna write something else to fool us, and we are gonna get into that whole arms race. You could certainly see that as how this progresses from here.
-
Jason Soroko
Which is a major change in the way things typically have been done. I suspect a lot of people who set up their WAFs configure them and forget about them. And what we are finding out here is, nah, I think WAFs are something you need to revisit periodically, and this JSON syntax support may be a perfect reason for you to go in and re-review all of your configurations, including the syntax support.
-
Tim Callan
There you go. So maybe that’s a great place to leave it. That’s some good advice. If you are listening to this and you are responsible for the WAF, or you know who is, or it’s adjacent to your department, it’s good to think about that question and make sure that you are using that tool in the best way you are able to today.
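The following is an added illustration and is not part of the podcast or of the Dark Reading article it discusses. It models the bypass the hosts describe as SQL injection written with a database's JSON syntax: a constructed, hypothetical signature list stands in for a pre-JSON WAF rule set, a second list adds JSON operators and functions (an assumption about what "JSON syntax support" amounts to in a signature-based WAF), and SQLite's built-in json_extract() stands in for the JSON functions of other engines. The payloads, table and user rows are constructed for the demo. The last two functions show why a WAF rule is only a stopgap: a parameterized query never lets the payload reach the SQL parser at all.

```python
import re
import sqlite3

# Constructed, hypothetical stand-in for a pre-JSON WAF SQL-injection rule set:
# a few classic tautology / UNION signatures, matched case-insensitively.
LEGACY_SQLI_SIGNATURES = [
    r"\bor\b\s+\d+\s*=\s*\d+",            # ... OR 1=1
    r"\bor\b\s+'[^']*'\s*=\s*'[^']*'",    # ... OR 'a'='a'
    r"\bunion\b\s+(?:all\s+)?select\b",   # UNION SELECT
]

# The same rules plus JSON syntax of common engines. Assumption: this is what
# a signature WAF's "JSON syntax support" looks like. The operator patterns
# will also hit benign text such as "->", the usual false-positive trade-off.
JSON_AWARE_SIGNATURES = LEGACY_SQLI_SIGNATURES + [
    r"\bjson_[a-z_]+\s*\(",   # MySQL / SQLite json_extract(...), json_valid(...), ...
    r"@>|<@",                 # PostgreSQL jsonb containment operators
    r"->>?",                  # JSON path operators (PostgreSQL, MySQL, SQLite >= 3.38)
    r"::\s*jsonb?\b",         # PostgreSQL casts to json / jsonb
]

# Constructed payloads. The second is a tautology that contains no classic
# "OR 1=1" token: the always-true condition is hidden inside a JSON function call.
CLASSIC_PAYLOAD = "' OR 1=1 --"
JSON_PAYLOAD = "' OR json_extract('{\"a\":1}', '$.a') = 1 --"


def waf_blocks(value: str, signatures) -> bool:
    """Return True if any signature matches the request value (i.e. the WAF would block it)."""
    return any(re.search(sig, value, re.IGNORECASE) for sig in signatures)


def build_db() -> sqlite3.Connection:
    """In-memory SQLite database with three constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_user_unsafe(conn: sqlite3.Connection, username: str):
    """Vulnerable: the request value is concatenated into the SQL text.

    Returns the matched rows, or None if this SQLite build lacks the JSON
    functions (then the JSON payload is a syntax error rather than a leak).
    """
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        if "no such function" in str(exc):
            return None
        raise


def lookup_user_safe(conn: sqlite3.Connection, username: str):
    """Hardened: a bound parameter is data, never SQL, whatever syntax it contains."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def run_demo() -> dict:
    """Run the WAF checks and both lookups; results are returned, not only printed."""
    conn = build_db()
    return {
        "classic_blocked_by_legacy": waf_blocks(CLASSIC_PAYLOAD, LEGACY_SQLI_SIGNATURES),
        "json_blocked_by_legacy": waf_blocks(JSON_PAYLOAD, LEGACY_SQLI_SIGNATURES),
        "json_blocked_by_updated": waf_blocks(JSON_PAYLOAD, JSON_AWARE_SIGNATURES),
        "unsafe_rows_for_json_payload": lookup_user_unsafe(conn, JSON_PAYLOAD),
        "safe_rows_for_json_payload": lookup_user_safe(conn, JSON_PAYLOAD),
        "safe_rows_for_alice": lookup_user_safe(conn, "alice"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run as written, the classic payload is blocked by the legacy rules while the JSON-syntax payload passes them and, through the concatenating lookup, returns every row in the table; the JSON-aware rules catch it, and the parameterized lookup returns nothing for it regardless of which rule set is in front. The signature lists are deliberately small so the gap is visible; a production WAF has far more rules, but the lesson is the same: rules describe syntax the vendor already knows about, so revisit them and fix the query construction underneath.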