In a recent autonomous penetration test, a novel cross-site scripting (XSS) bypass that sidesteps even highly restrictive Web Application Firewalls (WAFs).
Security researchers uncovered a ASP.NET application protected by a rigorously configured WAF. Conventional XSS payloads—breaking out of single-quoted JavaScript strings—were promptly blocked.
Yet by abusing HTTP parameter pollution, the team managed to split malicious code across multiple query parameters, weaving it into syntactically valid JavaScript that the WAF never detected.
Demonstrating exploitability when defensive controls actively prevent exploitation is a classic conundrum.
For this “PoC‖GTFO” scenario, the researchers needed to understand parsing disparities between the WAF, the ASP.NET parameter parser, and the browser’s JavaScript interpreter.
Building on past engagements, they recalled how ASP.NET’s HttpUtility.ParseQueryString() concatenates duplicate parameters with commas. That behavior turns a query like
text/?q=1'&q=alert(1)&q='2
into the string 1',alert(1),'2, which, when injected into
jsuserInput="…";
yields valid code:
jsuserInput="1",alert(1),'2';
Here, JavaScript’s comma operator executes alert(1) before returning the last value—perfectly functional yet invisible to signature-based pattern matching.
HTTP Parameter Pollution exploits inconsistent handling of duplicate parameters across frameworks. ASP.NET and classic ASP concatenate values with commas, while others (e.g., Golang, Python’s Zope) produce arrays.
By filtering for frameworks that include all values in output, the researchers focused on ASP.NET’s comma-concat behavior.
Splitting JavaScript code across multiple q parameters let them embed injections without ever matching a classic single-parameter XSS signature.
Testing Popular WAFs
Seventeen WAF configurations—spanning AWS WAF rule sets, Google Cloud Armor, Azure WAF, open-appsec, Cloudflare, Akamai, F5, FortiWeb, and NGINX App Protect—underwent testing with four payloads:
- Simple injection:
q=';alert(1), - Parameter pollution with semicolon.
- Parameter pollution with line breaks.
- Heuristic-based engine payloads.
Only Google Cloud Armor (ModSecurity rules), Azure WAF Default Rule Set 2.1, and all three open-appsec sensitivity levels blocked all three manual payloads.
AWS WAF’s Managed, Cyber Security Cloud, and F5 rule sets were bypassed every time. As payload complexity increased, bypass rates rose from 17.6% for the simple injection to 70.6% for the most advanced parameter pollution payload.
The researchers then unleashed their autonomous hackbot against the undefeated WAFs:
- Azure WAF: Discovered a bypass using an escaped backslash (
test\';alert(1);//), exploiting mismatched escape handling between the WAF’s pattern matching and JavaScript parsing. - Google Cloud Armor: Despite extensive efforts, no bypass was found. The hackbot did note that the server’s parameter parsing was case-insensitive, hinting at future exploration paths.
- open-appsec: In under 30 seconds, the hackbot found a bypass for the Critical configuration. It subsequently adapted when its initial payloads were blocked, switching from
alerttoconfirmand eventually generating payloads likeq='+new Function('a'+'lert(1)')()+'.
These results underscore the power of automation to complement manual testing—surfacing variations that human researchers might overlook.
Implications and Recommendations
- WAF Limitations: Traditional signature-based WAFs struggle to detect payloads split across parameters. Effective defense would require deep, framework-specific parsing and context-aware JavaScript analysis—impractical for most proxy-level solutions.
- Machine Learning Caveats: ML-based WAFs show promise, but can be rapidly subverted by adaptive attack bots once they begin to learn innocuous traffic patterns.
- Defense in Depth: WAFs must not be relied upon as a cure for insecure code. Rigorous input validation, context-aware encoding, and secure development practices remain essential.
- Automation Synergy: Combining human creativity with hackbot efficiency uncovers both novel techniques and simplistic bypasses, emphasizing the need for continuous, automated security assessments.
This rabbit hole of parameter pollution reveals that even the most sophisticated WAF configurations can be undone by subtle parsing mismatches. The rise of hackbots only amplifies the threat, driving home the importance of layered defenses and secure coding standards.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.
Source link
