Researchers Bypassed Web Application Firewall With JS Injection with Parameter Pollution

Cybersecurity researchers have demonstrated a sophisticated technique for bypassing Web Application Firewalls (WAFs) using JavaScript injection combined with HTTP parameter pollution, exposing critical vulnerabilities in modern web security infrastructure.

The research, conducted during an autonomous penetration test, revealed how attackers can exploit parsing differences between WAF engines and web application frameworks to execute malicious code despite strict security configurations.

The vulnerability emerged during testing of an ASP.NET application protected by a highly restrictive WAF.

While the underlying Cross-Site Scripting (XSS) vulnerability was straightforward, involving breaking out of a JavaScript string delimited by single quotes, conventional XSS payloads were effectively blocked by the security system.

This scenario presented researchers with a classic challenge: demonstrating exploitability when defensive mechanisms actively prevent traditional exploitation methods.

The breakthrough came through understanding ASP.NET’s unique parameter handling behavior. When multiple HTTP parameters share the same name, ASP.NET concatenates their values using commas through the HttpUtility.ParseQueryString() method.

This documented Microsoft behavior states that “multiple occurrences of the same query string parameter are listed as a single entry with a comma separating each value.”

Ethiack analysts identified this parsing discrepancy as the key to bypassing WAF detection while maintaining valid JavaScript execution.

The attack leverages JavaScript’s comma operator, which allows multiple expressions to execute sequentially within a single statement.

By distributing malicious code across multiple parameters, researchers could construct payloads that appear benign individually but combine to form executable JavaScript.

For instance, the query string /?q=1'&q=alert(1)&q='2 becomes 1',alert(1),'2 after ASP.NET processing, creating syntactically valid JavaScript that executes the alert function when inserted into vulnerable contexts.

Technical Analysis and WAF Evasion Mechanisms

The research methodology involved testing 17 different WAF configurations across major cloud providers and security vendors, revealing significant disparities in detection capabilities.

The testing employed three distinct payload types, each demonstrating increasing sophistication in evasion techniques.

Framework parameter pollution behavior:-

The most revealing finding emerged from payload complexity analysis. Simple injection attempts achieved only a 17.6% bypass rate against tested WAFs, while sophisticated parameter pollution techniques reached 70.6% success rates.

The research identified three primary reasons for WAF vulnerability: individual parameter analysis without relationship understanding, lack of framework-specific parsing simulation, and reliance on traditional XSS signatures that miss functionally equivalent but structurally different payloads.

Payload effectiveness analysis:-

Autonomous testing systems demonstrated remarkable adaptability, discovering previously unknown bypasses for supposedly secure configurations.

Notably, Azure WAF was defeated using the payload test\';alert(1);//, which exploits parsing discrepancies in escaped character handling between WAF pattern matching and JavaScript interpretation.

The research underscores the critical need for WAFs to implement framework-specific parsing logic and context-aware analysis capabilities, though such enhancements would significantly impact performance in production environments.

Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.