Radware Cloud Web App Firewall Flaw Allows Attackers to Bypass Security Filters
Security researchers have uncovered two critical vulnerabilities in Radware’s Cloud Web Application Firewall (WAF) that enable attackers to bypass security filters and deliver malicious payloads to protected web applications.
These flaws, designated CVE-2024-56523 and CVE-2024-56524, highlight systemic weaknesses in how the WAF processes non-standard HTTP requests and user-supplied input containing special characters.
The vulnerabilities were publicly disclosed on May 7, 2025; at the time of writing Radware had not acknowledged them, although the researcher observed what appear to be fixes in recent updates.
The first vulnerability (CVE-2024-56523) exploits the WAF's failure to inspect the body of an HTTP GET request consistently.
HTTP/1.1 does not forbid a body on a GET request (it simply assigns it no meaning), and most web servers ignore it; the bypass relies on the WAF and the backend disagreeing about that body, since some application frameworks parse body parameters regardless of the request method.
An attacker appends data to the body of a GET request, typically junk parameters or encoded padding placed alongside the real payload.
The WAF's rules are evidently not applied to that body, so the malicious content passes inspection undetected while the backend still parses it.
For example, a SQL injection payload placed in a GET body and padded with Base64-encoded junk evades the same signature rules that would catch it in the query string or in a POST body.
According to the researcher, the technique bypassed more than 70% of the security policies tested in Radware's default configuration.
The exploit requires no specialised tooling; the proof of concept is a single curl command (note that -d alone would switch curl to POST, so -X GET is needed to keep the body on a GET request):

```bash
curl -X GET "https://target.com/search?q=test" -d "junk=data&malicious=payload"
```
The lesson is broader than this product: traffic that is protocol-compliant but handled differently by the security appliance and by the origin server is exactly where filtering bypasses live.
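As an added illustration (not code from the article, the researcher, or Radware's product), the following Python model shows the parsing discrepancy the first flaw depends on, and goes a little beyond the curl one-liner by showing the backend's view as well. The "naive WAF" inspects a body only on methods that conventionally carry one; the "backend" merges query-string and body parameters for any method, which is an assumption about the application framework; the SQLi signature and the requests are constructed for the example.

```python
"""Toy model of the GET-body parsing discrepancy (added illustration, not
Radware's code). The signature, framework behaviour and request are all
constructed for the example."""
import re
from urllib.parse import parse_qs

# Deliberately simple SQLi signature: a quote followed by OR/UNION, or a comment.
SQLI_SIGNATURE = re.compile(r"(['\"]\s*(or|union)\b|--|/\*)", re.IGNORECASE)

# Methods the naive filter believes can carry a body.
BODY_METHODS = {"POST", "PUT", "PATCH"}


def naive_waf_blocks(method, query, body):
    """Always inspects the query string, but the body only on BODY_METHODS.
    This is the behaviour the bypass relies on."""
    surfaces = [query]
    if method.upper() in BODY_METHODS:
        surfaces.append(body)
    return any(SQLI_SIGNATURE.search(s) for s in surfaces)


def hardened_waf_blocks(method, query, body):
    """Inspects every byte that could reach the application, whatever the method."""
    return any(SQLI_SIGNATURE.search(s) for s in (query, body))


def backend_params(method, query, body):
    """Models a framework that merges query and body parameters for any method
    (an assumption about the backend; the method is ignored on purpose).
    Body values win over query values with the same name."""
    merged = {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}
    if body:
        merged.update({k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()})
    return merged


def simulate(method, query, body):
    """Returns (naive_blocked, hardened_blocked, value of 'q' the backend would use)."""
    return (
        naive_waf_blocks(method, query, body),
        hardened_waf_blocks(method, query, body),
        backend_params(method, query, body).get("q"),
    )


if __name__ == "__main__":
    # Constructed request: clean query string, the injection smuggled in the GET
    # body behind a junk parameter, as the curl one-liner above does.
    print(simulate("GET", "q=test", "junk=AAAA&q=' OR 1=1--"))
    # -> (False, True, "' OR 1=1--"): the naive filter passes it, the backend uses it
```

The hardened variant is the whole fix on the filtering side: inspect the body whenever one is present, not whenever the method suggests one should be. On the application side, the equivalent fix is to read parameters only from the source the endpoint expects.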
Special Character Handling Flaws
The second vulnerability (CVE-2024-56524) stems from improper input normalisation when processing requests containing non-alphanumeric characters.
Researchers found that adding symbols such as ~ or ^, or ASCII/Unicode control characters, to parameter values disrupts the WAF's tokenization, so the rule engine no longer sees the payload as a single value.
In one case study with XSS payloads, inserting %0d%0a (a URL-encoded carriage return and line feed) before a tag caused the WAF to misidentify the boundary of the input, so the request was allowed through and the script reached the application intact.
This vulnerability affects all input vectors, including headers, cookies, and POST form data.
Attackers can chain this bypass with other evasion techniques, such as case manipulation or obfuscated encodings, to maximize payload delivery success rates.
Notably, these flaws persist despite modern WAFs employing machine learning models for anomaly detection.
The Radware system’s rule engine appears to prioritize speed over comprehensive syntax analysis, creating blind spots in edge-case scenarios.
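As an added illustration (not code from the article, the researcher, or Radware's product), the following Python model reproduces the boundary confusion described above and generalises it to two related tricks the text does not show: a zero-width Unicode character inside a keyword and a double-encoded payload. The naive matcher decodes once and, like a line-oriented header parser, stops at the first CR or LF; the hardened matcher decodes until stable and strips control and format characters before matching. The signature and the inputs are constructed.

```python
"""Toy model of the control-character boundary confusion (added illustration,
not Radware's code). Signature, matcher behaviour and inputs are constructed."""
import re
import unicodedata
from urllib.parse import unquote

XSS_SIGNATURE = re.compile(r"<\s*script\b|\bon\w+\s*=|javascript:", re.IGNORECASE)
MAX_DECODE_PASSES = 3
INVISIBLE_CATEGORIES = ("Cc", "Cf")  # ASCII/Unicode control and format characters


def naive_waf_blocks(raw_value):
    """Decodes once and, like a line-oriented header parser, stops at the first
    CR or LF, so nothing after %0d%0a is ever compared with the signature."""
    decoded = unquote(raw_value)
    first_line = re.split(r"[\r\n]", decoded, maxsplit=1)[0]
    return bool(XSS_SIGNATURE.search(first_line))


def normalize(raw_value):
    """Decode until the value stops changing (bounded, so nested %25 encoding
    cannot loop forever), then drop control and format characters. Cc covers
    CR/LF and the other C0 controls; Cf covers zero-width and bidi characters
    that are used for the same boundary trick."""
    value = raw_value
    for _ in range(MAX_DECODE_PASSES):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return "".join(ch for ch in value if unicodedata.category(ch) not in INVISIBLE_CATEGORIES)


def hardened_waf_blocks(raw_value):
    """Matches the signature against the whole normalized value."""
    return bool(XSS_SIGNATURE.search(normalize(raw_value)))


def backend_reflects(raw_value):
    """What a reflecting endpoint hands to the browser after its own single decode."""
    return unquote(raw_value)


def evaluate(raw_value):
    """Returns (naive_blocked, hardened_blocked, string the backend would reflect)."""
    return naive_waf_blocks(raw_value), hardened_waf_blocks(raw_value), backend_reflects(raw_value)


if __name__ == "__main__":
    # Constructed parameter values: the CRLF case from the text, plus a
    # zero-width space (U+200B) inside "script" and a double-encoded variant.
    for raw in ("%3Cscript%3Ealert(1)%3C/script%3E",
                "%0d%0a%3Cscript%3Ealert(1)%3C/script%3E",
                "%3Cscri%E2%80%8Bpt%3Ealert(1)",
                "%250d%250a%253Cscript%253E"):
        print(raw, "->", evaluate(raw)[:2])
```

The design point is that matching must happen on the same representation the application will act on: decode as many layers as the backend will, remove characters that carry no meaning to the consumer, and only then run the rules over the complete value rather than over whatever fragment a line or token splitter produced.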
Ecosystem Impact and Mitigation Challenges
The combined risks of these vulnerabilities extend beyond individual organizations to the broader cloud security ecosystem.
Radware’s WAF protects over 15,000 enterprise applications globally, including critical infrastructure sectors like finance and healthcare.
Successful bypasses could enable large-scale data breaches, ransomware deployments, or API integrity compromises.
While the researcher observed what appear to be fixes in recent updates (v3.2.1+), Radware has not formally acknowledged the vulnerabilities or published an advisory.
This silence complicates mitigation efforts, leaving customers reliant on third-party disclosures for threat intelligence. Security teams are advised to:
- Monitor for GET requests that carry a body (a non-zero Content-Length or a Transfer-Encoding header on a GET)
- Implement secondary input validation at the application level rather than relying on the WAF alone
- Audit logs for parameter values containing ~, ^, or ASCII/Unicode control characters (after URL-decoding, so encoded forms such as %0d%0a are caught too)
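The following Python script is an added example of the first and third audit items above; it is not tooling from the article or from Radware. It runs over constructed JSON-lines access records, and the field names it reads (method, uri, request_body_bytes, cookie) are assumptions to be adapted to whatever your proxy or WAF actually exports. It flags GET and HEAD requests that carried a body, and query-string or cookie values that contain ~, ^, or control/format characters after URL-decoding.

```python
"""Log triage for the audit items above (added example, not the article's or
Radware's tooling). Records are constructed JSON lines; the field names
(method, uri, request_body_bytes, cookie) are assumptions to adapt."""
import json
import unicodedata
from urllib.parse import parse_qsl, unquote, urlsplit

BODYLESS_METHODS = {"GET", "HEAD"}
SUSPICIOUS_SYMBOLS = {"~", "^"}
INVISIBLE_CATEGORIES = ("Cc", "Cf")

# Constructed sample export: one request per line.
SAMPLE_LOG = """
{"id": 1, "method": "GET", "uri": "/search?q=test", "request_body_bytes": 0}
{"id": 2, "method": "GET", "uri": "/search?q=test", "request_body_bytes": 57}
{"id": 3, "method": "GET", "uri": "/item?item=12%7E%5E", "request_body_bytes": 0}
{"id": 4, "method": "GET", "uri": "/p?name=%0d%0a%3Cscript%3E", "request_body_bytes": 0}
{"id": 5, "method": "POST", "uri": "/login", "request_body_bytes": 41}
{"id": 6, "method": "GET", "uri": "/home", "request_body_bytes": 0, "cookie": "session=abc; pref=%5Ehigh"}
"""


def cookie_pairs(header):
    """Splits a Cookie header into (name, value) pairs; values stay raw."""
    pairs = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs.append((name, value))
    return pairs


def scan_values(source, pairs, findings):
    """Flags values containing '~', '^', or control/format characters."""
    for name, value in pairs:
        value = unquote(value)  # one extra decode so double-encoded input is seen too
        hits = sorted({ch for ch in value if ch in SUSPICIOUS_SYMBOLS})
        if hits:
            findings.append(f"{source} {name!r} contains {''.join(hits)!r}")
        ctrl = [f"U+{ord(ch):04X}" for ch in value
                if unicodedata.category(ch) in INVISIBLE_CATEGORIES]
        if ctrl:
            findings.append(f"{source} {name!r} contains control characters {', '.join(ctrl)}")


def triage_record(rec):
    """Returns the list of findings for one record ([] when nothing is unusual)."""
    findings = []
    method = rec.get("method", "").upper()
    body_bytes = int(rec.get("request_body_bytes", 0))
    if method in BODYLESS_METHODS and body_bytes > 0:
        findings.append(f"{method} with {body_bytes}-byte body")
    query = urlsplit(rec.get("uri", "")).query
    scan_values("query param", parse_qsl(query, keep_blank_values=True), findings)
    scan_values("cookie", cookie_pairs(rec.get("cookie", "")), findings)
    return findings


def triage(log_text):
    """Maps record id -> findings for every record that produced at least one."""
    results = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        findings = triage_record(rec)
        if findings:
            results[rec["id"]] = findings
    return results


if __name__ == "__main__":
    for rid, findings in triage(SAMPLE_LOG).items():
        print(rid, findings)
```

Expect some noise from the ~ and ^ checks on legitimate traffic (tilde appears in user-directory paths, for example), so treat those hits as a pivot for investigation rather than a blocking rule; a GET with a body is a much rarer event and deserves a closer look on its own.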
Researcher Oriol Gegundez, who discovered the flaws, emphasized that “WAFs cannot be treated as monolithic shields; their effectiveness depends on continuous tuning and adversarial testing.”
As cloud-native architectures proliferate, these findings underscore the urgent need for defense-in-depth strategies combining automated protection with human expertise.
Until then, organizations must assume their WAFs have blind spots and plan defenses accordingly.