Saturday, 27 October 2018

Cloudflare WAF Bypass Vulnerability Discovered

Web Application Firewall, or WAF, serves as a primary defence against malicious attacks on web based products. However, like any other technology, WAF’s are also prone to security bugs. A researcher discovered an interesting bypass in the case of CloudFlare. Reportedly, he found a critical CloudFlare vulnerability that allegedly bypassed WAF protection, therefore making the websites vulnerable to cyber attacks. Fortunately, the bug has received a patch before disclosure. The researcher shared his findings in a blog post on Thursday. He also shared the POC in a video.

Open Source WAF Vulnerability Allowing Malicious SQL Codes

Recently, a researcher from cybersecurity firm Open Data Security discovered a serious problem with CloudFlare. As disclosed by the researcher Daniel Fariña Hernández, a CloudFlare vulnerability could disable the WAF leaving the websites vulnerable to malicious attacks.
Explaining about the reason behind his work, Farina stated,
“Like any other application, a WAF has vulnerabilities and if it fails, your application is exposed to attacks. “
To prove his speculation, he initially highlighted a serious vulnerability in the case of Nginx. He noticed that the open source WAFs referred herewith could not recognize requests with multiple parameters (around 100)
“Nginx is a web server that is responsible for processing web requests. It is a stable and versatile tool that allows developers to focus on the implementation of WAF through different scripts written in LUA. Most of these open source WAF’s have the same problem: they don’t take into account that the module responsible for the integration of LUA in Nginx (lua-nginx-module) doesn’t allow access to all the information of a request.”
Nonetheless, he also quoted the statement mentioned in the module documentation, that reads,
“Note that a maximum of 100 request arguments are parsed by default (including those with the same name) and that additional request arguments are silently discarded to guard against potential denial of service attacks.”
This shows that all the proactive security features of WAFs go in vain upon encountering requests having longer parameters.
“This means that no matter how effective a WAF is in detecting attacks, there is certain data that is invisible to its analysis. If the parameters that contain malicious data are outside the scope to which the WAF has access, it will be totally unusable.”
Below is his video demonstrating LUA-Nginx WAFs Bypass already well-documented.

CloudFlare Vulnerability Disabled WAF

According to the researcher, he found a similar vulnerability in the case of CloudFlare. He observed that CloudFlare too did not detect any malicious requests carrying more parameters. Below is his demonstration of CloudFlare vulnerability.

He also noticed the same bug affecting Cloudbric as well. However, exploiting this bug in the latter case may require changing the value of some parameters in the request.
The researcher found this vulnerability while testing ODS’s Wolf-Ray WAF. He also explained that they have notified the companies of this vulnerability before disclosure.
Take your time to comment on this article.

No comments:

Post a Comment