
Researchers at industrial cybersecurity firm Claroty devised an attack technique for bypassing the Web Application Firewalls (WAFs) of several industry-leading vendors. The technique was discovered while conducting an unrelated experiment probing Cambium Networks’ wireless device management platform. The researchers found they could append legitimate JSON queries to benign SQL code, which prevented the WAFs from detecting SQL injection attacks and gave attackers direct access to back-end databases.
The core issue was that, in one particular case, the developers did not use a prepared statement when appending user-supplied data to a query. Instead of binding user parameters safely and sanitizing the input, they concatenated the input directly into the query string.
The technique worked against most major relational databases, including PostgreSQL, Microsoft’s MSSQL, MySQL, and SQLite. It allowed attackers to exfiltrate users’ session cookies, SSH keys, password hashes, tokens, and verification codes.
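The root cause described above, as an added example that is not Claroty’s or the platform’s own code: the string-concatenated query beside its prepared-statement replacement, run against a constructed in-memory SQLite table (SQLite being one of the databases named). A WAF is only a compensating control in front of this defect; parameterization removes it.

```python
import sqlite3

# Constructed sample data: a tiny in-memory users table standing in for
# the kind of back-end store a device management platform would query.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, session_cookie TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "cookie-aaa"), ("bob", "cookie-bbb")],
    )
    return conn


def lookup_concatenated(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable pattern: user input is appended to the query text,
    so SQL metacharacters in the input are interpreted as SQL."""
    sql = "SELECT name, session_cookie FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn: sqlite3.Connection, name: str) -> list:
    """Fixed pattern: a prepared (parameterized) statement. The input is
    bound as a value and can never change the structure of the query."""
    sql = "SELECT name, session_cookie FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name: str) -> tuple:
    """Run the same input through both variants and return both row sets."""
    conn = make_db()
    try:
        return lookup_concatenated(conn, name), lookup_prepared(conn, name)
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed inputs: a normal user name and a textbook tautology that
    # turns the WHERE clause into "always true" when concatenated.
    for label, value in (("benign", "alice"), ("hostile", "x' OR '1'='1")):
        concat, prepared = compare(value)
        print(f"{label}: concatenated -> {len(concat)} rows, "
              f"prepared -> {len(prepared)} rows")
```

With the benign name both variants return one row; with the hostile input the concatenated query dumps every row while the prepared statement returns none, because the bound value is compared literally.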
Read more about it here.