Saturday, July 20, 2024

Imperva Web Application Firewall Flaw Let Attackers Bypass WAF Rules

Imperva SecureSphere WAF, a security tool for on-premise web applications, has a vulnerability in some versions that allows attackers to bypass filters when inspecting POST data. 

By sneaking malicious content past the WAF, attackers could potentially exploit security flaws in the protected web applications that the WAF would normally block, which compromises the security of the web applications shielded by the WAF. 

A critical vulnerability (CVE-2023-50969) exists in Imperva SecureSphere WAF versions that lack the update referenced in the  “Fixed Version(s)” section, allowing attackers to bypass WAF rules designed to inspect POST data, potentially enabling the exploitation of vulnerabilities in protected applications that the WAF would normally block. 

The attacker doesn’t need to authenticate and can exploit the vulnerability remotely, while it is rated critical due to the high severity of bypassing security controls. 

Run Free ThreatScan on Your Mailbox

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .

Technical Details Of The Vulnerability:

The code snippet demonstrates a PHP webshell vulnerability named clam.php, which creates a form that allows users to submit arbitrary commands through a text input field. 

Code snippet

When the form is submitted, the `system` function is used to execute the submitted command on the server, posing a security risk because it allows attackers to remotely execute arbitrary code on the server, potentially compromising the system.

The lack of proper input validation and sanitization in the code allows for the injection of malicious code through user input, which an attacker could use to upload malicious files, steal sensitive data, or deface the website.

A security vulnerability exists where a system command can be executed through a POST request with a specific parameter, where standard WAF rules typically block such attempts (e.g., reading password files). 

Attempts blocked by a standard WAF rule

By manipulating the Content-Encoding header, one can get around the rules by tricking the WAF into misinterpreting the data and allowing the malicious command to run. 

Result after modifying request

A specific WAF rule vulnerability allows attackers to bypass security by sending a malformed HTTP request with a double Content-Encoding header (“No Kill No Beep Beep” and “deflate”) followed by a throwaway parameter before the actual malicious data. 

According to the Hoya Haxa, a vulnerability was reported to Imperva on November 10th, 2023, and an update to address this vulnerability was released through Imperva’s ADC rules on February 26th, 2024, whereas  details regarding the vulnerability and the remediation process were publicly disclosed in a blog post on March 27th, 2024.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.


Latest articles

Hackers Claiming Dettol Data Breach: 453,646 users Impacted

A significant data breach has been reported by a threat actor known as 'Hana,'...

CrowdStrike Update Triggers Widespread Windows BSOD Crashes

A recent update from cybersecurity firm CrowdStrike has caused significant disruptions for Windows users,...

Operation Spincaster Disrupts Approval Phishing Technique that Drains Victim’s Wallets

Chainalysis has launched Operation Spincaster, an initiative to disrupt approval phishing scams that have...

Octo Tempest Know for Attacking VMWare ESXi Servers Added RansomHub & Qilin to Its Arsenal

Threat actors often attack VMware ESXi servers since they accommodate many virtual machines, which...

TAG-100 Actors Using Open-Source Tools To Attack Gov & Private Orgs

Hackers exploit open-source tools to execute attacks because they are readily available, well-documented, and...

macOS Users Beware Of Weaponized Meeting App From North Korean Hackers

Meeting apps are often targeted and turned into weapons by hackers as they are...

Hackers Exploiting Legitimate RMM Tools With BugSleep Malware

Since October 2023, MuddyWater, which is an Iranian threat group linked to MOIS, has...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles