Published 9 months ago
Cycloctane
Updated 9 months ago
SafeLine WAF does not implement HTTP Content-Encoding as defined in RFC 9110. This makes SafeLine vulnerable to protocol-level WAF evasion.
According to RFC 9110, Content-Encoding can be applied to both HTTP requests and responses. Although it is less common in requests, many widely deployed application servers support it by default (and often without documenting it), such as Apache httpd with mod_deflate, Node.js, and aiohttp.
However, SafeLine WAF is unable to decode and inspect encoded request bodies, which allows attackers to bypass WAF protection whenever the protected backend application uses one of the above servers or web frameworks.
echo "{\"sqli\": \"' or 1=1 --\"}" | gzip -f | curl --http1.1 -X POST --data-binary @- -H "Content-Encoding: gzip" -H "Content-Type: application/json" http://waf-protected.com
Content-Encoding header. The malicious request is successfully forwarded and processed by Express.js. SafeLine users who use the WAF to protect Node.js-based web applications (or any other web server that supports request Content-Encoding) are vulnerable to WAF evasion.
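As an added illustration (not code from the report or from SafeLine), the following Python sketch shows what an inspecting proxy has to do with RFC 9110 request content-codings before running its rules: undo gzip/deflate under a size cap, fail closed on any coding it cannot decode, and only then match. The `decode=False` path reproduces the reported behaviour, rules running over the still-compressed bytes; the signature list, size cap and helper names are assumptions.

```python
import gzip
import zlib
from typing import Optional

# Constructed, illustrative rule set: one SQL-tautology signature stands in for the WAF's rules.
SUSPICIOUS_PATTERNS = (b"' or 1=1", b"or 1=1 --")
MAX_DECODED_BYTES = 1 << 20  # cap on decompressed size, so decoding cannot become a decompression bomb


def decode_request_body(body: bytes, content_encoding: Optional[str]) -> bytes:
    """Undo the Content-Encoding codings (RFC 9110, section 8.4) so the real body can be inspected.

    Codings are listed in the order they were applied, so they are removed in reverse.
    Anything the inspector cannot decode raises ValueError: fail closed, never forward blind.
    """
    if not content_encoding:
        return body
    codings = [c.strip().lower() for c in content_encoding.split(",") if c.strip()]
    for coding in reversed(codings):
        if coding in ("gzip", "x-gzip"):
            body = zlib.decompressobj(16 + zlib.MAX_WBITS).decompress(body, MAX_DECODED_BYTES + 1)
        elif coding == "deflate":  # zlib-wrapped deflate, as the RFC defines it
            body = zlib.decompressobj().decompress(body, MAX_DECODED_BYTES + 1)
        elif coding == "identity":
            continue
        else:
            raise ValueError(f"unsupported content-coding: {coding}")
        if len(body) > MAX_DECODED_BYTES:
            raise ValueError("decoded body exceeds inspection limit")
    return body


def inspect_request(headers: dict, body: bytes, decode: bool = True) -> str:
    """Return 'allow', 'block' or 'reject'. decode=False mirrors the reported SafeLine behaviour."""
    encoding = next((v for k, v in headers.items() if k.lower() == "content-encoding"), None)
    if decode:
        try:
            body = decode_request_body(body, encoding)
        except (ValueError, zlib.error):
            return "reject"  # undecodable or oversized: do not forward what was not inspected
    lowered = body.lower()
    return "block" if any(p in lowered for p in SUSPICIOUS_PATTERNS) else "allow"


def gzip_body(data: bytes) -> bytes:
    """Helper: gzip-encode a request body the way `gzip -f` does in the PoC above."""
    return gzip.compress(data)


if __name__ == "__main__":
    payload = gzip_body(b'{"sqli": "\' or 1=1 --"}')
    print(inspect_request({"Content-Encoding": "gzip"}, payload, decode=False))  # allow (the evasion)
    print(inspect_request({"Content-Encoding": "gzip"}, payload))  # block
```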