CloudGuard AppSec is the only product known to pre-emptively block Claroty WAF bypass

yuvalmamka — Sun, 11 Dec 2022 14:39:48 GMT

This article originally posted by Oded Gonda, on open-appsec website here.

Claroty Team82 has developed a generic bypass for industry-leading web application firewalls (WAF). The bypass technique involves appending JSON syntax to SQL injection payloads that a WAF is unable to parse. It is explained in a detailed blog that was published on December 8th, 2022.

As part of a responsible disclosure process for vulnerabilities, Claroty approached our team with findings of the new bypass technique. Looking at the attack payloads we thought that open-appsec/CloudGuard AppSec ML-engine would block the attack based on the vast training data we use. To validate, we tested it on the same day and indeed it blocked the attack pre-emptively! We sent the product logs to the Claroty team and they confirmed “Thanks for the update. Kudos to the AppSec Team”.

You can read more about the WAF bypass technique in Claroty’s detailed blog. It explains the details of this new bypass vector and how they found that AWS WAF as well as other major WAFs were vulnerable to it:

Source: Claroty Team82 Blog

Attack Details

SQL Injection is one of the most well-known attack vectors and has been part of OWASP-Top-10 list for years. As such all WAF solutions are able to detect it. The innovation in Claroty’s bypass involved adding JSON to SQL syntax which rendered most WAFs blind to the attacks.

JSON in SQL has been supported by leading databases for many years, including Microsoft SQL Server, MySQL, SQLite, PostgresSQL and others.

Claroty team was able to craft expressions that allowed to get a true statements in SQL:

Source: Claroty Team82 Blog

They found that operands used in these queries render major WAF solutions blind to the SQL injection. At this time the five vendors fixed their code, but Claroty believes that other vendors may be vulnerable as well.

Summary

Preemptive protection against cyber attacks is critical because vulnerabilities may have been known by bad actors before publication and because it naturally takes time for everyone to fix them, also known as “vulnerability window”. These windows can sometimes be as long as months and years.

CloudGuard AppSec’s unique machine learning which is based on two models (off-line/supervised and on-line/unsupervised) sets it apart from other WAF solutions, enabling it to offer first-class security with minimal configuration or maintenance, but most importantly once and again it proves to be pre-emptive, that means blocking zero day attacks with default product settings and no software updates required.

This was proven several times in the last year for the well-known Log4Shell, Spring4Shell and Text4Shell zero day attacks and now also with Claroty's WAF bypass.

For additional information about this attack and what is emptively block, you can read the full article here.

Re: CloudGuard AppSec is the only product known to pre-emptively block Claroty WAF bypass

Blason_R — Mon, 12 Dec 2022 03:36:02 GMT

Thanks @yuvalmamka that's a wonderful explanation. I am the one who has implemented Appsec when it was pretty new and running in production with around 18 portals.

topic Re: CloudGuard AppSec is the only product known to pre-emptively block Claroty WAF bypass in WAF

CloudGuard AppSec is the only product known to pre-emptively block Claroty WAF bypass

Attack Details

Summary

Re: CloudGuard AppSec is the only product known to pre-emptively block Claroty WAF bypass