This bypass technique targets SQL Injection (SQLi) vulnerabilities by using JSON-based payloads to evade Web Application Firewall (WAF) detection. Traditional WAFs often block common SQLi payloads in query parameters because those are well-known vectors. However, when the application accepts input in JSON format, the WAF might not inspect that input thoroughly. In this approach, the attacker sends a JSON body like {"user":"admin' OR 1=1--"}, which carries a classic SQLi pattern inside the JSON structure. Since the WAF does not deeply analyze the JSON content, the payload passes through to the backend application, where it triggers the SQL Injection vulnerability. The bypass is effective because it leverages the WAF’s limited ability to inspect JSON bodies, allowing stealthy injection through JSON inputs.
For more details, check out the original tweet here: https://twitter.com/NullSecurityX/status/1935974146174820392
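The inspection gap described above can be closed by decoding the JSON body and running the same rule over every key and string value that is applied to query parameters. The sketch below is an added example, not code from the original tweet or from any WAF product; the rule, function names and sample requests are constructed for illustration, and it goes slightly beyond the single flat body in the text by also walking nested objects and arrays.

```python
import json
import re
from urllib.parse import parse_qsl

# Constructed, deliberately simple signature standing in for a WAF's SQLi rule set.
SQLI_RULE = re.compile(r"'\s*(?:or|and)\s+\d+\s*=\s*\d+|--\s*$", re.I)


def json_strings(node):
    """Yield every string in a decoded JSON document: keys and leaf values."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield key
            yield from json_strings(value)
    elif isinstance(node, list):
        for item in node:
            yield from json_strings(item)


def inspect_request(query_string, content_type, body):
    """Return (verdict, reason); verdict is 'block' or 'allow'."""
    candidates = [("query:" + k, v) for k, v in parse_qsl(query_string)]
    if content_type.split(";")[0].strip().lower() == "application/json" and body:
        try:
            doc = json.loads(body)
        except ValueError:
            # Fail closed: a body the inspector cannot parse is not waved through.
            return "block", "unparseable JSON body"
        candidates += [("json", s) for s in json_strings(doc)]
    for where, value in candidates:
        if SQLI_RULE.search(value):
            return "block", f"SQLi signature in {where}"
    return "allow", "no signature matched"


# Constructed sample requests; the second body is the one quoted in the text above.
SAMPLES = [
    ("user=admin' OR 1=1--", "text/plain", ""),
    ("", "application/json", '{"user":"admin\' OR 1=1--"}'),
    ("", "application/json; charset=utf-8", '{"profile":{"tags":["a","x\' or 2=2 --"]}}'),
    ("", "application/json", '{"user":"alice"}'),
    ("", "application/json", '{"user":'),
]

if __name__ == "__main__":
    for qs, ctype, body in SAMPLES:
        print(inspect_request(qs, ctype, body), qs or body)
```

Signature matching of this kind is only a backstop: the backend should still bind the JSON value as a query parameter rather than concatenating it into the SQL string.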