In a recent security engagement, a classic Cross-Site Scripting (XSS) vulnerability was exploited despite a restrictive Web Application Firewall (WAF) in front of the application. The technique used to bypass the WAF is HTTP Parameter Pollution (HPP). HPP works by sending several HTTP parameters with the same name and splitting the malicious payload across them to evade detection. This confuses the WAF's filtering, because the firewall often validates each parameter value on its own or handles repeated parameter names differently from the backend, which may take the first value, the last value, or join all of them. With a carefully crafted split, it becomes possible to execute JavaScript in the target application without the WAF blocking the request. The approach was effective against multiple WAF products, showing that even restrictive WAFs can be defeated by parameter manipulation. Security teams should be aware of HTTP Parameter Pollution and test how their WAF handles repeated parameters, so that the values are inspected the same way the backend will interpret them.
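The mismatch described above is easiest to see side by side: a filter that checks each value in isolation versus one that first reconstructs the values the backend could see. The following is an added example, not code from the original post or from the engagement it summarizes; the resolution rules (first, last, comma-joined, concatenated) and the crude tag regex are assumptions for illustration, not the behaviour of any specific WAF product.

```python
import re
from urllib.parse import parse_qsl

# Deliberately simple "dangerous content" heuristic: an opening tag, a
# javascript: URL, or an on*= handler. Real WAF rule sets are far richer;
# this is only here to show the per-value vs. reassembled difference.
TAG_PATTERN = re.compile(r"<\s*/?\s*[a-z][a-z0-9-]*", re.IGNORECASE)
HANDLER_PATTERN = re.compile(r"javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def parse_params(query: str) -> dict[str, list[str]]:
    """Group query-string values by name, preserving order and duplicates.

    parse_qsl percent-decodes for us, so an encoded '<' (%3C) is seen as '<'.
    """
    params: dict[str, list[str]] = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        params.setdefault(name, []).append(value)
    return params


def looks_like_script(value: str) -> bool:
    return bool(TAG_PATTERN.search(value) or HANDLER_PATTERN.search(value))


def interpretations(values: list[str]) -> dict[str, str]:
    """Assumed ways a backend may resolve a repeated parameter.

    Different frameworks pick the first value, the last value, or join all
    of them (with or without a separator). A WAF has to inspect every
    candidate, because it does not know which one the application uses.
    """
    return {
        "first": values[0],
        "last": values[-1],
        "comma_joined": ",".join(values),
        "concatenated": "".join(values),
    }


def per_value_check(query: str) -> bool:
    """Naive filter: validates each parameter value independently."""
    params = parse_params(query)
    return any(looks_like_script(v) for values in params.values() for v in values)


def hpp_aware_check(query: str) -> list[str]:
    """HPP-aware filter: flags duplicates and scans every backend interpretation.

    Returns a list of findings; an empty list means nothing suspicious.
    """
    findings: list[str] = []
    for name, values in parse_params(query).items():
        if len(values) > 1:
            findings.append(f"duplicate parameter '{name}' x{len(values)}")
        for how, combined in interpretations(values).items():
            if looks_like_script(combined):
                findings.append(f"{name} ({how}): {combined!r}")
                break  # one hit per parameter is enough to block
    return findings


if __name__ == "__main__":
    # Constructed sample requests: the second splits an inert "<script>" tag
    # across two copies of the same parameter so that no single value trips
    # the naive check, but the concatenated value does.
    samples = ["q=hello", "q=<&q=script>", "a=1&a=2"]
    for q in samples:
        print(f"{q!r:22} per-value={per_value_check(q)!s:5} hpp-aware={hpp_aware_check(q)}")
```

Running the script shows the split request passing `per_value_check` while `hpp_aware_check` both reports the duplicated name and identifies the concatenated value as a tag. In practice the safest policy is to reject or normalise repeated parameters at the edge, so that the WAF and the backend agree on exactly one value per name before any content inspection takes place.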
Original tweet: https://twitter.com/ethiack/status/1952382336286568889