In this bypass, major Web Application Firewalls (WAFs), including Cloudflare, AWS WAF, Akamai, and Imperva, inspect the raw HTTP request body for attack signatures, whereas JSON parsers normalize escape sequences before handing the data to the application. This mismatch between what the WAF inspects and what the JSON parser produces allows WAF protections to be bypassed by encoding malicious payloads as JSON escape sequences: the WAF sees only the encoded form and does not recognize the attack signature, while the application receives the decoded malicious input after JSON parsing. The technique can be leveraged to evade detection by several leading WAF products and applies to various vulnerability classes, such as XSS, SQL injection, and RCE, depending on the payload used. Effective mitigation requires WAFs to understand JSON parsing behavior or to inspect post-parsing data, so that attacks are detected consistently regardless of encoding.
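The mismatch described above, and the mitigation it calls for, as an added example that is not code from the original post or from any of the named WAF vendors: the first matcher inspects the raw body the way the summary says the WAFs do, the second parses the JSON first and runs the same signatures over every decoded string value (keys and nested arrays included, which generalizes slightly beyond the single-field case). The signature list and sample bodies are constructed for illustration, not a real ruleset.

```python
import json
import re

# Constructed, illustrative signatures (not a real WAF ruleset).
SIGNATURES = [
    re.compile(r"<script", re.IGNORECASE),
    re.compile(r"union\s+select", re.IGNORECASE),
]


def raw_body_matches(body: str) -> bool:
    """Inspect the raw request body, as the summary says the WAFs do.
    JSON escapes such as \\u003c are never decoded here, so an escaped
    payload does not match."""
    return any(sig.search(body) for sig in SIGNATURES)


def _walk_strings(node):
    """Yield every string the application will see after JSON parsing:
    keys, values, and strings nested in objects or arrays."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield key
            yield from _walk_strings(value)
    elif isinstance(node, list):
        for item in node:
            yield from _walk_strings(item)


def decoded_body_matches(body: str) -> bool:
    """Mitigation: parse the JSON body first, then match signatures against
    the decoded strings (post-parsing data). Bodies that are not valid JSON
    fall back to raw inspection; the raw check is kept as well so decoding
    never weakens detection."""
    try:
        doc = json.loads(body)
    except ValueError:
        return raw_body_matches(body)
    decoded_hit = any(sig.search(s) for s in _walk_strings(doc) for sig in SIGNATURES)
    return decoded_hit or raw_body_matches(body)


# Constructed sample bodies: the same payload plain, JSON-escaped, and a benign one.
PLAIN = '{"comment": "<script>alert(1)</script>"}'
ESCAPED = '{"comment": "\\u003cscript\\u003ealert(1)\\u003c/script\\u003e"}'
BENIGN = '{"items": [{"note": "hello world"}], "count": 1}'
```

Running both matchers over `ESCAPED` shows the gap directly: the raw check misses it, the post-parsing check catches it.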
Original tweet: https://twitter.com/trace37_labs/status/2034753878374130089