This tweet describes a bypass of a new-generation Web Application Firewall (WAF) that combines Artificial Intelligence (AI), regular expressions (regex), and Machine Learning (ML) to block a wide range of attacks, including command injection, deserialization attacks, and Server-Side Request Forgery (SSRF). Despite these detection layers, the WAF had a classical blind spot: polyglot payloads. A polyglot is a specially crafted payload that different parsers or interpreters read in different ways. The author built a polyglot that exploits this weakness, specifically in the JSON parser on the frontend.

Because a polyglot can carry different attack vectors, the technique is versatile and may apply to many types of vulnerabilities. The WAF, despite its advanced detection capabilities, did not detect the payload, which highlights how hard it is to secure applications against such multi-context attack vectors. The example underscores the importance of robust multi-layered security controls and the evolving nature of attack techniques.
Original tweet: https://twitter.com/CharlessQuinn/status/2037911190865637743