This tweet describes a SQL injection (SQLi) technique for bypassing Web Application Firewalls (WAFs). The payload injects "=0')));" to close the original SQL query prematurely, then calls the SQL SLEEP(5) function to introduce a five-second delay, turning the injection into a time-based SQLi. The attacker also places comments inside the SQL query string so that basic or naive WAF filters, which look only for straightforward SQLi patterns, fail to recognise it. This is a classic example of using SQL syntax and comment tokens to evade the filtering mechanisms of many WAF products. The tweet does not name a targeted WAF vendor, so the technique should be assumed to work against any WAF that relies solely on simple pattern matching without deeper analysis. Users and security professionals should be aware that naive filtering (simply looking for specific patterns) can be defeated by inserting comments or encoding into SQL queries, and they should employ more robust WAF configurations and detection methods that normalise input before matching and can therefore handle such obfuscation.
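As an added example (not code from the tweet or its author), the Python below shows the defender's side of the point above: a naive signature for the SLEEP-based probe misses input padded with SQL comments, while the same signature run over a comment-stripped, whitespace-normalised copy of the input catches it. The sample request strings and the signature are constructed for this illustration.

```python
import re

# Constructed sample inputs: a plain time-based probe, and the same probe
# with SQL comments inserted between tokens so a literal match fails.
SAMPLE_PLAIN = "id=1=0'))); SLEEP(5)-- -"
SAMPLE_COMMENTED = "id=1=0'))/**/); SLEEP/*x*/(5)/**/-- -"

# A naive signature of the kind the text describes: it expects the token
# SLEEP to be followed immediately by a parenthesised number.
NAIVE_SIGNATURE = re.compile(r"\bSLEEP\(\s*\d+\s*\)", re.IGNORECASE)

_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
_LINE_COMMENT = re.compile(r"(--|#).*?$", re.MULTILINE)
_WHITESPACE = re.compile(r"\s+")


def normalize_sql(value: str) -> str:
    """Return a canonical form of `value` for signature matching.

    Block comments (/* */) and trailing comments (-- or #) are removed,
    runs of whitespace collapse to one space, and the gap between a
    function name and its argument list is closed, so "SLEEP /**/ (5)"
    and "SLEEP(5)" produce the same token sequence.
    """
    value = _BLOCK_COMMENT.sub("", value)
    value = _LINE_COMMENT.sub("", value)
    value = _WHITESPACE.sub(" ", value)
    value = re.sub(r"\b(\w+)\s+\(", r"\1(", value)
    return value.strip()


def naive_match(value: str) -> bool:
    """Signature applied to the raw input: what a naive filter does."""
    return NAIVE_SIGNATURE.search(value) is not None


def normalized_match(value: str) -> bool:
    """Signature applied after normalisation: sees through comment padding."""
    return NAIVE_SIGNATURE.search(normalize_sql(value)) is not None


if __name__ == "__main__":
    for sample in (SAMPLE_PLAIN, SAMPLE_COMMENTED):
        print(f"{sample!r}: naive={naive_match(sample)} "
              f"normalized={normalized_match(sample)}")
```

Normalisation of this kind belongs in the detection pipeline, not in the value handed to the application; legitimate parameters can contain "#" or "--", so the normalised copy is only for matching and alerting.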
For more insights, check out the original tweet here: https://twitter.com/kai_h/status/2047854571620560974. And don’t forget to follow @kai_h for more exciting updates in the world of cybersecurity.