Description:
This article describes how FortiWeb's Machine Learning for Anomaly Detection detects and blocks the WAF evasion technique described below out of the box, without requiring any special configuration.
Security researchers recently published several blog posts describing a method for bypassing several vendors' WAF solutions. The method appends JSON (JavaScript Object Notation) syntax to SQL injection payloads so that the malicious requests slip past the WAF. Attackers could then use these techniques to gain access to a backend database and chain additional vulnerabilities to exfiltrate information, either through direct access to the server or over the cloud.
Fortinet customers using the FortiWeb web application firewall are protected against this type of evasion technique using FortiWeb's Machine Learning for Anomaly Detection.
Scope:
FortiWeb
Solution:
The attack:
The researchers crafted new SQLi payloads by appending JSON syntax. Because these payloads are not 'Commonly Known Threats', they could go unnoticed by a WAF. SQL injection has long been part of the OWASP Top 10, and JSON syntax is supported by databases such as MySQL, PostgreSQL and SQLite to extract data; combined with SQLi it becomes exploitable.
- PostgreSQL: '{"b":2}'::jsonb <@ '{"a":1, "b":2}'::jsonb   (Is the left JSON contained in the right one? True.)
- SQLite: '{"a":2,"c":[4,5,{"f":7}]}' -> '$.c[2].f' = 7   (Does the extracted value of this JSON equal 7? True.)
- MySQL: JSON_EXTRACT('{"id": 14, "name": "Aztalan"}', '$.name') = 'Aztalan'   (Does the extracted value of this JSON equal 'Aztalan'? True.)
Source: Claroty
To see the impact of this attack, an OWASP Juice Shop web application was set up.
One of the payloads from Claroty's research is used to identify the database behind this application.
When making a GET request to the web application with the URL below, the application returns an SQLite error. This gives an attacker enough information to adjust the broken syntax or to extract information from the database using techniques such as Blind SQL injection.
Attack URL: http://juiceshop.cloudteamapp.com/rest/products/search?q='{"a":2,"c":[4,5,{"f":7}]}' -> '$.c[2].f' = 7
The web page shows an SQLite error, but by adjusting the syntax the attacker can gain access to the database and extract information.
For example, a Blind SQL injection URL can extract information as below:
http://juiceshop.cloudteamapp.com/rest/products/search?q='))--
FortiWeb WAF Protection:
FortiWeb protects your applications and APIs using a variety of protection mechanisms. Two important ones are:
1) Blocking known attacks using signatures from FortiGuard services.
2) Leveraging two layers of ML to detect zero-day attacks.
Blocking known attacks using signatures can be set up using the Web Protection Profile.
The following document describes how to set up a server policy and protection profiles:
https://docs.fortinet.com/document/fortiweb/7.0.4/administration-guide/201872/configuring-a-server-p...
To enable Machine Learning in the policy, follow the link here:
https://docs.fortinet.com/document/fortiweb/7.0.4/administration-guide/94907/ml-based-anomaly-detect...
How is the Machine Learning Anomaly Detection model built?
FortiWeb uses a machine learning model to analyze the parameters in the domain and decide whether the value of each parameter is legitimate or not.
The machine learning model is built upon a vast amount of parameter value samples collected from real requests to the domain.
The traffic should meet all the following conditions to be treated as a sample:
- The response code of the response packet must be 200 or 302;
- The response content type of the response packet must be text or HTML;
- The request packet must have parameter(s) in the URL or body.
FortiWeb analyzes the characteristics of the patterns and builds an initial model when 400 samples are collected. The system runs the initial model to detect anomalies, while it keeps collecting more samples to refine it.
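As an added illustration (not FortiWeb's code or algorithm), the Python sketch below applies the three sample conditions listed above, builds a per-parameter profile from 400 constructed benign product searches, and only then starts returning verdicts; it flags both payloads from this article as anomalies. The profile features (maximum length and punctuation seen during learning) and the treatment of unknown parameters are assumptions made for this example.

```python
# Added illustration of the sample-based parameter profiling the article describes.
# Not FortiWeb's model: the sample conditions follow the article; the per-parameter
# features (max length, punctuation seen) are a simplification constructed here.
from urllib.parse import urlparse, parse_qs

SAMPLE_THRESHOLD = 400  # initial model is built once this many samples are collected
SEARCH = "http://juiceshop.cloudteamapp.com/rest/products/search?q="
ATTACK_URLS = [  # the two payloads shown in the article
    SEARCH + """'{"a":2,"c":[4,5,{"f":7}]}' -> '$.c[2].f' = 7""",
    SEARCH + """' or data @> '{"a":"b"}'--""",
]

def qualifies_as_sample(status, content_type, url):
    """Article's three conditions: status 200/302, text or HTML body, parameters present."""
    has_params = bool(parse_qs(urlparse(url).query))
    return status in (200, 302) and content_type.startswith("text/") and has_params

def _punct(value):
    return {c for c in value if not c.isalnum() and not c.isspace()}

class AnomalyModel:
    def __init__(self):
        self.profiles = {}  # (path, parameter) -> [max_len, punctuation seen]
        self.samples = 0
    def observe(self, status, content_type, url):
        """Learning phase: only qualifying traffic updates the per-parameter profiles."""
        if not qualifies_as_sample(status, content_type, url):
            return
        p = urlparse(url)
        for name, values in parse_qs(p.query).items():
            prof = self.profiles.setdefault((p.path, name), [0, set()])
            for v in values:
                prof[0] = max(prof[0], len(v))
                prof[1] |= _punct(v)
        self.samples += 1
    def verdict(self, url):
        if self.samples < SAMPLE_THRESHOLD:
            return "learning"  # model not built yet; traffic is only being collected
        p = urlparse(url)
        for name, values in parse_qs(p.query).items():
            prof = self.profiles.get((p.path, name))
            # unknown parameter, novel punctuation (quotes, braces, JSON operators),
            # or a value far longer than anything seen during learning (assumed rules)
            if prof is None or any(_punct(v) - prof[1] or len(v) > 2 * prof[0] for v in values):
                return "anomaly"
        return "normal"

def build_demo_model(n=SAMPLE_THRESHOLD):
    """Constructed baseline: ordinary product searches answered with 200 text/html."""
    model = AnomalyModel()
    benign = ["apple juice", "banana", "Lemon 500ml", "best-seller", "orange"]
    for i in range(n):
        model.observe(200, "text/html; charset=utf-8", SEARCH + benign[i % len(benign)])
    return model
```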
The running model on FortiWeb is shown below:
The ML event log shows several events for the URL /rest/products/search and parameter q, from the stage of building the ML model to running the ML model.
With Machine Learning Anomaly Detection turned on, the attack from above is retried:
http://juiceshop.cloudteamapp.com/rest/products/search?q='{"a":2,"c":[4,5,{"f":7}]}' -> '$.c[2].f' = 7
FortiWeb returns a block page, and the attack never reaches the backend server.
Analyzing the attack log on FortiWeb shows the following:
Similarly, trying a different attack:
http://juiceshop.cloudteamapp.com/rest/products/search?q=' or data @> '{"a":"b"}'--