
AdvSQLi: Generating Adversarial SQL Injections against Real-world WAF-as-a-service

Zhenqing Qu, Xiang Ling, Ting Wang, Xiang Chen, Shouling Ji, Chunming Wu

TL;DR

AdvSQLi addresses critical vulnerabilities in WAF-as-a-service by introducing a semantic-preserving adversarial SQL injection framework. It represents SQLi payloads as hierarchical trees, mutates them via a context-free grammar with weighted rules, and steers exploration using Monte-Carlo Tree Search to produce many semantically equivalent, malicious payloads. Empirical results show AdvSQLi achieves up to 100% attack success against ML-based detectors and successfully bypasses seven real-world WAF-as-a-service products, revealing weaknesses in signature-based and some ML defenses. The work highlights actionable defense directions, including adversarial training and multi-modal detection, and calls for rethinking WAF design and JSON parsing robustness in cloud deployments.

Abstract

As the first defensive layer that attacks would hit, the web application firewall (WAF) plays an indispensable role in defending against malicious web attacks like SQL injection (SQLi). With the development of cloud computing, WAF-as-a-service, as one kind of Security-as-a-service, has been proposed to facilitate the deployment, configuration, and update of WAFs in the cloud. Despite its tremendous popularity, the security vulnerabilities of WAF-as-a-service are still largely unknown, which is highly concerning given its massive usage. In this paper, we propose a general and extendable attack framework, namely AdvSQLi, in which a minimal series of transformations are performed on the hierarchical tree representation of the original SQLi payload, such that the generated SQLi payloads can not only bypass WAF-as-a-service under black-box settings but also keep the same functionality and maliciousness as the original payload. With AdvSQLi, we make it feasible to inspect and understand the security vulnerabilities of WAFs automatically, helping vendors make products more secure. To evaluate the attack effectiveness and efficiency of AdvSQLi, we first employ two public datasets to generate adversarial SQLi payloads, leading to a maximum attack success rate of 100% against state-of-the-art ML-based SQLi detectors. Furthermore, to demonstrate the immediate security threats caused by AdvSQLi, we evaluate the attack effectiveness against 7 WAF-as-a-service solutions from mainstream vendors and find all of them are vulnerable to AdvSQLi. For instance, AdvSQLi achieves an attack success rate of over 79% against the F5 WAF. Through in-depth analysis of the evaluation results, we further condense out several general yet severe flaws of these vendors that cannot be easily patched.

Paper Structure (22 sections, 2 equations, 9 figures, 11 tables, 2 algorithms)

Figures (9)

  • Figure 1: Illustration of how our proposed attack AdvSQLi can bypass the WAF-as-a-service to acquire all users' information, compared with the ordinary attacker and the innocent user. Note that the architecture of the infrastructures in production environments may be more complicated than in this diagram, yet it does not impact the effectiveness of AdvSQLi.
  • Figure 2: The pipeline of AdvSQLi: It first represents the original SQLi payload with a hierarchical tree, and then employs a weighted mutation strategy based on the context-free grammar to generate a set of equivalent SQLi payloads, which keep the same functionality and maliciousness as the original one. Then, it exploits MCTS to efficiently guide the exploration of adversarial SQLi payloads in the vast space. It is noted that only parts of the Hierarchical Tree are shown for simplicity.
  • Figure 3: Workflow of evaluation.
  • Figure 4: VGP of AdvSQLi and relationship between VGP and ASR of WAF-A-MoLE. The horizontal blue line means that the VGP of AdvSQLi is always 100%. The descending orange line refers to the changing trend of the VGP of WAF-A-MoLE with the number of attack steps, which is the average value under various runtime environments. The rising lines refer to the changing trend of the ASR with the number of attack steps.
  • Figure 5: Relationships between ASR and Query (within 100) when attacking against SQLi detection. The grey dotted line results from the AdvSQLi(R) under the default settings.