WAFFLED: Exploiting Parsing Discrepancies to Bypass Web Application Firewalls
Seyed Ali Akhavani, Bahruz Jabiyev, Ben Kallus, Cem Topcuoglu, Sergey Bratus, Engin Kirda
TL;DR
WAFFLED investigates bypassing Web Application Firewalls by exploiting parsing discrepancies between WAFs and web application frameworks across the content-types multipart/form-data, application/xml, and application/json. Using a grammar-based fuzzing pipeline, it discovers 1207 unique bypasses across five major WAFs and six frameworks and validates the findings with a real-world interchangeability study showing that over 90% of sites accept interchangeable content-types. The authors introduce HTTP-Normalizer to enforce RFC-compliant parsing, which blocks all bypasses in their tests and demonstrates practical mitigation. The work highlights critical security risks due to inconsistent HTTP parsing and calls for RFC-aligned parsers in WAFs and frameworks, with bug bounty acknowledgments from vendors.
Abstract
Web Application Firewalls (WAFs) have been introduced as essential and popular security gates that inspect incoming HTTP traffic to filter out malicious requests and provide defenses against a diverse array of web-based threats. Evading WAFs can compromise these defenses, potentially harming Internet users. In recent years, parsing discrepancies have plagued many entities in the communication path; however, their potential impact on WAF evasion and request smuggling remains largely unexplored. In this work, we present an innovative approach to bypassing WAFs by uncovering and exploiting parsing discrepancies through advanced fuzzing techniques. By targeting non-malicious components such as headers and segments of the body and using widely used content-types such as application/json, multipart/form-data, and application/xml, we identified and confirmed 1207 bypasses across 5 well-known WAFs: AWS, Azure, Cloud Armor, Cloudflare, and ModSecurity. To validate our findings, we conducted a study in the wild, revealing that more than 90% of websites accepted both application/x-www-form-urlencoded and multipart/form-data interchangeably, highlighting a significant vulnerability and the broad applicability of our bypass techniques. We have reported these vulnerabilities to the affected parties and received acknowledgments from all, as well as bug bounty rewards from some vendors. Further, to mitigate these vulnerabilities, we introduce HTTP-Normalizer, a robust proxy tool designed to rigorously validate HTTP requests against current RFC standards. Our results demonstrate its effectiveness in normalizing or blocking all bypass attempts presented in this work.
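As an added illustration of the strict, RFC-aligned request validation the abstract argues for (example code written here, not the authors' HTTP-Normalizer or any of its source): a Python validator that rejects a request unless it carries exactly one well-formed Content-Type, that type is the single media type the endpoint expects (so application/x-www-form-urlencoded and multipart/form-data are never accepted interchangeably), and the body is consistent with it. The media-type grammar follows RFC 9110; the multipart preamble policy, the function names and the sample requests are this example's own assumptions.

```python
import json
import re
from typing import Dict, List, Tuple

# RFC 9110 media-type grammar: type "/" subtype *( OWS ";" OWS parameter )
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
MEDIA_TYPE = re.compile(
    rf"^({TCHAR})/({TCHAR})((?:[ \t]*;[ \t]*{TCHAR}=(?:{TCHAR}|{QUOTED}))*)$")
PARAM_RE = re.compile(rf"[ \t]*;[ \t]*({TCHAR})=({TCHAR}|{QUOTED})")

def parse_content_type(value: str):
    """Strict parse: (media_type, params), or None for anything malformed or
    ambiguous (bad token chars, trailing junk, duplicate parameters)."""
    m = MEDIA_TYPE.match(value.strip(" \t"))
    if not m:
        return None
    params: Dict[str, str] = {}
    for pm in PARAM_RE.finditer(m.group(3)):
        name, val = pm.group(1).lower(), pm.group(2)
        if name in params:
            return None  # duplicate parameter: implementations disagree on which wins
        if val.startswith('"'):
            val = re.sub(r"\\(.)", r"\1", val[1:-1])  # unescape quoted-string
        params[name] = val
    return f"{m.group(1)}/{m.group(2)}".lower(), params

def validate_request(headers: List[Tuple[str, str]], body: bytes, expected: str):
    """(accepted, reason): one well-formed Content-Type, equal to the endpoint's expected type, body consistent."""
    values = [v for k, v in headers if k.lower() == "content-type"]
    if len(values) != 1:
        return False, "exactly one Content-Type header is required"
    parsed = parse_content_type(values[0])
    if parsed is None:
        return False, "malformed or ambiguous Content-Type"
    media, params = parsed
    if media != expected:  # do not accept content-types interchangeably
        return False, f"endpoint accepts {expected}, got {media}"
    if media == "multipart/form-data":
        boundary = params.get("boundary", "")
        # Conservative policy (assumption): body must open with the declared dash-boundary; no preamble.
        if not (boundary and boundary.isascii()
                and body.startswith(b"--" + boundary.encode())):
            return False, "multipart body does not begin with declared boundary"
    elif media == "application/json":
        try:
            json.loads(body)
        except ValueError:
            return False, "body is not valid JSON"
    return True, media
```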
