
Researchers Circumvent Web Application Firewall Using JavaScript Injection and Parameter Pollution Techniques

Cybersecurity researchers have unveiled a sophisticated technique for bypassing Web Application Firewalls (WAFs) through the combination of JavaScript injection and HTTP parameter pollution. This research, conducted during an autonomous penetration test, highlighted how attackers can exploit parsing discrepancies between WAF engines and web application frameworks to execute malicious code, even under stringent security configurations. The vulnerability was identified while testing an ASP.NET application that was protected by a highly restrictive WAF. Although the underlying Cross-Site Scripting (XSS) vulnerability was relatively straightforward, involving the escape of a JavaScript string delimited by single quotes, conventional XSS payloads were effectively blocked by the security system. This scenario posed a significant challenge for researchers, who needed to demonstrate exploitability in the face of active defensive mechanisms.

The breakthrough in this research stemmed from an understanding of ASP.NET’s unique parameter handling behaviour. When multiple HTTP parameters share the same name, ASP.NET concatenates their values using commas via the HttpUtility.ParseQueryString() method. This documented behaviour from Microsoft indicates that “multiple occurrences of the same query string parameter are listed as a single entry with a comma separating each value.” Analysts from Ethiack identified this parsing discrepancy as the key to bypassing WAF detection while still executing valid JavaScript.

The attack utilises JavaScript’s comma operator, which allows multiple expressions to execute sequentially within a single statement. By distributing malicious code across multiple parameters, researchers constructed payloads that appeared benign individually but combined to form executable JavaScript. For example, the query string `/?q=1'&q=alert(1)&q='2` transforms into `1',alert(1),'2` after ASP.NET processing, resulting in syntactically valid JavaScript that executes the alert function when inserted into vulnerable contexts.
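To make the discrepancy concrete from the defender's side, the added example below (not code from the research or from Ethiack) emulates ASP.NET's comma-joining of duplicate parameters and contrasts a check that inspects each raw value separately with one that inspects the value as the backend will actually see it. The query string is the article's own example; the detection regex is an illustrative rule constructed here, not a real WAF signature.

```python
import re
from urllib.parse import parse_qs

# Constructed query string mirroring the article's example: three copies of q.
EXAMPLE_QUERY = "q=1'&q=alert(1)&q='2"

# Illustrative rule (assumption, not a vendor signature): a closing quote,
# the JavaScript comma operator, then a function call. Each fragment on its
# own lacks this shape; only the comma-joined value has it.
SPLICE_RE = re.compile(r"""['"]\s*,\s*[A-Za-z_$][\w$]*\s*\(""")


def raw_values(query: str) -> dict[str, list[str]]:
    """Every occurrence kept separately, as a WAF inspecting values one by one sees them."""
    return parse_qs(query, keep_blank_values=True)


def aspnet_merge(query: str) -> dict[str, str]:
    """Emulate ASP.NET's documented behaviour: duplicate values joined with commas."""
    return {name: ",".join(vals) for name, vals in raw_values(query).items()}


def flags_per_value(query: str) -> bool:
    """Inspect each raw value in isolation; the splice never appears in any of them."""
    return any(SPLICE_RE.search(v) for vals in raw_values(query).values() for v in vals)


def flags_merged(query: str) -> bool:
    """Normalise the way the backend does, then inspect the merged value."""
    return any(SPLICE_RE.search(v) for v in aspnet_merge(query).values())


if __name__ == "__main__":
    print(aspnet_merge(EXAMPLE_QUERY))     # {'q': "1',alert(1),'2"}
    print(flags_per_value(EXAMPLE_QUERY))  # False: fragments look harmless alone
    print(flags_merged(EXAMPLE_QUERY))     # True: merged value shows the splice
```

The practical takeaway is that a WAF rule set sitting in front of ASP.NET should normalise repeated parameters with the same comma-join semantics before inspection, since the framework's merged view is the one the application executes.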

The research methodology involved testing 17 different WAF configurations across major cloud providers and security vendors, revealing significant disparities in detection capabilities. The testing employed three distinct payload types, each demonstrating increasing sophistication in evasion techniques. The analysis of framework parameter pollution behaviour yielded notable results. For instance, in ASP.NET, the input param=val1&param=val2 results in param=val1,val2, while in other frameworks like ASP, Golang net/http, Python – Zope, and Node.js, the outputs varied. The most revealing finding emerged from the complexity analysis of payloads, where simple injection attempts achieved only a 17.6% bypass rate. This highlights the ongoing challenges in web security and the need for continuous improvement in WAF technologies. 

Categories: Web Application Firewalls, JavaScript Injection Techniques, HTTP Parameter Pollution 

Tags: Web Application Firewalls, JavaScript Injection, HTTP Parameter Pollution, Cross-Site Scripting, ASP.NET, Payload Complexity, WAF Evasion, Security Configurations, Malicious Code, Vulnerability Analysis 
