Categories: Cyber Security News

Researchers Bypass WAFs to Deliver XSS Payloads Using Parameter Pollution

Security researchers at Ethiack have discovered a sophisticated method to bypass Web Application Firewalls (WAFs) using HTTP Parameter Pollution techniques, successfully circumventing 70.6% of tested configurations, including those from AWS, Azure, and other major cloud providers.

The breakthrough research demonstrates how attackers can exploit fundamental parsing differences between WAF engines and web applications to execute malicious JavaScript code despite security protections.

Parameter Pollution Exploits Framework Parsing Differences

The core vulnerability lies in how different web frameworks handle duplicate HTTP parameters.

When ASP.NET encounters multiple parameters with the same name, it concatenates their values using commas through the HttpUtility.ParseQueryString() method.

This behavior creates an opportunity for sophisticated bypasses when combined with JavaScript injection contexts.

Researchers demonstrated the technique using a payload structure like /?q=1'&q=alert(1)&q='2, which ASP.NET processes into 1',alert(1),'2.

When inserted into a JavaScript context such as userInput = 'USER_CONTROLLED_DATA';, the result becomes userInput = '1',alert(1),'2'; – syntactically valid JavaScript that executes the alert function due to JavaScript’s comma operator semantics.

The research team tested three increasingly complex payloads across 17 WAF configurations.

The simplest payload q=';alert(1),' achieved a 17.6% bypass rate, while the most sophisticated approach using line breaks and string concatenation q=1'%0aasd=window&q=def="al"+"ert"&q=asd[def](1)+' successfully bypassed 70.6% of tested configurations.
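The parsing difference described above, as an added example that is not part of the Ethiack research or of any framework's code: a simplified query-string parser whose duplicate-name policy can be switched between the comma-join behaviour the article attributes to ASP.NET and two other policies ('first-wins' and 'last-wins', assumed here as stand-ins for other stacks), the JavaScript-string sink from the article, a hardened version of that sink, and a helper that flags requests carrying duplicated parameter names. Running the article's `/?q=1'&q=alert(1)&q='2` through it shows why the payload is only syntactically valid under comma-join, and that encoding the value as a JSON string literal keeps it inert whatever the parser does.

```javascript
// Added example, not code from the Ethiack research or from any framework.
// It models the duplicate-parameter handling the article describes, feeds the
// result into the JavaScript-string sink from the article, and shows the output
// encoding that keeps the payload inert regardless of the parser in front.

// Simplified query-string parser with three duplicate-name policies.
// 'comma-join' follows the ASP.NET behaviour described in the article;
// 'first-wins' and 'last-wins' are assumptions standing in for other stacks.
function parseQuery(query, policy = 'comma-join') {
  const params = Object.create(null);
  for (const pair of query.replace(/^[^?]*\?/, '').split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const name = decodeURIComponent(eq < 0 ? pair : pair.slice(0, eq));
    const raw = eq < 0 ? '' : pair.slice(eq + 1);
    const value = decodeURIComponent(raw.replace(/\+/g, ' '));
    if (!(name in params)) {
      params[name] = value;
    } else if (policy === 'comma-join') {
      params[name] += ',' + value;
    } else if (policy === 'last-wins') {
      params[name] = value;
    } // 'first-wins': keep the value already stored
  }
  return params;
}

// Detection helper: parameter names that occur more than once in a request.
function duplicatedNames(query) {
  const counts = new Map();
  for (const pair of query.replace(/^[^?]*\?/, '').split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const name = decodeURIComponent(eq < 0 ? pair : pair.slice(0, eq));
    counts.set(name, (counts.get(name) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n > 1).map(([name]) => name);
}

// The sink from the article: a server-side template writing into a JS string.
function renderUnsafe(value) {
  return `userInput = '${value}';`;
}

// Hardened sink: JSON.stringify escapes quotes, backslashes and control
// characters; the extra replace escapes characters that matter inside a
// <script> element (</script>) or in older engines (U+2028/U+2029).
function renderSafe(value) {
  const literal = JSON.stringify(value).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
  return `userInput = ${literal};`;
}

// Runs the rendered statement with alert() replaced by a counter, so the
// comma-operator effect can be observed without a browser. A SyntaxError
// means the injected quote broke the script instead of executing.
function evaluateSink(js) {
  let alertCalls = 0;
  const fakeAlert = () => { alertCalls += 1; };
  try {
    const body = `var userInput;\n${js}\nreturn userInput;`;
    const userInput = new Function('alert', body)(fakeAlert);
    return { ok: true, alertCalls, userInput };
  } catch (e) {
    return { ok: false, alertCalls, error: e.name };
  }
}

// Payload quoted in the article.
const PAYLOAD = "/?q=1'&q=alert(1)&q='2";

// For each policy: the value the application sees, and what happens when it
// lands in the unsafe and the hardened sink.
function demo() {
  const results = {};
  for (const policy of ['comma-join', 'first-wins', 'last-wins']) {
    const q = parseQuery(PAYLOAD, policy).q;
    results[policy] = {
      value: q,
      unsafe: evaluateSink(renderUnsafe(q)),
      safe: evaluateSink(renderSafe(q)),
    };
  }
  return results;
}

console.log('duplicated names:', duplicatedNames(PAYLOAD));
console.log(JSON.stringify(demo(), null, 2));
```

Under comma-join the unsafe sink yields `userInput = '1',alert(1),'2';`: the assignment binds tighter than the comma operator, so `userInput` ends up as `'1'`, the stub `alert` is called once, and the statement is valid. Under the other two policies the stray quote produces a SyntaxError rather than execution, which is why the comma-join behaviour is the interesting one. The hardened sink never calls `alert` under any policy and preserves the value byte for byte.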

AI-Powered Testing Reveals Additional Vulnerabilities

Ethiack’s autonomous AI pentesting engine, dubbed “hackbot,” discovered additional bypasses that manual testing had missed.

The AI system found a surprisingly simple bypass for Azure WAF’s Microsoft Default Rule Set 2.1 using the payload test\';alert(1);//, which exploited parsing discrepancies in how the WAF handles escaped characters compared to JavaScript processing.
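Why `test\';alert(1);//` defeats an escaper that only handles the quote, as an added example that is not code from the Ethiack research or from Azure WAF: the attacker-supplied backslash absorbs the backslash the escaper inserts, so the quote still terminates the string and the `//` hides the rest of the line. The corrected escaper below doubles backslashes before touching quotes; `evaluateSink` and the single-quoted sink are assumptions standing in for the application's template.

```javascript
// Added example, not code from the Ethiack research or from Azure WAF. It
// contrasts a quote-only escaper with one that also escapes the backslash,
// using the payload quoted in the article.

// Defective escaper: the quote is handled, the backslash is not.
function escapeQuoteOnly(value) {
  return value.replace(/'/g, "\\'");
}

// Corrected escaper for a single-quoted JS string literal: backslashes first
// (otherwise the later replacements would be undone), then the quote, then
// line terminators and '<' so the literal cannot end the statement or the
// enclosing <script> element.
function escapeForSingleQuotedJs(value) {
  return value
    .replace(/\\/g, '\\\\')
    .replace(/'/g, "\\'")
    .replace(/\r/g, '\\r')
    .replace(/\n/g, '\\n')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029')
    .replace(/</g, '\\x3c');
}

// Single-quoted sink as in the article, parameterised by the escaper in use.
function render(value, escaper) {
  return `userInput = '${escaper(value)}';`;
}

// Runs the rendered statement with alert() replaced by a counter. The return
// statement sits on its own line so a trailing '//' in the payload cannot
// comment it out.
function evaluateSink(js) {
  let alertCalls = 0;
  const fakeAlert = () => { alertCalls += 1; };
  const body = `var userInput;\n${js}\nreturn userInput;`;
  const userInput = new Function('alert', body)(fakeAlert);
  return { alertCalls, userInput };
}

// The article's payload: test\';alert(1);//  (one backslash in the JS source
// below is an escape, so the string holds a single backslash).
const PAYLOAD = "test\\';alert(1);//";

function compare() {
  return {
    naive: { rendered: render(PAYLOAD, escapeQuoteOnly),
             result: evaluateSink(render(PAYLOAD, escapeQuoteOnly)) },
    correct: { rendered: render(PAYLOAD, escapeForSingleQuotedJs),
               result: evaluateSink(render(PAYLOAD, escapeForSingleQuotedJs)) },
  };
}

console.log(JSON.stringify(compare(), null, 2));
```

With the quote-only escaper the rendered statement is `userInput = 'test\\';alert(1);//';`: the string literal ends after `test\`, `alert(1)` runs as its own statement, and the `//` swallows the dangling quote. With backslashes escaped first the statement becomes `userInput = 'test\\\';alert(1);//';`, a single string literal whose decoded value is exactly the input. The same ordering mistake is the reason a string-level WAF rule and the browser's JavaScript parser can disagree about where a string ends.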


Most remarkably, the hackbot bypassed open-appsec’s machine learning-based WAF in just 30 seconds: it found a working payload and, when the original was blocked, adapted by switching alert() to confirm().

This demonstrates the system’s ability to evolve attack strategies in real-time.

The research identified that only three WAF solutions successfully blocked all manual test payloads:

Google Cloud Armor with ModSecurity rules, Azure WAF with Microsoft’s Default Rule Set 2.1, and all open-appsec configurations.

However, even these “secure” configurations were eventually bypassed by the AI system, highlighting the ongoing arms race between offensive and defensive cybersecurity technologies.

These findings underscore the critical need for organizations to implement defense-in-depth strategies rather than relying solely on WAF protections, as sophisticated attackers can exploit fundamental differences in how security systems and applications process user input.


The post Researchers Bypass WAFs to Deliver XSS Payloads Using Parameter Pollution appeared first on Cyber Security News.

rssfeeds-admin
