By leveraging ASP.NET’s query-string concatenation behavior alongside JavaScript’s comma operator, researchers distributed payload fragments across multiple parameters, concealing malicious operations from conventional WAF detection rules.
The core bypass hinges on how ASP.NET handles duplicate query parameters. When identical parameter names appear more than once, the framework merges values into a single entry separated by commas.
By splitting a payload across separate parameters, with one fragment that breaks out of a quoted context, one that inserts a function call, and one that resumes the original quoted format, the final merged value becomes a valid execution sequence.
When this merged value is placed in a client-side assignment, the comma operator evaluates each fragment in order, triggering the malicious call without ever matching traditional cross-site scripting signatures.
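The inspection gap described above, as an added defensive sketch (not code from the research or from any WAF vendor): it merges duplicate parameters the way the article says ASP.NET does, then reports parameters where a rule fires on the merged value but on none of the individual fragments. The function names, the toy rule, the sample query string and the case-insensitive name handling are all assumptions of this example.

```javascript
// Added example: the rule and the sample request below are constructed for illustration.

// Model of the merge the article describes: repeated names collapse into one
// comma-separated value. Lower-casing names is an assumption of this sketch.
function mergeDuplicates(query) {
  const merged = new Map();
  for (const [name, value] of new URLSearchParams(query)) {
    const key = name.toLowerCase();
    merged.set(key, merged.has(key) ? merged.get(key) + "," + value : value);
  }
  return merged;
}

// Values exactly as a per-parameter inspector sees them, one entry per occurrence.
function perParameter(query) {
  return [...new URLSearchParams(query)].map(([name, value]) => ({
    name: name.toLowerCase(),
    value,
  }));
}

// Toy rule (hypothetical): a quote closing a string, a comma, then a function call.
const quoteThenCall = (v) => /['"]\s*,\s*[A-Za-z_$][\w$]*\s*\(/.test(v);

// Report parameters where the merged view trips the rule but no single fragment does.
function inspectionGaps(query, rule) {
  const parts = perParameter(query);
  const gaps = [];
  for (const [name, value] of mergeDuplicates(query)) {
    const fragments = parts.filter((p) => p.name === name).map((p) => p.value);
    if (rule(value) && !fragments.some(rule)) {
      gaps.push({ name, fragments, merged: value });
    }
  }
  return gaps;
}

// Constructed sample; f() is a harmless placeholder call.
const sample = "q=a'&q=f()&q='b&page=2";
console.log(inspectionGaps(sample, quoteThenCall));
```

Running the same rule over both views in a test suite shows whether a gateway's per-parameter inspection disagrees with what the application will actually receive.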
Seventeen leading WAF solutions, spanning major cloud providers and security vendors, were assessed against four distinct payload variants.
Testing results exposed a widespread inability among traditional defenses to detect this technique.
Over 70 percent of configurations were bypassed by the most complex pollution payload, with only Google Cloud Armor under ModSecurity rules, Azure WAF using Microsoft’s default rule set 2.1, and all open-appsec tiers blocking three out of four attempts.
Conversely, three AWS-managed rule sets, along with rule sets from several other vendors, failed to block any tested vector.
To further explore the remaining resilient configurations, researchers deployed an autonomous hackbot designed to mutate and test payload variants in real time. This bot discovered previously unnoticed bypasses in both Azure WAF and open-appsec.
Notably, Google Cloud Armor remained undefeated throughout automated testing, highlighting the strength of its combined signature and anomaly-based defenses.
This research underscores a critical lesson: defensive gateways that do not fully emulate application-side parsing are intrinsically vulnerable to pollution-based attacks.
While machine-learning–driven defenses offer enhanced anomaly detection, they can be swiftly outmaneuvered by automated agents capable of generating novel payload variants.
These findings reinforce the principle that firewalls cannot substitute for secure development practices, and that automation complements manual testing by uncovering edge-case vulnerabilities that human analysts might overlook.
Continuous integration of robust input validation, context-aware encoding, and rigorous code reviews remains essential to closing the gap that parameter pollution techniques exploit.
The post Researchers Exploit Parameter Pollution to Evade Web Application Firewalls via JS Injection appeared first on Cyber Security News.