
WAF protections were bypassed to execute XSS payloads by splitting a JavaScript injection across polluted HTTP parameters.

Bruno Mendes conducted research revealing a method to bypass Web Application Firewall (WAF) protections through HTTP Parameter Pollution combined with JavaScript injection. The study examined 17 WAF configurations from major vendors, including AWS, Google Cloud, Azure, and Cloudflare, and exposed significant gaps in current web security infrastructure. The technique exploits parsing differences between WAF engines and web application frameworks, focusing in particular on ASP.NET's handling of duplicate parameters. By splitting an XSS payload across multiple HTTP parameters, an attacker can evade detection by traditional WAFs. The research found that only three of the 17 WAF configurations blocked these parameter pollution attacks, while an AI hackbot achieved a 100% bypass rate, identifying working exploits in seconds.

The technique leverages ASP.NET's specific behaviour when processing duplicate HTTP parameters. When ASP.NET encounters multiple parameters with the same name via its HttpUtility.ParseQueryString() method, it concatenates their values with commas. This behaviour creates an opportunity for bypasses when combined with JavaScript's comma operator. The researchers at Ethiack demonstrated how a seemingly benign query string such as /?q=1'&q=alert(1)&q='2 is processed by ASP.NET into the concatenated value 1',alert(1),'2. When that value is inserted into a JavaScript context it becomes valid JavaScript, so the injected alert(1) call executes. Traditional WAFs struggle to detect this technique because they typically analyse each parameter individually rather than modelling how the web framework parses and concatenates multiple values of the same name. The testing results revealed significant gaps in current WAF protection, with only the Google Cloud Armor, Azure WAF, and open-appsec configurations blocking all of the manually crafted payloads.
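The parsing differential described above can be reproduced on the defender's side. The following Python script is an added example and is not code from the article or from Ethiack's research: it parses the article's query string, models the comma-concatenation the article attributes to ASP.NET, and then runs a hypothetical breakout signature (BREAKOUT_RE, an assumption made here) over both the individual parameter values and the framework-normalized value, so the gap between the two inspection strategies is visible. The duplicate-name check at the end is one simple mitigation a WAF or application rule can apply.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Query string from the article: three 'q' parameters that each look harmless
# on their own.
EXAMPLE_URL = "/?q=1'&q=alert(1)&q='2"

# Hypothetical signature (an assumption for this example) for the JavaScript
# comma-operator breakout shape: a quote, a comma, then a call such as alert(1).
BREAKOUT_RE = re.compile(r"""['"]\s*,\s*[A-Za-z_$][\w$]*\s*\(""")


def raw_parameters(url):
    """Parse the query string into name -> list of values, keeping duplicates."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def aspnet_style_view(params):
    """Model the behaviour the article attributes to ASP.NET: duplicate names
    are concatenated with commas into a single string per parameter."""
    return {name: ",".join(values) for name, values in params.items()}


def inspect_per_parameter(params):
    """Naive WAF model: every parameter value is inspected in isolation.
    Returns (name, value) pairs that match the signature."""
    return [
        (name, value)
        for name, values in params.items()
        for value in values
        if BREAKOUT_RE.search(value)
    ]


def inspect_normalized(params):
    """Framework-aware model: inspect the value the application will actually
    see after concatenation. Returns (name, value) pairs that match."""
    return [
        (name, value)
        for name, value in aspnet_style_view(params).items()
        if BREAKOUT_RE.search(value)
    ]


def has_duplicate_parameters(params):
    """Mitigation check: flag any request that repeats a parameter name."""
    return any(len(values) > 1 for values in params.values())


if __name__ == "__main__":
    params = raw_parameters(EXAMPLE_URL)
    print("raw values:        ", params)
    print("framework view:    ", aspnet_style_view(params))
    print("per-parameter hits:", inspect_per_parameter(params))
    print("normalized hits:   ", inspect_normalized(params))
    print("duplicate names:   ", has_duplicate_parameters(params))
```

Run against the article's URL, the per-parameter inspection returns no hits while the normalized inspection flags the joined value, which is the detection gap the article describes. One caveat when applying this to real .NET code: the comma join happens when a value is read through the NameValueCollection string indexer, whereas GetValues() returns the separate entries, so which accessor the application uses determines which view the WAF should be modelling.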
