Redazione RHC : 9 September 2025 07:54
In a security test, Ethiack researchers found a way to bypass even the most stringent web application firewalls with an unusual technique: JavaScript injection via HTTP parameter pollution. The test subject was an ASP.NET application behind the strictest filtering rules. Every attempt to inject a standard XSS construct was blocked, but thanks to the way the framework merges duplicate parameters, the researchers were able to assemble a working payload that the firewall never detected.
The key to the bypass is that the ASP.NET HttpUtility.ParseQueryString() method (and the NameValueCollection behind Request.QueryString) joins the values of a repeated parameter with commas when the parameter is read by name.
A query string like q=1'&q=alert(1)&q='2 therefore yields the single value 1',alert(1),'2. Dropped into a single-quoted JavaScript literal, this becomes userInput = '1',alert(1),'2'; which is syntactically valid: the assignment takes '1' and the comma operator then evaluates alert(1). Malicious fragments can thus be spread across several parameters, none of which matches a traditional signature on its own. The behaviour is platform-specific: ASP.NET and classic ASP join the values, whereas others such as Go (url.Values) or Zope in Python keep duplicates as arrays, so the technique is not applicable everywhere.
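The following is an added example, not code from Ethiack or from the application they tested. It models the comma-joining behaviour in JavaScript, runs the joined value through a vulnerable and a hardened template with a stubbed alert(), and contrasts a constructed per-value signature (an illustration of how a proxy inspects each parameter in isolation, not any vendor's actual rule) with a check applied after joining. It also includes the concatenation payload reported later in the article and shows one caveat: the injection only works when the value lands in an assignment, because inside a var declaration the comma separates declarators and the same text is a syntax error. The query strings, the regex and the function names are all constructed for this demonstration.

```javascript
// Added example (not Ethiack's code): emulates ASP.NET's comma-joining of duplicate
// query parameters and shows why the joined value becomes valid JavaScript.
// Sample queries and the signature rule are constructed for illustration.

// Constructed sample requests (the "+" of the third one is sent as %2B so it
// survives form decoding, as an attacker would have to do).
const BASIC = "q=';alert(1)";
const POLLUTED = "q=1'&q=alert(1)&q='2";
const CONCAT = "q='%2Bnew%20Function('a'%2B'lert(1)')()%2B'";

// Decodes one application/x-www-form-urlencoded component.
function decodeComponent(s) {
  return decodeURIComponent(s.replace(/\+/g, " "));
}

// Splits a query string into [key, value] pairs, preserving order and duplicates.
function splitPairs(qs) {
  return qs.split("&").filter(Boolean).map((pair) => {
    const i = pair.indexOf("=");
    return i < 0
      ? [decodeComponent(pair), ""]
      : [decodeComponent(pair.slice(0, i)), decodeComponent(pair.slice(i + 1))];
  });
}

// Emulates HttpUtility.ParseQueryString()[key] / Request.QueryString[key]:
// values of a repeated key are joined with a comma.
function parseQueryAspNet(qs) {
  const out = {};
  for (const [k, v] of splitPairs(qs)) out[k] = k in out ? out[k] + "," + v : v;
  return out;
}

// Emulates array-keeping parsers such as Go's url.Values: nothing is joined,
// so the fragments never form a single statement.
function parseQueryArray(qs) {
  const out = {};
  for (const [k, v] of splitPairs(qs)) (out[k] = out[k] || []).push(v);
  return out;
}

// Constructed context-break signature: a quote, then ; or , then a function call.
// Real rule sets differ, but like this one a proxy sees each value on its own.
const CONTEXT_BREAK_CALL = /['"]\s*[;,]\s*[A-Za-z_$][\w$]*\s*\(/;

// What a signature WAF can do: test each parameter value separately.
function blockedPerValue(qs) {
  return splitPairs(qs).some(([, v]) => CONTEXT_BREAK_CALL.test(v));
}

// What would be needed: test the value as the framework reassembles it.
function blockedAfterJoin(qs) {
  return Object.values(parseQueryAspNet(qs)).some((v) => CONTEXT_BREAK_CALL.test(v));
}

// Vulnerable template: the value is dropped into a single-quoted JS literal.
function renderVulnerable(value) {
  return "userInput = '" + value + "';";
}

// Same mistake inside a var declaration: here the comma separates declarators,
// so the polluted value produces a SyntaxError instead of running alert().
function renderVulnerableVar(value) {
  return "var userInput = '" + value + "';";
}

// Hardened template: JSON.stringify yields a valid JS string literal; "<" and the
// Unicode line separators are escaped so the literal cannot break an inline <script>.
function jsStringLiteral(s) {
  return JSON.stringify(s)
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}
function renderHardened(value) {
  return "userInput = " + jsStringLiteral(value) + ";";
}

// Executes the rendered snippet with a stubbed global alert() and reports
// whether it fired, what userInput ended up holding, and whether it even parsed.
function runSnippet(js) {
  const alerts = [];
  const saved = globalThis.alert;
  globalThis.alert = (x) => { alerts.push(x); };
  try {
    const userInput = new Function("var userInput; " + js + " return userInput;")();
    return { alerts, userInput, syntaxError: false };
  } catch (e) {
    if (e instanceof SyntaxError) return { alerts, userInput: undefined, syntaxError: true };
    throw e;
  } finally {
    if (saved === undefined) delete globalThis.alert; else globalThis.alert = saved;
  }
}

// Stand-alone demo: compare detection and execution for each sample request.
function demo() {
  return [BASIC, POLLUTED, CONCAT].map((qs) => ({
    qs,
    joined: parseQueryAspNet(qs).q,
    blockedPerValue: blockedPerValue(qs),
    blockedAfterJoin: blockedAfterJoin(qs),
    vulnerable: runSnippet(renderVulnerable(parseQueryAspNet(qs).q)),
    hardened: runSnippet(renderHardened(parseQueryAspNet(qs).q)),
  }));
}
console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the basic request caught by the per-value rule, the polluted request passing it while its joined value fails the same rule, alert() firing from the vulnerable template for both the polluted and the concatenation payload, and the hardened template leaving the attacker's text as an inert string.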
To gauge how robust the approach is, seventeen WAF configurations from different vendors were tested, including AWS WAF, Google Cloud Armor, Azure WAF, open-appsec, Cloudflare, Akamai, F5, FortiWeb and NGINX App Protect.
Four payload types were used, from a simple injection like q=';alert(1) to more complex variants with delimiters and heuristic bypasses. Only Google Cloud Armor with ModSecurity, Azure WAF Default Rule Set 2.1 and all open-appsec sensitivity levels blocked every variant, while AWS WAF, F5 and the Cyber Security Cloud solution failed in every scenario. The overall bypass rate rose from 17.6% for the basic injection request to 70.6% for advanced parameter pollution.
The autonomous hackbot the researchers used then found bypasses even for the solutions that had survived manual testing. Against Azure WAF it exploited inconsistent handling of escape characters with the sequence test';alert(1);//. Against open-appsec it found a working variant within half a minute even for the "critical" profile, swapping alert for confirm and moving to constructions such as q='+new Function('a'+'lert(1)')()+', which hide the function name behind string concatenation. Google Cloud Armor could not be bypassed, but the analysis showed that the server-side logic is case-sensitive, which could become a weakness in the future.
The researchers' findings highlight the systemic limitations of signature-based and even heuristic WAFs. Comprehensive detection of distributed, multi-parameter attacks would require knowing how the specific framework reassembles its parameters and analysing the result in its JavaScript context, which is difficult to do at the proxy level.
Adding machine learning does not guarantee lasting protection either, since adaptive bots quickly learn which patterns get through.
Ultimately, the researchers remind us that a firewall cannot be the only barrier: input validation, context-aware output encoding and sound development practices are all necessary. The combination of human creativity and automated tools shows how quickly even non-standard vulnerabilities can be exposed, and why continuous testing remains essential.