12 December 2022

Researchers found a way to bypass popular WAFs


Researchers with cybersecurity firm Claroty said they discovered a new method for bypassing web application firewalls (WAFs) from various vendors, including Palo Alto Networks, Amazon Web Services, Cloudflare, F5, and Imperva.

Web application firewalls (WAFs) are designed to safeguard web-based applications and APIs from malicious external HTTP(S) traffic, most notably cross-site scripting and SQL injection attacks.

According to the researchers, the new technique involves appending JSON syntax to SQL injection payloads that a WAF is unable to parse. JSON is a standard file and data exchange format, and is commonly used when data is sent from a server to a web application.

It was discovered that major WAF vendors did not implement JSON support in their products. While most WAFs will easily detect SQLi attacks, prepending JSON to SQL syntax allows attackers to circumvent these protections.

“Attackers using this technique would be able to bypass the WAF’s protection and use additional vulnerabilities to exfiltrate data via either direct access to the server or over the cloud,” the researchers explained. “This is especially important for OT and IoT platforms that have moved to cloud-based management and monitoring systems. WAFs offer a promise of additional security from the cloud; an attacker able to bypass these protections has expansive access to systems.”

Claroty informed all affected vendors of their findings, and all of the companies have released updates that add support for JSON syntax to their products’ SQL inspection processes.
