Break the Wall from Bottom: Automated Discovery of Protocol-Level Evasion Vulnerabilities in Web Application Firewalls
Qi Wang, Jianjun Chen, Zheyu Jiang, Run Guo, Ximeng Liu, Chao Zhang
IEEE Symposium on Security and Privacy 2024 · Day 1 · Continental Ballroom 4
This talk, presented by Qi Wang at IEEE S&P, delves into a critical and persistent challenge in web security: the evasion of **Web Application Firewalls (WAFs)** through **protocol-level vulnerabilities**. WAFs are a cornerstone of modern web application protection, acting as a crucial defense layer against various online threats, from SQL injection to Cross-Site Scripting (XSS). However, their effectiveness hinges on their ability to accurately parse and interpret HTTP requests, a task that often proves more complex than anticipated due to the inherent ambiguities and evolving standards of the HTTP protocol.
AI review
WAF-Menace presents a critical advancement in automated discovery of protocol-level WAF evasion. By systematically fuzzing HTTP parsing discrepancies between WAFs and web frameworks, this research uncovered thousands of bypasses across major products. The work offers actionable insights for both WAF vendors and application developers to harden their defenses.
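The parsing-discrepancy idea at the heart of the work, as an added illustration that is not the paper's harness or any vendor's code: two constructed, deliberately simplified query-string parsers (one standing in for an inspection layer, one for an application framework) are run over the same request, and any key on which they disagree is flagged. A defender can run the same kind of differential check against the real parsers in their stack to find where the inspection layer must be aligned with the framework.

```python
import re
from urllib.parse import unquote_plus

# Constructed, simplified models of two HTTP query-string parsers that can
# disagree. Hypothetical code for illustration only: neither function is the
# paper's harness nor any real WAF's or framework's parsing logic.

def inspection_view(query: str) -> dict:
    """Naive 'first value wins' parser standing in for an inspection layer:
    splits only on '&' and keeps the first value seen for each key."""
    seen = {}
    for pair in query.split("&"):
        if "=" not in pair:
            continue
        key, value = pair.split("=", 1)
        seen.setdefault(unquote_plus(key), unquote_plus(value))
    return seen

def application_view(query: str) -> dict:
    """Framework-style parser: also accepts ';' as a pair separator and lets
    the last value for a key win."""
    result = {}
    for pair in re.split(r"[&;]", query):
        if "=" not in pair:
            continue
        key, value = pair.split("=", 1)
        result[unquote_plus(key)] = unquote_plus(value)
    return result

def find_discrepancies(query: str) -> list:
    """Return the keys on which the two views of one request differ. A
    non-empty result means the inspection layer judged a different request
    than the one the application will actually act on."""
    a, b = inspection_view(query), application_view(query)
    return sorted(k for k in set(a) | set(b) if a.get(k) != b.get(k))

def audit(corpus) -> list:
    """Run the differential check over a corpus; returns (query, keys) pairs
    for every query on which the parsers disagree."""
    hits = []
    for query in corpus:
        keys = find_discrepancies(query)
        if keys:
            hits.append((query, keys))
    return hits

# Constructed sample inputs, not taken from the paper.
SAMPLE_QUERIES = ["user=bob", "id=1&id=2", "id=1;id=2", "q=%2541"]

if __name__ == "__main__":
    for query, keys in audit(SAMPLE_QUERIES):
        print(f"parsers disagree on {keys!r} for {query!r}")
```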