WAFFLED: Leveraging Parsing Discrepancies to Bypass Web Application Firewalls

The widespread adoption of web applications has made them prime targets for cyber attacks. To safeguard these applications, Web Application Firewalls (WAFs) have been introduced as essential and popular security gates. WAFs inspect incoming HTTP traffic to filter out malicious requests, and provide defenses against a diverse array of web-based threats, ranging from SQL injection to Cross-Site Scripting attacks, and beyond. In this work, we present an innovative approach to bypassing WAFs by exploiting parsing discrepancies through automated mutations of HTTP requests. By targeting non-malicious components such as headers and segments of the body, we identified 1207 bypasses across well-known WAFs, leveraging features of widely used content-types such as application/json, multipart/form-data, and application/xml in HTTP/1.1. Our methodology employs advanced fuzzing techniques to uncover these parsing discrepancies, exposing vulnerabilities that evade detection by commercial and open-source WAF solutions, including Cloud Armor, Cloudflare, Azure WAF, and ModSecurity. To validate our findings, we conducted a study on a large set of high-rank websites to evaluate the interchangeability of these content-types in real-world applications. Our analysis revealed that more than 90% of websites accepted both application/x-www-form-urlencoded and multipart/form-data interchangeably, highlighting a significant vulnerability and the broad applicability of our bypass techniques. To mitigate these vulnerabilities, we introduce HTTP Normalizer, a robust proxy tool designed to rigorously validate HTTP requests against current RFC standards. Our results demonstrate its effectiveness in normalizing or blocking all bypass attempts presented in this study.
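As an added example (not code from the paper or its HTTP Normalizer tool), the following sketch shows the kind of strict, RFC-literal check such a normalizing proxy performs on the front of a request: it parses the Content-Type value against the RFC 7231 media-type grammar and checks multipart/form-data framing against RFC 2046, rejecting any request that a lenient parser might interpret differently (duplicate parameters, off-grammar values, preambles, padded delimiter lines, data after the close-delimiter). Function names, error messages and the sample bodies are constructed for this illustration.

```python
import re

# Grammar from RFC 7230 (token, quoted-string), RFC 7231 (media-type) and RFC 2046 (boundary).
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
TOKEN = rf"{TCHAR}+"
QUOTED = r'"(?:[\t !#-\[\]-~\x80-\xff]|\\[\t -~\x80-\xff])*"'
CT_RE = re.compile(rf"({TOKEN})/({TOKEN})((?:[ \t]*;[ \t]*{TOKEN}=(?:{TOKEN}|{QUOTED}))*)")
PARAM_RE = re.compile(rf";[ \t]*({TOKEN})=({TOKEN}|{QUOTED})")
BOUNDARY_RE = re.compile(r"[0-9A-Za-z'()+_,\-./:=? ]{0,69}[0-9A-Za-z'()+_,\-./:=?]")

def parse_content_type(value: str):
    """Parse a Content-Type value strictly; anything off-grammar raises ValueError."""
    m = CT_RE.fullmatch(value)
    if not m:
        raise ValueError("Content-Type is not a valid RFC 7231 media-type")
    params = {}
    for pm in PARAM_RE.finditer(m.group(3)):
        name, raw = pm.group(1).lower(), pm.group(2)
        if name in params:  # duplicates are ambiguous: parsers disagree on which copy wins
            raise ValueError(f"duplicate parameter {name!r}")
        params[name] = re.sub(r"\\(.)", r"\1", raw[1:-1]) if raw.startswith('"') else raw
    return f"{m.group(1)}/{m.group(2)}".lower(), params

def validate_multipart(boundary: str, body: bytes) -> int:
    """Check multipart/form-data framing against RFC 2046/7578 and return the part count."""
    if not BOUNDARY_RE.fullmatch(boundary):
        raise ValueError("boundary must be 1-70 RFC 2046 bchars and not end in a space")
    delim = b"--" + boundary.encode("ascii")
    close = b"\r\n" + delim + b"--"
    end = body.find(close)
    if not body.startswith(delim + b"\r\n") or end < 0 or body[end + len(close):] not in (b"", b"\r\n"):
        raise ValueError("body must be: first delimiter, parts, one close-delimiter, nothing else")
    parts = body[len(delim):end].split(b"\r\n" + delim)
    for piece in parts:  # a delimiter must be followed directly by CRLF: no padding, no extra characters
        if not piece.startswith(b"\r\n"):
            raise ValueError("ambiguous delimiter line or empty part list")
        head, sep, _data = piece[2:].partition(b"\r\n\r\n")
        names = [ln.split(b":", 1)[0].strip().lower() for ln in head.split(b"\r\n")]
        if not sep or names.count(b"content-disposition") != 1:
            raise ValueError("each part needs a header block with exactly one Content-Disposition")
    return len(parts)

def inspect_request(content_type: str, body: bytes) -> dict:
    """Normalizer decision: accept only when the declared type and the body agree, else ValueError."""
    media, params = parse_content_type(content_type)
    parts = validate_multipart(params.get("boundary", ""), body) if media == "multipart/form-data" else 0
    return {"media": media, "params": params, "parts": parts}
```

A deployed normalizer would apply the same strictness to the other content-types the paper names (application/json, application/xml, application/x-www-form-urlencoded) before forwarding the request to the WAF and the backend.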