Cloudflare is one of the top web security companies out there, with a sizeable clientele that requires it to take its security practices very seriously, which it does. Even so, there are times when vulnerabilities are found by external researchers and brought to its notice.
One such case surfaced recently when cybersecurity researcher George Skouroupathis uncovered a flaw in the SQL injection protection of its Web Application Firewall (WAF).
The experimenting started when George was working on a client’s site that used MySQL as its database. As part of that work, he tested for SQL injection by making requests to a specific web page, and discovered an interesting behaviour that became the building block of his vulnerability discovery.
When he made a query selecting a particular value from a database entity under a certain condition, the server returned a 200 OK status if the condition was met. If it was not, the server returned a 500 Internal Server Error. The server's response code therefore leaked one bit of information per request. The researcher states in his blog post that:
This gave me an idea: writing a script that compared a character picked from the name of the required DBMS entity and sequentially compared it with all characters. The idea was, if the two characters matched, the server would return a 200 OK status, else it would return a 500 Internal Server Error status and I would have to compare the requested character with the next character in my list.
From there, three different injection attempts were made to find a working exploit, the last of which finally succeeded, allowing the researcher to execute a SQL injection attack that the WAF did not stop.
As a consequence, the content of the application’s database could be accessed this way by an attacker, placing user data at risk. Moreover, the researcher even managed to write a Python script that automated the entire attack.
The flaw was subsequently reported to Cloudflare, which fixed it within a few days. Although no monetary reward was given, George did receive a t-shirt and, reportedly, his name in the security provider’s Hall of Fame.
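A defender-side counterpart to the probing behaviour described above, added here as an example and not code from the researcher's post or from Cloudflare: it scans constructed access-log lines for a client whose SQL-looking requests to one path draw a mix of 200 and 500 responses, which is the signature of the boolean oracle the researcher relied on. The log format, the marker regex and the `min_probes` threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access log (combined-log style), not taken from the
# researcher's post: one client repeatedly probes /item?id= with SQL-looking
# values and gets alternating 200/500 answers; the last two lines are benign.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /item?id=5%27+AND+1%3D1-- HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /item?id=5%27+AND+1%3D2-- HTTP/1.1" 500 0
198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /item?id=5%27+AND+%28SELECT+1%29%3D1-- HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "GET /item?id=5%27+AND+%28SELECT+1%29%3D2-- HTTP/1.1" 500 0
198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /item?id=5%27+OR+1%3D1-- HTTP/1.1" 200 512
203.0.113.9 - - [01/Jan/2024:10:00:06 +0000] "GET /item?id=5 HTTP/1.1" 200 512
203.0.113.9 - - [01/Jan/2024:10:00:07 +0000] "GET /item?id=O%27Brien HTTP/1.1" 200 498
"""

# ip, method, url, status from a combined-log line (assumed format).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')
# Coarse markers of SQL syntax in a decoded query string (assumed; tune per app).
# A lone apostrophe (O'Brien) is deliberately not enough on its own.
SQLI_MARKERS = re.compile(r"(?i)'\s*(and|or)\b|\bunion\b|\bselect\b|--")


def parse_line(line):
    """Return (ip, path, decoded_query, status) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _method, url, status = m.groups()
    parts = urlsplit(url)
    return ip, parts.path, unquote_plus(parts.query), int(status)


def find_blind_sqli_probes(log_text, min_probes=3):
    """Map (ip, path) -> counts for clients whose SQL-looking requests to one
    path received both 200 and 5xx answers: a usable true/false oracle."""
    stats = defaultdict(lambda: {"probes": 0, "ok": 0, "error": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, query, status = rec
        if not SQLI_MARKERS.search(query):
            continue  # ordinary request, not counted as a probe
        s = stats[(ip, path)]
        s["probes"] += 1
        if status == 200:
            s["ok"] += 1
        elif status >= 500:
            s["error"] += 1
    # Only flag when the oracle actually answers both ways often enough.
    return {k: v for k, v in stats.items()
            if v["probes"] >= min_probes and v["ok"] and v["error"]}
```

Because each individual request in such a sequence may look harmless to a signature-based WAF, correlating status codes per client and path is what exposes the pattern.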
To conclude, there are many ways in which SQL injection can be carried out, and a WAF may not catch all of them. It is important that defenders thoroughly evaluate their web applications to make sure they are not vulnerable, rather than relying on the WAF alone.
As a parting note, we leave you with a few words of advice from the researcher himself:
It is my opinion that if developers take good care to apply security measures on their applications, WAFs are most of the time unnecessary. All you need to do is sanitize the users’ input properly.