A new study by Ethiack has revealed that 94% of web application firewalls can be breached, exposing a major cybersecurity blind spot for organisations worldwide.
Repeating the same parameter in a link or form (a technique known as parameter pollution) allowed Ethiack researchers to inject malicious JavaScript into users’ browsers in the majority of test cases.
Although the Ethiack study was conducted under tightly controlled test conditions, it uncovered multiple vulnerabilities that cybercriminals could exploit to steal sensitive information, even from companies with properly configured WAFs.
More information on Ethiack’s recently launched study
According to the official press release, the study’s key findings include details on how ethical hackers successfully bypassed WAFs in 70.6% of cases using Ethiack’s parameter pollution methodology, while only three out of 12 WAFs consistently blocked all three manually designed attack scenarios. In addition, Ethiack’s AI-powered hackbot identified further bypasses, pushing the researchers’ overall penetration rate up to 94% across the 17 configurations tested.
The research combined manual testing with Ethiack’s ‘hackbot’, an AI-driven offensive security agent, to explore scenarios that evade even well-tuned WAFs. Without parameter pollution, the bypass success rate was just 17.6%; when Ethiack’s parameter pollution methodology was applied it jumped to 70.6%, and it reached 94% once Ethiack’s hackbot explored additional variations.
The findings of the new study confirm that even properly configured WAFs are not foolproof. Small variations in requests can slip past filters, so security validation must not be a one-off exercise: continuous offensive testing of an organisation’s digital assets is essential.
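As an added, defender-side illustration that is not part of Ethiack’s study or tooling: the check below flags repeated query or form parameters (the root of parameter pollution) and shows how a ‘first wins’ parser and a ‘last wins’ parser disagree on the same request, which is why a filter and the application behind it can end up inspecting different values. The URL and body it runs on are constructed sample input.

```python
from urllib.parse import parse_qsl, urlsplit


def find_duplicate_params(query: str) -> dict[str, list[str]]:
    """Map each parameter name that occurs more than once to all of its values.

    parse_qsl percent-decodes names, so 'q=a&%71=b' counts as two 'q' entries:
    a small encoding variation of the kind the study describes.
    """
    seen: dict[str, list[str]] = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        seen.setdefault(name, []).append(value)
    return {name: values for name, values in seen.items() if len(values) > 1}


def first_and_last_wins(query: str) -> tuple[dict[str, str], dict[str, str]]:
    """Resolve a query the two ways real parsers commonly do.

    If a filter reads the first occurrence but the application consumes the
    last (or vice versa), the two components disagree on what was sent.
    """
    first: dict[str, str] = {}
    last: dict[str, str] = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        first.setdefault(name, value)
        last[name] = value
    return first, last


def check_request(url: str, body: str = "", content_type: str = "") -> list[str]:
    """Return findings for repeated keys in the query string and, for
    urlencoded bodies, the form body. An empty list means no pollution seen."""
    form = body if content_type.startswith("application/x-www-form-urlencoded") else ""
    findings: list[str] = []
    for where, data in (("query", urlsplit(url).query), ("body", form)):
        for name, values in find_duplicate_params(data).items():
            findings.append(f"{where}: parameter '{name}' repeated {len(values)} times")
    return findings


if __name__ == "__main__":
    # Constructed sample request; the hostname and values are made up.
    url = "https://app.example/search?q=shoes&%71=OTHER&page=1"
    print(check_request(url))
    print(first_and_last_wins(urlsplit(url).query))
```

Rejecting or logging requests that produce findings, at the edge or in the application, removes the ambiguity rather than relying on every component to pick the same occurrence.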