Researching On WAF Automatic Bypassing In Cloud Environments

Posted on: 2024-06-20
Degree: Master
Type: Thesis
Country: China
Candidate: Z Q Qu
GTID: 2558307040986679
Subject: Electronic Information, Computer Technology (Professional Degree)
Abstract/Summary:
Web Application Firewalls (WAFs) are widely employed to protect web applications such as websites from attacks like SQL injection (SQLi) and cross-site scripting (XSS). Generally, attackers may manually mutate the malicious request, namely the payload, so that a payload that has been blocked bypasses the WAF. There are many common mutation patterns, such as changing the case or changing the encoding method. Unfortunately, there is no universal mutation pattern, and attackers need to rediscover effective mutations for each payload against different WAFs, which is laborious and time-consuming. Although the process of attacking a WAF, that is, finding an effective mutation method, can be semi-automated with scripts provided by tools such as SQLMap, these scripts cannot intelligently generate semantically equivalent mutations of the payload; in other words, the mutated payload may become invalid. Therefore, the top priority is to find a way to automatically bypass these WAF-as-a-service products while maintaining the original functionality and maliciousness of the payload. In addition, the attack efficiency under black-box settings still cannot be improved.

To deal with the obstacles in automatically bypassing WAFs, this paper employs semantic-based methods to analyze and transform the attack payload and optimizes the black-box attack process based on heuristic methods. In particular, this paper first represents the original SQLi payload as a hierarchical tree in order to perform fine-grained and customized processing for each node. Further, on the basis of the hierarchical tree, this paper employs a weighted mutation strategy based on a context-free grammar to generate a set of equivalent SQLi payloads, which keep the same functionality and maliciousness as the original one. Finally, this paper exploits Monte-Carlo tree search as a novel approach to efficiently guide the exploration of adversarial SQLi payloads in the vast search space.

To verify the attack effectiveness of the proposed method, this paper conducts attack experiments on a SQL injection detection model based on machine learning. The results show that this paper achieves a maximum attack success rate of 100% with fewer queries. In addition, this paper conducts attack experiments on mainstream commercial and open-source WAF products to verify the method's effectiveness in the real world. The results prove that the WAF products mentioned above have serious security vulnerabilities, such as non-robust detection rules and deficiencies in JSON parameter parsing. As responsible researchers, we disclosed the vulnerabilities to the security vendors and proposed various potential defense methods to mitigate the proposed attack methods.
Keywords/Search Tags: WAF Bypassing, SQL Injection, Black-box Attack, Web Security