This is a small write-up on how I found a WAF bypass.
I was doing a bug bounty on my favorite company, and was testing some API calls for IDORs / robustness. After some time I found a route called: /api/images/v5/cheered/bulk?id=playerIdHere
I tried playing around with the parameter, trying some values; my goal was maybe to get it to crash (kinda unethical, but whatever). Then I got a problem: I was hitting a 403 due to an illegal character/input, a good and a bad sign.
I was testing multiple characters and reading the responses/error messages to try to understand what is allowed and what is not. I then noticed that the “+” sign gets removed, and was thinking “hmm, that gets processed”, maybe by the parser?
I then thought to myself: if this gets processed, I can maybe get the parser, or whatever is processing the input, to fail.
After a bit of testing I found the char ‘#’ to be causing a 400 error, but now I was stuck; I did not know how I should continue, but I knew this was a good sign.
Why? Because an input that is not of type Int64 would normally trigger an error that said that only Int64 input is allowed. Makes sense because of the ID parameters.
I then noticed that it was possible to search for multiple IDs by adding another id parameter. I tried to run it with both the poisoned parameter and the friendly parameter: /api/images/v5/cheered/bulk?id=#&id=XXX
And it worked, I got the data from the 2nd ID. Now I ran the request again, but this time with an input in the 2nd parameter that would normally get blocked by the WAF, “<script></script>”:
/api/images/v5/cheered/bulk?id=#&id=<script></script>
SUCCESS! The request came through.
Impact
WAFs are meant to protect the web application from malicious input; a failing WAF makes it much easier for a threat actor to deliver attacks like RCE, XSS, or SQLi. A failing WAF can also have legal and reputational consequences for the companies affected.
Why does this work?
This works because of improper input validation/filtering by the WAF and the way parameters are processed by the backend. The WAF fails to handle the first, invalid id parameter and so never inspects the parameters after it, while the backend still processes them, allowing the other parameters to pass through unchecked.
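To make the "WAF and backend see different parameters" idea concrete, here is an added example in Python; it is not code from the original post and the mechanism it models is an assumption, since the post does not say how the WAF parsed the poisoned request. The naive inspector is modelled with a generic URL parser (urllib.parse.urlsplit), which treats a raw '#' as the start of a URL fragment and therefore never sees the second id. The backend is modelled as splitting the raw request target on the first '?' and keeping every repeated id. The hardened inspector parses the query exactly as the backend does, checks every value, enforces the Int64 type the post mentions, and fails closed on anything it cannot parse. The URLs and the tiny signature list are constructed from the write-up.

```python
"""Model of a WAF/backend parameter-parsing discrepancy (added example).

Assumption: the naive WAF parses the request target as a URL, so a raw '#'
ends the query string; the backend reads every name=value pair after '?'.
"""
from urllib.parse import parse_qsl, urlsplit

# Constructed sample request targets, modelled on the URLs in the write-up.
BENIGN = "/api/images/v5/cheered/bulk?id=12345"
XSS_ONLY = "/api/images/v5/cheered/bulk?id=<script></script>"
POISONED = "/api/images/v5/cheered/bulk?id=#&id=<script></script>"

# Crude signature list standing in for a WAF rule set (constructed).
BAD_TOKENS = ("<script", "javascript:", "' or ", "union select")


def backend_params(target: str) -> list[tuple[str, str]]:
    """Backend view: everything after the first '?' is the query string,
    and repeated names are all kept (how frameworks build id=[...] lists)."""
    _, _, query = target.partition("?")
    return parse_qsl(query, keep_blank_values=True)


def naive_waf_params(target: str) -> list[tuple[str, str]]:
    """Naive WAF view: a generic URL parser, which stops the query at '#'."""
    parts = urlsplit(target)
    return parse_qsl(parts.query, keep_blank_values=True)


def contains_signature(value: str) -> bool:
    return any(tok in value.lower() for tok in BAD_TOKENS)


def naive_waf_decision(target: str) -> str:
    """Block only if a value the naive parser can see matches a signature."""
    seen = naive_waf_params(target)
    return "block" if any(contains_signature(v) for _, v in seen) else "allow"


def hardened_waf_decision(target: str, int_params=("id",)) -> str:
    """Parse exactly as the backend does, inspect every value, fail closed:
    typed parameters must parse as signed 64-bit integers, otherwise block."""
    params = backend_params(target)
    if not params and "?" in target:
        return "block"  # query present but unparseable: fail closed
    for name, value in params:
        if contains_signature(value):
            return "block"
        if name in int_params:
            try:
                n = int(value)
            except ValueError:
                return "block"
            if not -(2**63) <= n < 2**63:
                return "block"
    return "allow"


def coverage_gap(target: str) -> list[tuple[str, str]]:
    """Values the backend will process that the naive WAF never inspected.
    A non-empty result is the bypass condition described in the write-up."""
    seen = set(naive_waf_params(target))
    return [p for p in backend_params(target) if p not in seen]


if __name__ == "__main__":
    for t in (BENIGN, XSS_ONLY, POISONED):
        print(t)
        print("  naive:   ", naive_waf_decision(t))
        print("  hardened:", hardened_waf_decision(t))
        print("  uninspected by naive WAF:", coverage_gap(t))
```

The defensive takeaway is the coverage_gap check: whatever parser the WAF uses, the set of parameters it inspects must equal the set the backend will act on. Comparing the two views on a sample of real traffic is a cheap way to find this class of bypass before a tester does.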
It is hard for me to explain my thoughts in words, so I hope you are not too unsatisfied with this explanation.
What I learned from this is that it is always worth taking your time to read the error messages, analyse the behaviour of the application and always question everything that happens. If I had just given up after the countless error messages and stopped digging deeper, I would have never found this bug.
Thanks for reading, if you have any questions feel free to ask.
Regards,
Denis K