Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

AWS WAF Bypass: invalid JSON object and unicode escape sequences

Andrea Menin, posted 1 year ago
  • AWS WAF only supports plain text and JSON body inspection by default. When it finds invalid JSON (such as an object with a duplicate key), the default option is to continue evaluating the body as JSON anyway; the other option is to evaluate it as plain text.
  • The JSON evaluation happens before the string matching. So, by sending a JSON object with a duplicate key (which AWS treats as invalid), arbitrary text can be added to the body in a way the WAF's string-matching rules no longer see, bypassing the WAF.
  • Another issue they found concerned escape sequences. The WAF did not decode JSON escape sequences, but most application servers do. If input validation depends on a particular key in the JSON, writing that key's name with escape sequences gets past the WAF's check while the server still decodes it to the real key.
  • Trying to make the perfect WAF is a losing battle. I do enjoy parser differential vulnerabilities, so I did enjoy this article though!
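To make the two parser differentials concrete from the defender's side, here is an added example (my own code, not from the article or from AWS): a hypothetical rule that forbids a body field named "admin", a naive regex check over the raw body as a non-decoding inspector would do it, and a stricter check that parses first, rejects duplicate keys, and matches on decoded key names. The request bodies are constructed samples.

```python
import json
import re

# Constructed sample bodies (not taken from the article).
DUPLICATE_KEY_BODY = '{"role": "user", "role": "admin"}'   # invalid per RFC 8259 "SHOULD be unique"
ESCAPED_KEY_BODY = '{"\\u0061dmin": true}'                 # raw text reads {"\u0061dmin": true}
BENIGN_BODY = '{"role": "user"}'

# Hypothetical rule: a request body must not set a field literally named "admin".
BLOCKED_KEY = "admin"


def naive_match(raw_body: str) -> bool:
    """Regex over the raw text, i.e. matching without decoding JSON escapes."""
    return re.search(r'"admin"\s*:', raw_body) is not None


def lenient_last_wins(raw_body: str, key: str):
    """What a typical application server does: accept duplicates, last value wins."""
    return json.loads(raw_body)[key]


def _reject_duplicates(pairs):
    """object_pairs_hook that refuses duplicate keys instead of silently keeping the last."""
    seen = {}
    for key, value in pairs:
        if key in seen:
            raise ValueError(f"duplicate key: {key!r}")
        seen[key] = value
    return seen


def strict_inspect(raw_body: str) -> str:
    """Parse first, then match on decoded key names.

    Returns 'reject-invalid' for bodies that do not parse as strict JSON
    (including duplicate keys), 'block' if the decoded object contains the
    forbidden key, and 'allow' otherwise. json.JSONDecodeError is a ValueError,
    so one except clause covers both malformed JSON and our duplicate-key hook.
    """
    try:
        obj = json.loads(raw_body, object_pairs_hook=_reject_duplicates)
    except ValueError:
        return "reject-invalid"
    if isinstance(obj, dict) and BLOCKED_KEY in obj:
        return "block"
    return "allow"
```

The naive matcher misses the escaped key name entirely, while the server-side parse of the duplicate-key body quietly yields the last value; matching on the decoded object and refusing invalid JSON closes both gaps.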