A widely used security tool owned by web hosting provider GoDaddy, designed to prevent websites from being hacked, was easily bypassed, putting websites at risk of data theft.
The company's website application firewall (WAF), provided by Sucuri and acquired by GoDaddy earlier this year, protects websites against a range of attacks by adding an extra layer of security to a website to protect against cross-site scripting and SQL injection techniques.
But a security researcher told ZDNet that the firewall would let through some commands, allowing him to gain access to vulnerable databases behind the scenes. That, he said, put sites at risk of data theft.
Touseef Gul was able to bypass the firewall with a relatively simple SQL injection string, which he showed to ZDNet but we're not publishing. SQL injection attacks can be launched from the web browser's address bar. If the attack is successful it will display a list of database tables on the website itself. Where he was expecting to receive an "access denied" message, the firewall let the command through and returned a list of tables from the target website's database. He was also able to obtain the database's admin account and MD5 hashed password, which nowadays is easily crackable.
What surprised the researcher, he said, was how easy the firewall was to bypass.
He gave an example of part of the code he used. He said that while the firewall would block a common command used in SQL injections, such as "UNION SELECT," a modified, encoded version of the same command -- such as "UNION SELE%63T" (where %63 is an encoded "C") -- was not blocked by the filter.
For its part, GoDaddy said it patched the bug within a day of the security researcher's private disclosure to the company.
"In reviewing this situation, it appears someone was able to find a vulnerable website and manipulate their requests to temporarily bypass our WAF," said Daniel Cid, GoDaddy's vice-president of engineering.
"Within less than a day, our systems were able to pick up this attempt and put a stop to it," he said.
Cid said the company is "not aware of other customers" impacted by the bypass, but wouldn't say how many websites were at risk of the bypass technique.
Lesley Carhart, a digital forensics and incident response specialist, explained that web application firewalls mimic the behavior of antivirus products rather than a traditional firewall.
"In a lot of ways web attacks are way harder to firewall than traffic in and out of a network," said Carhart. "You can deny almost everything at a network firewall or host firewall."
"Web traffic filtering relies more on blacklisting bad stuff using signatures than whitelisting slews of unneeded ports and protocols like traditional firewalls," she added.
Web application firewalls block attacks on sites running web applications that are already vulnerable to attacks, like out-of-date content management systems, like WordPress or Joomla, she explained.
"In principle, it's a great move to add another layer of defense to sites, but it should never be mistaken for or implied to be a replacement for secure coding," she said.