A researcher has disclosed a technique that bypassed an Akamai web application firewall (WAF) protecting a Spring Boot application, potentially leading to remote code execution (RCE).
Akamai’s WAF, which was patched several months ago, is designed to mitigate the risk of Distributed Denial-of-Service (DDoS) attacks and uses adaptive technologies to block known web security threats.
Security researcher Peter H, who also goes by the pseudonym ‘pmnh’, said the attack used Spring Expression Language (SpEL) injection.
The bug bounty hunter found the bypass with the assistance of Synack pentester Usman Mansha during an engagement with a private Bugcrowd program.
Server-side template injection
A server-side template injection (SSTI) is at the core of the bypass, a technical write-up by Peter H reveals. Vulnerable versions of Spring Boot evaluate SpEL expressions embedded in the error messages rendered on their whitelabel error pages, they explained. When a vulnerable framework is used, the injected expression is evaluated server-side, opening a potential pathway for abuse.
Akamai’s WAF blocked the SSTI during testing. However, the team persisted in looking for ways of utilizing SpEL to invoke an operating system command – likely via Java.
The most obvious route was to find a way to the java.lang.Runtime class, starting with SpEL reference ${T(java.lang.Runtime)}, but this was blocked by Akamai’s software.
“I suspected this would not work, but when trying to work around a WAF it’s really important to build up from small things that you know work, to larger and more complex payloads,” the researcher said.
The next stage was finding a reference to an arbitrary class, which Peter H said would allow “direct method invocation or reflection-based invocation to get at the method we want”.
Peter H and Mansha used a reflection method to obtain access to Class.forName, built an arbitrary String with the java.lang.Runtime value, accessed the java.lang.Runtime.getRuntime method, and created another string to access java.lang.Runtime – thus enabling development of a workable RCE payload.
The final payload was under 3KB and was accepted by the server as a GET request.
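As an added illustration (not code from the researchers’ write-up or from Akamai), the application-side control that makes the type-reference approach described above moot regardless of what a WAF filters: evaluating expressions only in a SimpleEvaluationContext, which has no type locator, so a T(java.lang.Runtime) reference is rejected before any reflection is reachable. It assumes Spring Framework 5.x (spring-expression) on the classpath; the sample expression is constructed for the demo.

```java
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class SpelContextDemo {
    // Constructed sample input: a type reference of the kind the article describes.
    // availableProcessors() is used only because it is harmless to call.
    private static final String UNTRUSTED =
            "T(java.lang.Runtime).getRuntime().availableProcessors()";

    // StandardEvaluationContext exposes type references, constructors and
    // reflection: this is the setting in which SpEL injection becomes RCE.
    public static Object evaluateUnsafe(String expr) {
        ExpressionParser parser = new SpelExpressionParser();
        Expression e = parser.parseExpression(expr);
        return e.getValue(new StandardEvaluationContext());
    }

    // SimpleEvaluationContext has no TypeLocator, no constructor support and
    // no bean references, so T(...) fails at evaluation time.
    public static Object evaluateRestricted(String expr) {
        ExpressionParser parser = new SpelExpressionParser();
        Expression e = parser.parseExpression(expr);
        return e.getValue(SimpleEvaluationContext.forReadOnlyDataBinding().build());
    }

    public static void main(String[] args) {
        System.out.println("Standard context evaluated it: " + evaluateUnsafe(UNTRUSTED));
        try {
            evaluateRestricted(UNTRUSTED);
            System.out.println("Unexpected: restricted context evaluated the expression");
        } catch (SpelEvaluationException ex) {
            // Expected: the type reference is refused, e.g. message code TYPE_NOT_FOUND
            System.out.println("Restricted context rejected it: " + ex.getMessageCode());
        }
    }
}
```

The WAF bypass in the article shows why a request-side blocklist is a secondary control; the primary one is never handing untrusted input to a StandardEvaluationContext, and keeping Spring Boot current so the whitelabel error page does not evaluate it either.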
Elusive entry point
However, bypassing the WAF was by no means an easy task. Peter H noted it took approximately 500 crafted attempts and over 14 hours to find an entry point.
The researcher declined to supply a final payload in a text format to prevent blind copycats.
“In this case, deep knowledge of Java and SpEL capabilities was required to construct a payload that would both bypass the Akamai WAF as well as work in the context where it was executing,” they noted.
Akamai response
When approached for comment, Akamai told The Daily Swig that the bypass was only possible as the researchers used an old version of the Akamai WAF protection engine.
A patch was issued on July 25, 2022. As a result, customers running the latest engine version are not at risk of exploitation.
Akamai said: “Akamai is aware of the findings of a security researcher who has claimed to have bypassed Akamai’s WAF. This issue was discovered and an update was issued several months prior to this blog post being published.
“The Akamai Threat Research team is always on the lookout for new attack types and works to proactively update protections on a regular basis. Akamai recommends that all customers ensure that Adaptive Security Engine, the protection engine that powers Akamai WAF, is up to date, ideally via automatic updates.”
The Daily Swig has reached out to the researchers involved and we will update this article if and when they comment.
Source: https://portswigger.net/daily-swig/akamai-waf-bypassed-via-spring-boot-to-trigger-rce