Whitehat hacker bypasses SQL injection filter for Cloudflare


Cloudflare is one of the top web security companies, with a sizeable clientele that requires it to take its security practices very seriously, which it does. Even so, there are times when vulnerabilities are found by external actors and brought to its notice.


One such case surfaced recently when cybersecurity researcher George Skouroupathis uncovered a flaw in the SQL injection protection mechanism of Cloudflare's Web Application Firewall (WAF).


The experimentation started when George was working on a client’s site that used MySQL as its database. As the work required, he randomly tested for SQL injections by making requests to a specific webpage. This is when he discovered an interesting behaviour that became the building block for his vulnerability discovery.




Specifically, when he sent a query that selected a particular variable from a data entity only if it matched a certain condition, the server returned a 200 OK status when the condition was met and a 500 Internal Server Error when it was not. The researcher states in their blog post that:



This gave me an idea: writing a script that compared a character picked from the name of the required DBMS entity and sequentially compared it with all characters. The idea was, if the tw ..
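
From the defender's side, the 200/500 behaviour described above shows up in access logs as one client sending many distinct parameter values to a single page and receiving a mix of 200 and 500 responses. The Python below is an added example, not code from the researcher or Cloudflare; the log format, thresholds, IP addresses and paths are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Common-log-format matcher: client IP, request target, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')

def find_status_oracles(lines, min_requests=20, min_share=0.2):
    """Return (ip, path) pairs whose traffic looks like a 200/500 true/false oracle.

    Thresholds are assumptions to tune per site, not values from the article.
    """
    stats = defaultdict(lambda: {"200": 0, "500": 0, "total": 0, "queries": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, target, status = m.groups()
        url = urlsplit(target)
        s = stats[(ip, url.path)]
        s["total"] += 1
        s["queries"].add(url.query)
        if status in ("200", "500"):
            s[status] += 1
    flagged = []
    for key, s in stats.items():
        if s["total"] < min_requests or len(s["queries"]) < min_requests:
            continue  # too little traffic, or the same request repeated
        ok, err = s["200"] / s["total"], s["500"] / s["total"]
        # Both outcomes well represented: the server is answering yes/no.
        if ok >= min_share and err >= min_share:
            flagged.append(key)
    return sorted(flagged)

def sample_log():
    """Constructed sample: one probing client, one normal client, one broken page."""
    fmt = '{ip} - - [01/Jan/2020:00:00:{sec:02d} +0000] "GET {target} HTTP/1.1" {status} 512'
    lines = []
    for i in range(40):  # new parameter value each time, mixed 200/500
        lines.append(fmt.format(ip="203.0.113.7", sec=i, target=f"/item?id=probe{i}",
                                status=200 if i % 3 == 0 else 500))
    for i in range(40):  # normal browsing: every request succeeds
        lines.append(fmt.format(ip="198.51.100.4", sec=i, target=f"/item?id={i}", status=200))
    for i in range(5):   # a failing page hit a few times: below the request threshold
        lines.append(fmt.format(ip="198.51.100.9", sec=i, target="/item?id=1", status=500))
    return lines

if __name__ == "__main__":
    print(find_status_oracles(sample_log()))
```

Returning the same generic response for both outcomes, rather than a 500 when the condition fails, removes the signal this check looks for.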
