A Scientific Notation Bug in MySQL left AWS WAF Clients Vulnerable to SQL Injection

We discussed this vulnerability during Episode 93 on 25 October 2021

A simple bug in how MySQL handles the e scientific notation for numbers (1.1e5 for 110000, for example) could be abused to bypass various Web Application Firewalls (WAFs). The bug was that when no digits followed the e, the term was stripped from the query and nothing was put in its place. This meant that 1.0e, or any other variation on 1.0, could be placed in locations that would normally be syntactically invalid and would be stripped before the query was executed, defeating some of the parsing logic a WAF might be using.
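As an added illustration (not code from the episode, MySQL, or any WAF vendor), a small Python normalizer that mirrors the behaviour described above so a detection layer inspects what the database would actually run; the regex is an assumed approximation of the quirk's shape, not MySQL's real grammar, and the sample queries are constructed.

```python
import re

# Matches a numeric literal whose scientific-notation marker "e" has no exponent
# digits after it (e.g. "1.0e", "12e"). Per the post, MySQL dropped such a term
# instead of raising a syntax error. The lookbehind keeps identifiers such as
# "table2e" from matching; the lookahead keeps valid literals like "1e5" intact.
DANGLING_EXPONENT = re.compile(r"(?<![A-Za-z0-9_.])\d+(?:\.\d*)?[eE](?![0-9+\-])")


def mysql_like_normalize(query: str) -> str:
    """Rewrite the query the way the post says MySQL effectively did: each
    dangling-exponent literal is removed and nothing is put in its place."""
    return DANGLING_EXPONENT.sub("", query)


def dangling_exponent_terms(query: str) -> list[str]:
    """Return every dangling-exponent literal found in the query text."""
    return DANGLING_EXPONENT.findall(query)


def inspect(query: str) -> dict:
    """Detection helper. Legitimate application SQL never contains a number
    ending in a bare "e", so any hit is worth alerting on, and signature rules
    should be evaluated against the normalized text, not only the raw input."""
    terms = dangling_exponent_terms(query)
    return {
        "suspicious": bool(terms),
        "terms": terms,
        "normalized": mysql_like_normalize(query),
    }


if __name__ == "__main__":
    # Constructed sample queries: one ordinary, one carrying a dangling "e".
    for q in ("SELECT name FROM users WHERE id = 42", "SELECT 1.0e FROM users"):
        print(inspect(q))
```

The same normalization step belongs in any WAF or log-based detection that tokenizes SQL, since the rules otherwise parse a different query from the one MySQL executes.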

This is a good reminder that you shouldn't rely on a WAF to prevent SQL injection: it is a last line of defense that increases the cost of developing an attack, not complete protection.