Hackers could bypass WAFs in 70.6% of cases using advanced parameter pollution.
The vast majority of web application firewalls (WAFs) can be bypassed using a little-known attack method, raising concerns about the reliability of one of the most widely deployed cybersecurity defences.
Research from ethical hacking platform Ethiack revealed that 94% of WAFs tested were vulnerable to “parameter pollution” - a technique in which attackers repeat the same parameter in a link or form to inject malicious JavaScript into users’ browsers.
The findings, which combined manual testing with Ethiack’s AI-powered “hackbot,” showed that hackers could bypass WAFs in 70.6% of cases using advanced parameter pollution, with the hackbot pushing overall success rates to 94% across 17 different configurations. Only three out of 12 WAFs tested were able to consistently block all three manually designed attack scenarios.
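The interpretation gap the research describes, as an added example that is not Ethiack's code or any WAF vendor's: three common readings of a repeated query parameter (first wins, last wins, all joined), plus a defender-side check that refuses unexpected repeats at the application boundary. The parser policies, sample query and helper names are assumptions for illustration.

```python
"""Why a repeated query parameter lets a filter and the application disagree,
and a conservative check that closes the gap. Added example: the policies are
common parser defaults, not the behaviour of any named product."""
from urllib.parse import parse_qsl


def views(query: str) -> dict:
    """Return the three common readings of a query string.

    A layer that keeps the first occurrence of a key inspects a different
    request than a layer that keeps the last or joins them all; that is the
    mismatch parameter pollution exploits.
    """
    pairs = parse_qsl(query, keep_blank_values=True)
    first, last, joined = {}, {}, {}
    for key, value in pairs:
        first.setdefault(key, value)                 # first occurrence wins
        last[key] = value                            # last occurrence wins
        joined[key] = joined.get(key, []) + [value]  # every occurrence kept
    return {"first": first, "last": last,
            "joined": {k: ",".join(v) for k, v in joined.items()}}


def duplicated_keys(query: str) -> set:
    """Keys that occur more than once: the precondition for pollution."""
    seen, dupes = set(), set()
    for key, _ in parse_qsl(query, keep_blank_values=True):
        if key in seen:
            dupes.add(key)
        seen.add(key)
    return dupes


def accept_request(query: str, allowed_repeats=frozenset()) -> bool:
    """Refuse any request whose repeated keys are not explicitly expected
    (multi-select form fields go in allowed_repeats). Rejecting the ambiguity
    itself removes the divergence instead of chasing payload patterns."""
    return duplicated_keys(query) <= set(allowed_repeats)


if __name__ == "__main__":
    # Constructed sample: the second 'q' carries what the first one hides.
    sample = "user=alice&q=benign&q=unexpected%20fragment"
    for policy, seen in views(sample).items():
        print(f"{policy:>6}: q={seen['q']!r}")
    print("duplicates:", duplicated_keys(sample))   # {'q'}
    print("accepted:", accept_request(sample))      # False
```

Run against the constructed query, the "first" reading sees only `benign` while the "last" reading sees `unexpected fragment`; `accept_request` rejects the request because `q` was not declared as a repeatable field.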
Bruno Mendes, head of hacking at Ethiack, said: “WAFs are a key building block in every organisation’s cyber defences, but they can’t work miracles on their own. Small differences in how requests are interpreted by applications and firewalls can slip through blocking patterns and open the door to attacks.
“WAFs will continue to play a role as a barrier to attackers, but they are no substitute for secure code or regular testing. Tools like ours help IT teams detect real vulnerabilities continuously, prioritise and fix them before they can be exploited.”
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.