My SQLi adventure or: why you should make sure your WAF is configured properly

In August 2021 I was tasked with performing a Web Application security assessment for a large client. The automated scanning tool returned a possible SQL injection which, just like last time, couldn't be exploited using that tool. The reason was Cloudflare's WAF, and more specifically its SQL Injection filter.

By George Skouroupathis, in Web

How I bypassed Cloudflare's SQL Injection filter

In late 2018 I was tasked with performing a Web Application security assessment for a large client. After running the standard scans with automated tools, something interesting came up: a possible SQL injection which couldn't be exploited using the tool. The reason: Cloudflare's WAF, and more specifically its SQL Injection filter.

By George Skouroupathis, in Web