A security engineer has publicly shared a web application attack vector (command injection) that bypasses the Cloudflare WAF (Web Application Firewall) and possibly other WAF products.
As of February 16, 2020, this attack vector is considered to work.
What Is Command Injection?
Command injection refers to a security vulnerability that permits an attacker to execute arbitrary operating-system commands on the server hosting a web application, typically because user-supplied input is passed to a system shell without validation.
The Attack Vector
This command injection attack is capable of bypassing modern web application firewalls:
Based on our analysis of the attack vector, we believe that this command injection bypass can also work with other WAF products. WAF bypass techniques typically keep evolving, while signatures for older attack vectors are eventually added to the vendors' blocklists.
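The definition above and the closing observation about evolving bypasses point to the same conclusion for defenders: a WAF is a compensating control that filters known payload shapes, and the durable fix is to keep untrusted input away from a shell in the application itself. The following Python snippet is an added example, not code from the original article or from Cloudflare; it contrasts the anti-pattern (input spliced into a command string destined for a shell) with a hardened version that validates the input against an allowlist and invokes the program with an argv list and `shell=False`. The `ping` feature, the hostname pattern and the sample inputs are assumptions chosen for illustration.

```python
from __future__ import annotations

import re
import subprocess

# Allowlist for a hostname parameter (assumed shape for this example): letters,
# digits, dots and hyphens, not starting or ending with a dot or hyphen.
# Shell metacharacters (; | & $ ` ( ) newline, whitespace) cannot pass it, and a
# leading hyphen is rejected so the value cannot be read as a command-line flag.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def build_ping_command_vulnerable(host: str) -> str:
    """The anti-pattern: user input spliced into a single command string that is
    later handed to a shell (os.system or subprocess.run(..., shell=True)).
    Whatever metacharacters `host` contains become part of the shell's parse,
    which is exactly what a WAF is being asked to catch after the fact."""
    return f"ping -c 1 {host}"


def is_safe_hostname(host: str) -> bool:
    """True only if the value matches the hostname allowlist."""
    return HOSTNAME_RE.fullmatch(host) is not None


def build_ping_command_hardened(host: str) -> list[str]:
    """Validate against the allowlist, then build an argv list. The list is
    passed straight to the OS (no shell), so there is no command line to inject
    into even if the validation regex were ever loosened by mistake."""
    if not is_safe_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> subprocess.CompletedProcess:
    """Executes ping with the hardened argv; shell=False is the default but is
    spelled out so a reviewer can see it. Not called at import time."""
    return subprocess.run(
        build_ping_command_hardened(host),
        capture_output=True,
        text=True,
        timeout=5,
        shell=False,
    )


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate host, one carrying a shell
    # separator, and one that would be parsed as a flag by ping.
    for candidate in ("example.com", "example.com;id", "-c"):
        verdict = "accepted" if is_safe_hostname(candidate) else "rejected"
        print(f"{candidate!r}: {verdict}")
        print("  string form (do not use):", build_ping_command_vulnerable(candidate))
```

Note that the vulnerable builder happily returns a string for any input; the separator simply rides along into the shell. The hardened path fails closed on the same input, and because the accepted value is passed as one argv element, the shell never sees it at all. Logging the rejections from `build_ping_command_hardened` at the application layer also gives a detection signal that does not depend on the WAF's signature set.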