Ethiack notes that 94% of web application firewalls can be compromised.

A recent study by Ethiack has highlighted that 94% of web application firewalls can be bypassed, presenting a significant cybersecurity vulnerability for organizations around the world.

Using the technique known as HTTP parameter pollution, in which the same parameter is repeated within a link or form, Ethiack researchers found they could inject malicious JavaScript into users’ browsers in most test cases.
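The bypass class described above works because a WAF and the application behind it may read different copies of a repeated parameter. The following added example (not Ethiack's code or tooling) shows the three parsing conventions a gateway, WAF or backend commonly apply to a polluted query string, and a check a defender can run at the edge to reject requests where those conventions disagree. The sample query strings and the `allow_repeats` policy are constructed for the example.

```python
"""Detect HTTP parameter pollution (HPP) before a WAF/backend split.

Added example, not Ethiack's code. Different proxies, WAFs and web
frameworks resolve a repeated query parameter differently: some keep
the first value, some the last, some join all values. A request that
looks harmless under one convention can carry a different payload
under another. The check below flags any request whose meaning depends
on which convention is used. Sample inputs are constructed.
"""
from urllib.parse import parse_qsl


def _pairs(query: str):
    # keep_blank_values so "a=&a=1" is still recognised as a repeat
    return parse_qsl(query, keep_blank_values=True)


def view_first(query: str) -> dict:
    """Mapping seen by a parser that keeps the first occurrence."""
    out = {}
    for k, v in _pairs(query):
        out.setdefault(k, v)
    return out


def view_last(query: str) -> dict:
    """Mapping seen by a parser that keeps the last occurrence."""
    out = {}
    for k, v in _pairs(query):
        out[k] = v
    return out


def view_joined(query: str, sep: str = ",") -> dict:
    """Mapping seen by a parser that concatenates repeated values."""
    out = {}
    for k, v in _pairs(query):
        out[k] = v if k not in out else out[k] + sep + v
    return out


def duplicate_params(query: str) -> set:
    """Names that occur more than once in the query string."""
    seen, dups = set(), set()
    for k, _ in _pairs(query):
        if k in seen:
            dups.add(k)
        seen.add(k)
    return dups


def is_consistent(query: str) -> bool:
    """True only when every convention yields the same mapping."""
    return view_first(query) == view_last(query) == view_joined(query)


def inspect_request(query: str, allow_repeats=frozenset()) -> dict:
    """Verdict an edge component could act on.

    allow_repeats (constructed policy) lists parameters that are
    legitimately multi-valued, e.g. checkbox groups; any other repeat
    is rejected so the WAF and backend can never disagree about it.
    """
    dups = duplicate_params(query)
    unexpected = dups - set(allow_repeats)
    return {
        "duplicates": sorted(dups),
        "consistent": is_consistent(query),
        "action": "reject" if unexpected else "allow",
    }


if __name__ == "__main__":
    # Constructed sample: "id" is repeated with two different values.
    sample = "id=42&id=99&lang=en"
    print("first :", view_first(sample))
    print("last  :", view_last(sample))
    print("joined:", view_joined(sample))
    print(inspect_request(sample))
```

Rejecting unexpected repeats at the outermost component is the simplest mitigation: whatever the WAF and the application individually do with duplicates, they only ever see requests on which every convention agrees, and the `duplicates` list in the verdict gives the SOC a concrete field to log and alert on.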

Although the testing was carried out in controlled environments, the study identified several weaknesses that cybercriminals could exploit to steal sensitive information from companies whose WAFs are otherwise well configured.

Key Findings of Ethiack’s Recent Study

The official press release states that in 70.6% of cases, the study’s ethical hackers managed to bypass WAFs using parameter pollution methods. Only three out of twelve WAFs consistently blocked all tested attack scenarios.

Furthermore, Ethiack’s AI-powered hackbot helped identify additional bypasses, increasing the overall penetration rate across 17 configurations to 94%. Without parameter pollution, the success rate was just 17.6%, which rose to 70.6% with the use of their methodology.

These results underscore that even a properly configured WAF does not guarantee protection. Small changes to request parameters can slip past its filters, which makes continuous, offensive security testing a necessity.