CyberSecurityBoard
Sponsor Register Login

New WAFFLED Attack Exploits AWS, Azure, Cloud Armor, Cloudflare, and ModSecurity WAFs

By mutating innocuous elements such as boundary delimiters in multipart/form-data, character sets in application/json, or namespace features in application/xml, the attack convinces a WAF that a request is benign while the downstream web framework faithfully reconstructs and executes the embedded exploit code. The researchers validated 1,207 unique bypasses across AWS WAF, Azure WAF, Google Cloud Armor, Cloudflare WAF, and ModSecurity, confirming that every mainstream parsing model could be fooled in at least one configuration. WAFFLED exploits parsing differences between WAFs and applications to bypass security filters. In this cut-down proof-of-concept, Cloudflare’s parser stops at the first fake boundary, sees only harmless data, and forwards the request. WAFFLED reminds defenders that security devices must not only look at every byte but also agree on what each byte means. Flask, however, honors the RFC 2231 parameter continuation, concatenates the real boundary, and dutifully executes the XSS payload. AWS WAF’s stricter parser escaped the test suite unscathed, underscoring that meticulous RFC compliance is an effective—if performance-intensive defense.

This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 18 Jul 2025 09:05:19 +0000


Cyber News related to New WAFFLED Attack Exploits AWS, Azure, Cloud Armor, Cloudflare, and ModSecurity WAFs

9 Best DDoS Protection Service Providers for 2024 - eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More. One of the most powerful defenses an organization can employ against distributed ...
1 year ago Esecurityplanet.com
New WAFFLED Attack Exploits AWS, Azure, Cloud Armor, Cloudflare, and ModSecurity WAFs - By mutating innocuous elements such as boundary delimiters in multipart/form-data, character sets in application/json, or namespace features in application/xml, the attack convinces a WAF that a request is benign while the downstream web framework ...
1 week ago Cybersecuritynews.com
CrowdStrike Demonstrates Cloud Security Leadership at AWS re:Invent - CrowdStrike is honored to be named Partner of the Year for several 2023 Geo and Global AWS Partner Awards at Amazon Web Services re:Invent 2023, where we are participating this year as a Diamond Sponsor. These accomplishments demonstrate our ...
1 year ago Crowdstrike.com
25 Best Cloud Service Providers (Public and Private) in 2025 - Oracle Cloud offers a variety of services, including infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS), to help organizations build, deploy, and run applications in the cloud. Oracle Cloud is a cloud ...
2 months ago Cybersecuritynews.com
Multi-Cloud vs. Hybrid Cloud: The Main Difference - The proliferation of cloud technologies is particularly confusing to businesses new to cloud adoption, and they're sometimes baffled by the distinction between multi-cloud and hybrid cloud. Although the public cloud infrastructure and public cloud ...
1 year ago Techtarget.com
Comprehensive Cloud Monitoring Platforms: Ensuring - Platforms for comprehensive cloud monitoring come into play in this situation. In this article, we will explore the significance of comprehensive cloud monitoring platforms and delve into some leading solutions available in the market today. ...
1 year ago Feeds.dzone.com
Cloudflare discloses breach related to stolen Okta data - Last fall, Cloudflare announced it mitigated an attempted cyberattack stemming from the infamous Okta breach. Cloudflare disclosed in a blog post that it had been breached by an unnamed nation-state threat actor using an access token and three ...
1 year ago Techtarget.com
What is a Cloud Architect and How Do You Become One? - A cloud architect is an IT professional who is responsible for overseeing a company's cloud computing strategy. This includes cloud adoption plans, cloud application design, and cloud management and monitoring. Cloud architects oversee application ...
1 year ago Techtarget.com
GCP to AWS migration: A Comprehensive Guide - Embarking on a GCP to AWS migration journey can be both exciting and challenging. Before we dive into the technical details, let's explore why businesses might consider migrating from GCP to AWS. While GCP offers a range of services, AWS boasts an ...
1 year ago Feeds.dzone.com
The 10 Best Cloud Security Certifications for IT Pros in 2024 - Many professionals seeking a career in cloud security turn to certifications to advance their learning and prove.... their knowledge to potential employers. The number of cloud security certifications has increased in recent years making it difficult ...
1 year ago Techtarget.com
2023 Cloud Security Report - Security concerns remain a critical barrier to cloud adoption, showing little signs of improvement in the perception of cloud security professionals. Cloud adoption is further inhibited by a number of related challenges that prevent the faster and ...
1 year ago Cybersecurity-insiders.com
Five business use cases for evaluating Azure Virtual WAN security solutions - To help organizations who are evaluating security solutions to protect their Virtual WAN deployments, this article considers five business use cases and explains how Check Point enhances and complements Azure security with its best-of-breed, ...
1 year ago Blog.checkpoint.com
What is Azure Identity Protection and 7 Steps to a Seamless Setup - As a result, tools such as Microsoft's Azure Identity Protection have become a staple in protecting against compromised identities, account takeover, and misuse of privileges. Azure Identity Protection is a security service that provides a robust ...
1 year ago Securityboulevard.com
CVE-2025-6087 - A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package. The vulnerability stems from an unimplemented feature in the Cloudflare adapter for Open Next, which allowed unauthenticated users to proxy ...
1 month ago
Cloud Security: Stats and Strategies - An interesting aspect in O'Reilly's latest Cloud Adoption report based on a global survey conducted is that 90% of the responders are using the cloud to support their business. One of the key takeaways from the State of the Cloud report from Flexera ...
1 year ago Feeds.dzone.com
The Invisible Storm: Why Cloud Malware Is Your Business's New WeatherEmergency - Protecting your business from cloud malware requires a fundamental shift in security thinking, as traditional defenses simply weren’t designed for these sophisticated airborne threats. Recent research by Cloud Storage Security identified ...
2 months ago Cybersecuritynews.com
Cloudflare Dashboard and APIs down after data center power outage - An ongoing Cloudflare outage has taken down many of its products, including the company's dashboard and related application programming interfaces customers use to manage and read service configurations. The complete list of services whose ...
1 year ago Bleepingcomputer.com
Shaping the Future of Finance: The Cisco and AWS Collaboration in EMEA - The collaboration between Cisco and Amazon Web Services in the Europe, Middle East, and Africa region-combining each company's market leading strengths-continues to deliver impressive outcomes for our customers, notably within the Financial Services ...
1 year ago Feedpress.me
Customer compliance and security during the post-quantum cryptographic migration | AWS Security Blog - For example, using the s2n-tls client built with AWS-LC (which supports the quantum-resistant KEMs), you could try connecting to a Secrets Manager endpoint by using a post-quantum TLS policy (for example, PQ-TLS-1-2-2023-12-15) and observe the PQ ...
9 months ago Aws.amazon.com
Top Cloud Security Issues: Threats, Risks, Challenges & Solutions - Cloud security issues refer to the threats, risks, and challenges in the cloud environment. To combat these cloud security issues, develop a robust cloud security strategy that addresses all three to provide comprehensive protection. Cloud security ...
1 year ago Esecurityplanet.com
6 Best Cloud Security Companies & Vendors in 2024 - Cloud security companies specialize in protecting cloud-based assets, data, and applications against cyberattacks. To help you choose, we've analyzed a range of cybersecurity companies offering cloud security products and threat protection services. ...
1 year ago Esecurityplanet.com
Cloud Penetration Testing Checklist - 2023 - Check the Service Level Agreement and make sure that proper policy has been covered between the Cloud service provider (CSP) and Client. Cloud penetration testing focuses on identifying and exploiting vulnerabilities in cloud environments, ensuring ...
9 months ago Gbhackers.com
What Is Cloud Security Management? Types & Strategies - Cloud security management is the process of safeguarding cloud data and operations from attacks and vulnerabilities through a set of cloud strategies, tools, and practices. The cloud security manager and the IT team are generally responsible for ...
1 year ago Esecurityplanet.com
25 Best Managed Security Service Providers (MSSP) - 2025 - Pros & Cons: ProsConsStrong threat intelligence & expert SOCs.High pricing for SMBs.24/7 monitoring & rapid incident response.Complex UI and steep learning curve.Flexible, scalable, hybrid deployments.Limited visibility into endpoint ...
4 weeks ago Cybersecuritynews.com
7 Considerations for Multi-Cluster Kubernetes - A hybrid cloud is a cloud computing environment that combines public and private clouds, allowing organizations to utilize the benefits of both. In a hybrid cloud, an organization can store and process critical data and applications in its private ...
1 year ago Feeds.dzone.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)