Sangram's Cyber Chronicles

How I Managed to Bypass Burger King's WAF and Inject SQL Using Order ID

In the world of web security, finding vulnerabilities within a web application is a rewarding yet challenging process. Recently, I had the opportunity to test the security of Burger King's online ordering system. During my penetration testing, I was able to bypass their Web Application Firewall (WAF) and discovered a critical SQL injection vulnerability using their order ID.

Discovering the SQL Injection

SQL injection is a technique where an attacker manipulates an SQL query by injecting crafted input through form fields or URL parameters. This can allow attackers to retrieve, modify, or delete data from the backend database. I suspected that the order ID parameter might be vulnerable to SQL injection, so I began testing it with various payloads.

First, I injected a simple single quote (`'`) into the order ID field, which is a common test for SQL injection. To my surprise, the system didn’t show any errors, but it did return unexpected results that hinted at the possibility of an underlying vulnerability.

Next, I tried more sophisticated SQL injection payloads like:

`' OR 1=1 --`

This payload is used to bypass login mechanisms and can sometimes trick the database into returning all records by altering the SQL query logic. I sent this payload through the order ID parameter, and it triggered unexpected database responses that confirmed the presence of SQL injection.

Bypassing the WAF

Burger King's WAF was designed to block typical SQL injection attempts by filtering out certain special characters and keywords (like `OR`, `1=1`, `--`, etc.). However, as is often the case, WAFs can be bypassed by using encoding or obfuscation techniques. I employed a few strategies to evade the WAF’s detection, including:

  • URL Encoding: I encoded the payload into URL format to bypass character filters. For example, the payload `' OR 1=1 --` would be encoded as `%27%20OR%201%3D1%20--`.
  • Comment Obfuscation: I injected SQL comments in various formats to mask parts of the payload, making it harder for the WAF to detect.

With these techniques, I successfully bypassed the WAF, allowing the malicious SQL query to reach the backend server and execute.

Exploiting the Vulnerability

Once I bypassed the WAF, I was able to inject the SQL query and retrieve data from the backend database. For example, by modifying the payload to:

`' UNION SELECT username, password FROM users --`

This query would allow me to extract sensitive information from the users table in the database. The vulnerability gave me unauthorized access to the backend, allowing me to interact with data that should have been protected.

However, I did not exploit the vulnerability further. Instead, I immediately reported it to Burger King’s security team through their responsible disclosure program.

The Reward: Rs 2500 in Burger King Tokens

After reporting the vulnerability, Burger King responded quickly, acknowledging the issue and thanking me for my responsible disclosure. As a token of appreciation for helping to secure their platform, they rewarded me with Rs 2500 worth of Burger King tokens.

While the reward was appreciated, the real satisfaction came from knowing that my discovery would help make their platform safer for customers.

Key Takeaways

  • SQL Injection Is Still a Threat: Despite the presence of a WAF, SQL injection remains a powerful attack vector. Always sanitize user inputs and use prepared statements to prevent such attacks.
  • WAFs Can Be Bypassed: Security measures like WAFs are important, but they aren’t foolproof. Bypassing WAFs often requires creative thinking and knowledge of evasion techniques.
  • Responsible Disclosure Is Crucial: Reporting vulnerabilities responsibly is essential for the safety of users. It also allows ethical hackers to contribute positively to the cybersecurity ecosystem.
  • Persistence Pays Off: Identifying and exploiting vulnerabilities takes patience. My persistence in testing various inputs and payloads eventually led to the discovery of this SQL injection vulnerability.
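To make the prepared-statement takeaway concrete, here is an added example (not code from the original post or from Burger King's system) of an order-ID lookup written both ways: the concatenated query that the `' OR 1=1 --` payload above subverts, beside the parameterized version that treats the order ID strictly as data. The `orders` table, its columns and the `BK-NNNN` ID format are constructed assumptions for the demo.

```python
import re
import sqlite3

# Constructed sample data for a hypothetical orders table (not a real schema).
ORDERS = [
    ("BK-1001", "alice", "Whopper meal"),
    ("BK-1002", "bob", "Chicken fries"),
    ("BK-1003", "carol", "Veg burger"),
]


def make_db():
    """Build an in-memory SQLite database seeded with the sample orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (order_id TEXT, customer TEXT, item TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", ORDERS)
    return conn


def lookup_vulnerable(conn, order_id):
    """Order ID is concatenated into the SQL text, so the caller controls query syntax.
    The payload ' OR 1=1 -- turns the WHERE clause into a tautology and comments out
    the trailing quote, returning every order instead of one."""
    sql = f"SELECT order_id, customer, item FROM orders WHERE order_id = '{order_id}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, order_id):
    """Prepared statement: the order ID is bound as a value and can never change
    the query structure, so the same payload simply matches no row."""
    sql = "SELECT order_id, customer, item FROM orders WHERE order_id = ?"
    return conn.execute(sql, (order_id,)).fetchall()


def validate_order_id(order_id):
    """Defense in depth: allow-list the expected ID format before any query runs.
    Assumes the hypothetical BK-NNNN format used by the sample data."""
    return re.fullmatch(r"BK-\d{4}", order_id) is not None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"
    print("vulnerable:", lookup_vulnerable(db, payload))        # all three orders
    print("parameterized:", lookup_parameterized(db, payload))  # []
    print("validator accepts payload:", validate_order_id(payload))  # False
```

Run as a script it prints the contrast directly; a WAF in front of either version only filters the payload, while only the parameterized query removes the bug.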

Conclusion

Bypassing Burger King's WAF and exploiting the SQL injection vulnerability via the order ID was an exciting yet eye-opening experience. It highlighted both the strengths and limitations of security systems and reinforced the importance of continuous testing and improvement.

As penetration testers, our role is not just to identify vulnerabilities but also to help organizations strengthen their defenses. Thanks to my work, Burger King was able to patch this vulnerability, ensuring a safer experience for its users.

This journey was an important reminder of why ethical hacking and responsible bug disclosure are crucial in the fight to make the web a safer place for everyone.