
WAF Defense in Crisis? NSFOCUS Locks Down “Ghost Bits” Attacks in Advance

Security Boulevard, 30/04/2026, 06:44

Summary (AI-generated)

Key Points:

  • Ghost Bits attacks exploit encoding flaws in the Java ecosystem, allowing attackers to bypass WAF/IDS defenses by manipulating input semantics.
  • The vulnerabilities can lead to severe impacts including SQL injection, RCE, file upload bypass, and HTTP request smuggling across various frameworks, with a critical severity rating for many exploits.
  • Implementing fixed UTF-8 encoding, input normalization, parameterized queries, code audits for high-risk patterns, and reducing network exposure are recommended mitigations.

Technical Details: Ghost Bits attacks leverage silent high-bit truncation in Java's character encoding. Attackers replace critical ASCII characters with Unicode characters that appear harmless to front-end defenses but are restored to malicious payloads on the backend.
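The truncation described above, modelled in Python as an added example (not code from the article or from NSFOCUS): a lossy narrowing that keeps only the low 8 bits of each character, beside the fixed UTF-8 path the summary recommends, plus a normalization gate that flags input whose narrowed form would introduce a metacharacter the front-end never saw. The `META` watch set and the sample input are constructed assumptions.

```python
# Added example: model of silent high-bit truncation and a defensive
# normalization check. Simplified model, not the real Java decoder.

# Characters a backend parser treats as syntax; tune per application.
META = set("'\";<>|&$(){}\\/")


def narrow_lossy(s: str) -> bytes:
    """Lossy model: keep the low 8 bits of each character, the behaviour
    of a narrowing cast from char to byte. High bits vanish silently."""
    return bytes(ord(ch) & 0xFF for ch in s)


def narrow_utf8(s: str) -> bytes:
    """Fixed-UTF-8 path: every code point keeps a distinct encoding, so no
    non-ASCII character collapses onto a different ASCII character."""
    return s.encode("utf-8")


def ghost_bit_candidates(s: str):
    """Detection: non-ASCII characters whose truncated form lands on a
    metacharacter. Returns (original_char, truncated_char) pairs."""
    hits = []
    for ch in s:
        if ord(ch) > 0x7F:
            low = chr(ord(ch) & 0xFF)
            if low in META:
                hits.append((ch, low))
    return hits


def accept_input(s: str) -> bytes:
    """Normalization gate: reject encoding-ambiguous input, otherwise return
    the UTF-8 bytes the backend should actually use."""
    if ghost_bit_candidates(s):
        raise ValueError("encoding-ambiguous input rejected")
    return narrow_utf8(s)


# Constructed sample: U+0127 narrows to 0x27 under the lossy model.
SAMPLE = "id=1\u0127"

if __name__ == "__main__":
    print(narrow_lossy(SAMPLE), narrow_utf8(SAMPLE))
    print(ghost_bit_candidates(SAMPLE))
```

Running the lossy and UTF-8 paths over the same input makes the divergence visible in logs, which is the signal a WAF or backend normalizer should act on.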

MITRE ATT&CK Techniques:

  • T1190 - Exploit Public-Facing Application (Initial Access)
  • T1203 - User Execution (Execution)
  • T1059.001 - Command and Scripting Interpreter: PowerShell (Execution)

IOCs Mentioned: None mentioned.
