Research Finds 94% of Web Application Firewalls Can Be Bypassed with AI Hackbots


Research by ethical hacking platform Ethiack has found that 94% of web application firewalls (WAFs) can be bypassed using a technique called parameter pollution, revealing a significant blind spot in how organisations secure their web applications.

The study combined manual testing with Ethiack's AI-driven offensive security agent to explore scenarios capable of evading even well-tuned WAFs. Without parameter pollution, the bypass success rate was 17.6%, but this jumped to 70.6% using Ethiack's methodology and reached 94% when AI hackbots explored additional variations.

Research Findings

By repeating the same parameter in a link or form, researchers were able to inject malicious JavaScript into users' browsers in the majority of test cases. Only three out of 12 WAFs consistently blocked all three manually designed attack scenarios.

"WAFs are a key building block in every organisation's cyber defences, but they can't work miracles on their own," said Bruno Mendes, Head of Hacking at Ethiack and author of the study. "Small differences in how requests are interpreted by applications and firewalls can slip through blocking patterns and open the door to attacks."
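The interpretation gap Mendes describes, shown as an added illustration rather than code from the Ethiack study: a small Python script that splits a query string, flags any parameter that appears more than once, and resolves repeated keys under the three rules commonly seen across servers and frameworks (first value wins, last value wins, all values joined). The sample query strings are constructed; a filter and an application that apply different rules see different values for the same request, which is the ambiguity a defender wants to detect or reject at the edge.

```python
from urllib.parse import unquote_plus
from collections import Counter

# Constructed sample query strings (illustrative, not taken from the study).
SAMPLE_QUERIES = {
    "clean": "page=1&sort=asc",
    "repeated": "name=alice&name=bob",
    "triple": "id=42&id=43&id=44",
}


def split_pairs(query: str) -> list[tuple[str, str]]:
    """Split a raw query string into (key, value) pairs, keeping order and duplicates."""
    pairs = []
    for part in query.split("&"):
        if not part:
            continue
        key, _, value = part.partition("=")
        pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs


def resolve(query: str, rule: str) -> dict[str, str]:
    """Collapse repeated keys the way different stacks do:
    'first' keeps the first value, 'last' the last, 'join' comma-joins all."""
    grouped: dict[str, list[str]] = {}
    for key, value in split_pairs(query):
        grouped.setdefault(key, []).append(value)
    if rule == "first":
        return {k: v[0] for k, v in grouped.items()}
    if rule == "last":
        return {k: v[-1] for k, v in grouped.items()}
    if rule == "join":
        return {k: ",".join(v) for k, v in grouped.items()}
    raise ValueError(f"unknown rule: {rule}")


def polluted_params(query: str) -> dict[str, int]:
    """Detection: keys that appear more than once, with their occurrence count."""
    counts = Counter(key for key, _ in split_pairs(query))
    return {k: n for k, n in counts.items() if n > 1}


def interpretations_disagree(query: str) -> bool:
    """True when a filter using one rule would see different values than an
    application using another, which is the gap parameter pollution relies on."""
    views = [resolve(query, rule) for rule in ("first", "last", "join")]
    return any(view != views[0] for view in views[1:])


if __name__ == "__main__":
    for label, query in SAMPLE_QUERIES.items():
        print(label, polluted_params(query), interpretations_disagree(query))
```

Rejecting or logging any request where `polluted_params` is non-empty removes the ambiguity before a filter and the application can disagree about what was sent.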

Continuous Testing

The findings confirm that even properly configured WAFs are not foolproof, with small variations in requests capable of bypassing filters. The research suggests that cybersecurity validation cannot be a one-off exercise.

"WAFs will continue to play a role as a barrier to attackers, but they are no substitute for secure code or regular testing," added Mendes. "Tools like ours help IT teams detect real vulnerabilities continuously, prioritise and fix them before they can be exploited."

Ethiack, founded in Portugal in 2022, is a World Summit Award winner recognised by the United Nations for outstanding digital innovation.


To find out more, visit: ethiack.com