A new attack method has been discovered that could allow hackers to bypass several popular web application firewalls (WAFs) and access critical corporate and consumer information. Web application firewalls are an important line of defense: they filter, monitor, and block HTTP(S) traffic to and from a web application, and protect against attacks such as cross-site request forgery, cross-site scripting (XSS), file inclusion, and SQL injection. The new method involves attaching JSON syntax to SQL injection payloads, which leaves the WAF unable to interpret them. This allows the attacker to bypass the WAF and access the target environment. WAFs from providers such as Amazon Web Services (AWS), Cloudflare, F5, Imperva, and Palo Alto Networks were all vulnerable to this attack method, but the vendors have since released patches to fix the issue.
Firewall Bypass
• Dec. 10, 2022, 8:45 p.m.