EVADING ALL WEB-APPLICATION FIREWALLS XSS FILTERS

Nytro · March 18, 2016

1. Abstract

Due to the increasing use of Web-Application Firewalls, I conducted a research on all wellknown Web-Application Firewalls to check their efficiency in protecting against cross-site scripting attacks. The motive behind this research was to confirm that there is no effective way to protect against a vulnerability other than fixing its root cause. The tests were conducted against popular Web-Application Firewalls, such as F5 Big IP, Imperva Incapsula, AQTRONIX WebKnight, PHP-IDS, Mod-Security, Sucuri, QuickDefense, Barracuda WAF, and they were all evaded within the research.

2. Introduction

A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Usually, those rules protect against common threats, such as cross-site scripting (XSS), SQL injection (SQLI), and other common web-application related vulnerabilities. In my tests, I focused on finding methods to bypass WAFs protection against cross-site scripting vulnerabilities. "Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site"[1].

Download: https://www.exploit-db.com/docs/38117.pdf