Are There Holes in Your Web Application Firewall?

Posted: September 17th, 2015
Filed under: Port 80 News, Web and Application Security
Tags: , , , , ,

Last week, The Port80 Software team took a leisurely stroll through /r/NetSec  on Reddit and found a very interesting post. It linked to a paper about vulnerabilities found in popular commercial Web Application Firewall (WAF) products. The findings within and their ramifications for ServerDefender VP are worth reading about for anyone who has an interest in data security.

Evading Web Application Firewall XSS Filters

In his paper, Mazin Ahmed writes:

“Due to the increasing use of Web-Application Firewalls, I conducted a research on all well known Web-Application Firewalls to check their efficiency in protecting against cross-site scripting attacks. The motive behind this research was to confirm that there is no effective way to protect against a vulnerability other than fixing its root cause. The tests were conducted against popular Web-Application Firewalls, such as F5 Big IP, Imperva Incapsula, AQTRONIX WebKnight, PHP-IDS, Mod-Security, Sucuri, QuickDefense, Barracuda WAF, and they were all evaded within the research.”

After reading through the research and running some checks on its validity, we had some  burning questions in our minds:

  • What does this mean for those of us who rely on WAFs?
  • How about those of us who trust ServerDefenderVP?

Here’s what you need to know.

A Quick Refresher on WAFs and XSS

A web application firewall (WAF), as the name implies is a Firewall that can take on several forms. It can be an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation.  These rules protect against common threats, such as cross-site scripting (XSS), SQL injection (SQLI), and other web-application related vulnerabilities. “XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are widespread and occur anywhere a web application uses input from a user within the output it generates. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site”[1].

My WAF has holes in it! Help!

holes in wall for holes in a web application firewall

Without getting into the specifics, Mr. Ahmed’s research indicated that all of the WAF’s he tested could be exploited by using Cross-Site Scripting attacks. Ironically, a WAF should be able to defend against these attacks. Some of the scripts he used were old or uncommon. As a result, they were able to bypass the WAFs he tested. As Mr. Ahmed writes, the toughest exploit he found took him approximately half an hour to find. This is fairly troubling news. However, fortunately for the NetSec community, this research has been published after the necessary manufacturers were notified and given time to patch their products.

How Well Does ServerDefender Defend?

server defender logo

The answer may surprise you! (Just kidding). We decided to try some of Mr. Ahmed’s well-documented exploits on ServerDefender VP 2.2.6 to see if it would break.

SDVP screenshot means it is working

We were pleased to find that the exploits were greeted with everyone’s favorite “Are you Trying to Hack Us?” error page and logged appropriately as XSS.

From there, we decided to take things a step further and run these exploits past our super secret, not even announced, still in development NEW VERSION of ServerDefender, and were greeted with the same results.

However, we weren’t satisfied with a simple victory. We wanted to know for sure that our product could withstand the same stringent testing that other WAF’s went through. So we went directly to the source and contacted Mr. Ahmed to see if he would put ServerDefender through the trial.

The Result?

Our invitation to Mr. Ahmed to test ServerDefenderVP was accepted! We will keep you posted as we receive word on his research efforts.

In the meantime, if you are interested in putting ServerDefender VP through your own testing, please, get your free 30 day trial of SDVP and give it a try. We’d love to hear your thoughts on it.

No Comments »

Leave a Reply