
Security researcher Mazin Ahmed has published the results of an analysis of ways to bypass the XSS protection of popular web application firewalls (WAFs).
Ahmed used several virtual machines running popular browsers such as Google Chrome, Opera, Mozilla Firefox and Internet Explorer.
The researcher examined both commercial and open-source products: F5 BIG-IP, Imperva Incapsula, AQTRONIX WebKnight, PHP-IDS, ModSecurity, Sucuri, QuickDefence and Barracuda WAF. For each product, at least one XSS vector was presented that bypasses its protection.
Incorrect handling of JS events
A number of well-known firewalls missed the “onwheel” and “onshow” JS events, which allow a malicious script to run when the user scrolls with the mouse and when a menu is displayed, respectively. In particular, F5 BIG-IP and Barracuda WAF were affected by this error.
QuickDefence was also unable to detect the injection of malicious code via the “onsearch” and “ontoggle” JS events.
Double URL encoding and JSF**k
Using double URL encoding, as well as a technique called JSF**k (which lets any JS code be written with a set of just 6 characters), the researcher bypassed the XSS filters of several WAFs at once. Imperva Incapsula, F5 BIG-IP (this WAF has four different bypasses), ModSecurity and PHP-IDS were subject to this bypass.
Other vulnerabilities
In addition, the PHP-IDS rules contained an error that allowed an attacker to bypass the filters using the svg tag, and Sucuri WAF did not take into account the seven-bit representation of data in the US-ASCII encoding, which Internet Explorer 6 and 7 interpret as follows:
¼script¾alert(¢xss¢)¼/script¾
A detailed description of all the bypasses is given in the study.
The researcher reported the detected security flaws to the developers of all the firewalls involved in the study. Most of them have already released patches or will fix the bugs in the next version of their product; only the PHP-IDS development team did not respond.
What about us?
We checked our self-learning PT Application Firewall (PT AF) for exposure to the bypasses described by Ahmed. Consider three possible scenarios for how our protection operates.
(1) The trained system blocks such attacks, treating them as anomalous requests to the application:

(2) Attacks similar to the examples in the PDF document are blocked by regular expressions:

(3) If user input somehow bypassed all the PT AF protection mechanisms and ended up in the server response, it is escaped in the context of the HTML page:
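Two of the failure modes in Ahmed's study (a rule set built from a fixed list of event names, and rules matched before the request has been fully percent-decoded) and the output-escaping fallback of scenario (3) can be illustrated in a few lines. The following Python is an added example written for this post; it is neither PT AF code nor code from the study, and the input sample is constructed with a harmless marker attribute.

```python
import html
import re
from urllib.parse import unquote

# Match any "on<name>=" attribute rather than a hard-coded list of event names:
# rule sets built from a fixed list are exactly what let onwheel / onshow /
# onsearch / ontoggle pass unnoticed.
EVENT_HANDLER = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)


def normalize(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded to avoid loops).

    A filter that decodes exactly once compares its rules against text that
    still contains %XX sequences, which is the double-URL-encoding bypass."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def contains_event_handler(value: str, decode_rounds: int = 3) -> bool:
    """Detection check: normalise first, then look for an inline event handler."""
    return EVENT_HANDLER.search(normalize(value, decode_rounds)) is not None


def escape_for_html(value: str) -> str:
    """Scenario (3): escape for the HTML text context, so that input which
    slipped past the request-side rules cannot become markup in the response."""
    return html.escape(value, quote=True)


# Constructed sample: "<b onwheel=x>" double URL-encoded. %25 is the percent
# sign itself, so one decode round only yields "%3Cb%20onwheel%3Dx%3E".
DOUBLE_ENCODED = "%253Cb%2520onwheel%253Dx%253E"

if __name__ == "__main__":
    print("flagged after one decode round:", contains_event_handler(DOUBLE_ENCODED, decode_rounds=1))
    print("flagged after full normalisation:", contains_event_handler(DOUBLE_ENCODED))
    print("escaped output:", escape_for_html(normalize(DOUBLE_ENCODED)))
```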

PS
If WAFs are a topic close to your heart, join the PT Application Firewall development team:
habrahabr.ru/company/pt/blog/266415