Web Application Firewalls Tested Against XSS Attacks

A researcher has conducted experiments to test some of the most popular web application firewalls (WAF) and see how effective they are at protecting against cross-site scripting (XSS) attacks.

A WAF is an appliance, a plugin or a filter that applies a set of rules to web communications in an effort to block common types of attacks, such as SQL injection and XSS. However, UAE-based security researcher Mazin Ahmed has attempted to demonstrate that many WAFs, including open source and commercial products, have weaknesses that could be exploited by malicious actors.

Ahmed published a paper last week detailing XSS filter evasion tests made on F5 Networks’ Big-IP, Incapsula’s WAF, AQTRONIX WebKnight, PHP-IDS, Trustwave’s ModSecurity, Sucuri’s WAF, QuickDefence, and Barracuda’s WAF.

The expert claims he has managed to bypass all of the tested web application firewalls. While some of the vendors whose products have been checked have improved their products based on this research, others have disputed Ahmed’s findings.

The researcher used various techniques to bypass XSS filters in WAFs. In some cases he claims to have completed the task within five minutes, while in other cases it took him nearly an hour. Some of the methods he attempted didn’t work on every client-side environment of the tested product, Ahmed noted.

Sucuri, whose WAF performed very well, with only one highly impractical evasion method discovered by the researcher, welcomed the effort. The company told SecurityWeek that it has made some improvements to its product based on the expert’s findings.

Barracuda Networks has also confirmed the accuracy of the report. The company said it addressed both bypass methods disclosed by the expert with patches delivered in August.

AQTRONIX also patched the issues disclosed by the researcher with the release of WebKnight 4.2 on July 1.

"We even made a small donation towards Mazin Ahmed for his excellent work. We hope he continues researching WAF solutions for improving everyone's security and privacy. Our solution is open source and we invite all hackers around the world to test our software. We give donations for confirmed security issues with WebKnight," AQTRONIX said via email.

The expert says F5 Networks has also made some improvements to its XSS filter in the latest version of its product.

Others disputed the researcher’s findings. Jaydeep Dave, a developer of QuickDefence, told SecurityWeek that they encourage customers to write their own rules based on their needs. Dave claims Ahmed has only managed to bypass a sample rule provided to customers as reference.

Mark Kraynak, chief product officer at Imperva, the company that owns Incapsula, says the Incapsula WAF cannot be evaded via the methods described by the researcher.

“We are aware of Mazin Ahmed’s research. Our security team has been in touch with him regarding his results. While we appreciate security researchers looking to make sure our WAF is as secure as it can be, we don’t agree with many of Mr. Ahmed’s observations,” Kraynak told SecurityWeek.

Mario Heiderich, director of Berlin-based penetration testing firm Cure53 and former PHP-IDS developer, believes that Ahmed’s allegations in the case of PHP-IDS are inaccurate.

Heiderich has also criticized the research paper in general, arguing that it often describes absurd attack scenarios without providing numbers, statistics and provable facts.

“What is true is that some WAFs were nicely and cleanly bypassed using interesting element-event combinations and others by avoiding indicator strings such as ‘alert()’,” Heiderich said via email. “But further true is also that if the web application protected by the WAF makes dramatic and unlikely changes to the user input between the WAF having checked it and the data being used, then resulting detection flaws are very likely. That however is not new, nor does this fact constitute a bypass but rather a weakness by design almost every WAF is plagued with.”

Responding to criticism, Ahmed pointed out that his goal was to show that WAFs can be bypassed and that the best way to defend against attacks is by fixing the vulnerability in the first place.

“Using web-application firewalls will not protect from attacks and breaches, but it may force attackers to spend additional time in the exploitation process,” he said.
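The point Ahmed and Heiderich both make is that an indicator-string filter sitting in front of an application checks data that may differ from what the application finally uses, whereas fixing the vulnerability means encoding at the point of use. The following added example, which is not from the paper or any of the vendors named above, contrasts a constructed, deliberately simple signature-style filter with contextual output encoding in Python; the pattern list, the rendering functions and the sample inputs are all assumptions made for illustration.

```python
import html
import re

# Constructed, simplified indicator-string filter in the spirit of the rules
# the article describes (assumption: no real product's rule set is reproduced).
INDICATOR_PATTERNS = [
    re.compile(r"<\s*script", re.IGNORECASE),
    re.compile(r"\balert\s*\(", re.IGNORECASE),
    re.compile(r"\bon\w+\s*=", re.IGNORECASE),  # generic element-event handler shape
]


def signature_filter_blocks(value: str) -> bool:
    """Return True when a blocklist indicator matches.

    A blocklist can only catch what it enumerates, and it judges the request
    as received, not the value the application eventually writes into a page.
    That is why a filter like this is a secondary control, not the fix.
    """
    return any(p.search(value) for p in INDICATOR_PATTERNS)


def render_comment(author: str, body: str) -> str:
    """Render untrusted text into an HTML body context.

    html.escape converts <, >, &, " and ', so no input can open a tag or an
    attribute regardless of what an upstream filter did or did not match,
    and regardless of how the input was transformed on the way here.
    """
    return (
        '<div class="comment">'
        f'<span class="author">{html.escape(author, quote=True)}</span>'
        f"<p>{html.escape(body, quote=True)}</p>"
        "</div>"
    )


def render_link(label: str, href: str) -> str:
    """Attribute context: escape the value and additionally restrict the scheme.

    Escaping keeps the value inside the quoted attribute, but the href sink
    also interprets URL schemes, so the encoding step alone is not sufficient
    here; an allow-list of schemes is the context-appropriate fix.
    """
    allowed_schemes = ("http://", "https://")
    safe_href = href if href.lower().startswith(allowed_schemes) else "#"
    return (
        f'<a href="{html.escape(safe_href, quote=True)}">'
        f"{html.escape(label, quote=True)}</a>"
    )


if __name__ == "__main__":
    # Constructed sample inputs.
    benign_text = "the function alert() is deprecated"      # blocked, yet harmless
    markup_text = "<img src=x>"                             # not matched, yet not harmless
    print(signature_filter_blocks(benign_text))             # True  (false positive)
    print(signature_filter_blocks(markup_text))             # False (miss)
    print(render_comment("reader", markup_text))            # tag is neutralised anyway
    print(render_link("docs", "https://example.com/?a=1&b=2"))
```

The blocklist both rejects a benign comment that merely mentions `alert()` and lets a plain tag through, while `render_comment` neutralises every input it is given because it operates on the final value at the sink. The second point is the one Heiderich raises: a check performed before the application reshapes its input says nothing reliable about the data that reaches the page, whereas encoding at the point of use does not depend on what happened earlier.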

*Updated with statement from AQTRONIX

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.