Web Application Firewalls Tested Against XSS Attacks

A researcher has conducted experiments to test some of the most popular web application firewalls (WAFs) and see how effective they are at protecting against cross-site scripting (XSS) attacks.

A WAF is an appliance, a plugin or a filter that applies a set of rules to web communications in an effort to block common types of attacks, such as SQL injection and XSS. However, UAE-based security researcher Mazin Ahmed has attempted to demonstrate that many WAFs, including open source and commercial products, have weaknesses that could be exploited by malicious actors.

Ahmed published a paper last week detailing XSS filter evasion tests made on F5 Networks’ Big-IP, Incapsula’s WAF, AQTRONIX WebKnight, PHP-IDS, Trustwave’s ModSecurity, Sucuri’s WAF, QuickDefence, and Barracuda’s WAF.

The expert claims he has managed to bypass all of the tested web application firewalls. While some of the vendors whose products were tested have since improved them based on this research, others dispute Ahmed’s findings.

The researcher used various techniques to bypass the XSS filters in the WAFs. In some cases he claims to have completed the task within five minutes, while in other cases it took him nearly an hour. Some of the methods did not work in every client-side environment (browser) against the tested product, Ahmed noted.

Sucuri, whose WAF performed very well, with only one highly impractical evasion method discovered by the researcher, welcomed the effort. The company told SecurityWeek that it has made some improvements to its product based on the expert’s findings.

Barracuda Networks has also confirmed the accuracy of the report. The company said it addressed both bypass methods disclosed by the expert with patches delivered in August.

AQTRONIX also patched the issues disclosed by the researcher with the release of WebKnight 4.2 on July 1.

“We even made a small donation towards Mazin Ahmed for his excellent work. We hope he continues researching WAF solutions for improving everyone’s security and privacy. Our solution is open source and we invite all hackers around the world to test our software. We give donations for confirmed security issues with WebKnight,” AQTRONIX said via email.

The expert says F5 Networks has also made some improvements to its XSS filter in the latest version of its product.

Others disputed the researcher’s findings. Jaydeep Dave, a developer of QuickDefence, told SecurityWeek that they encourage customers to write their own rules based on their needs. Dave claims Ahmed has only managed to bypass a sample rule provided to customers as reference.

Mark Kraynak, chief product officer at Imperva, the company that owns Incapsula, says the Incapsula WAF cannot be evaded via the methods described by the researcher.

“We are aware of Mazin Ahmed’s research. Our security team has been in touch with him regarding his results. While we appreciate security researchers looking to make sure our WAF is as secure as it can be, we don’t agree with many of Mr. Ahmed’s observations,” Kraynak told SecurityWeek.

Mario Heiderich, director of Berlin-based penetration testing firm Cure53 and former PHP-IDS developer, believes that Ahmed’s allegations in the case of PHP-IDS are inaccurate.

Heiderich has also criticized the research paper in general, arguing that it often describes absurd attack scenarios without providing numbers, statistics and provable facts.

“What is true is that some WAFs were nicely and cleanly bypassed using interesting element-event combinations and others by avoiding indicator strings such as ‘alert()’,” Heiderich said via email. “But it is further true that, if the web application protected by the WAF makes dramatic and unlikely changes to the user input between the WAF having checked it and the data being used, then the resulting detection flaws are very likely. That, however, is not new, nor does this fact constitute a bypass; it is rather a weakness by design that almost every WAF is plagued with.”

Responding to criticism, Ahmed pointed out that his goal was to show that WAFs can be bypassed and that the best way to defend against attacks is by fixing the vulnerability in the first place.

“Using web-application firewalls will not protect from attacks and breaches, but it may force attackers to spend additional time in the exploitation process,” he said.
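The three points the two researchers make above, signature evasion through unlisted element-event pairs, evasion by avoiding an indicator string such as ‘alert(’, and the design weakness of an application that changes the input after the WAF has inspected it, can be shown with a toy filter. The following is an added illustration written for this article; it is not code from Ahmed’s paper or from any of the vendors named, and the rule set, the payloads and the application’s NUL-stripping behaviour are all constructed assumptions for the example. The last function shows the fix Ahmed recommends, encoding at the point where the value is written into the page, which makes the WAF verdict irrelevant.

```javascript
// Added example (not code from Mazin Ahmed's paper or from any vendor named in
// the article). A toy signature-based XSS filter, the two evasion classes
// Heiderich describes, the "application changes the input after the WAF saw
// it" weakness, and the fix at the sink that Ahmed recommends.

// Toy rule set, invented for this example; it does not reproduce any vendor's
// signatures. Each rule is named so the verdict says which signature fired.
const TOY_RULES = [
  ["script_tag", /<script\b/i],
  ["event_handler", /\bon(load|error|click|mouseover)\s*=/i],
  ["js_uri", /javascript\s*:/i],
  ["indicator_alert", /alert\s*\(/i],
];

// Returns the name of the first rule that matches, or null when the request
// would be let through.
function toyWafVerdict(input) {
  for (const [name, re] of TOY_RULES) {
    if (re.test(input)) return name;
  }
  return null;
}

// Hypothetical application behaviour (an assumption for this example): strip
// NUL bytes from the parameter after the WAF has inspected the raw request.
// The WAF and the application therefore reason about two different strings.
function appNormalize(input) {
  return input.replace(/\u0000/g, "");
}

// The fix at the source: encode for the HTML text context in which the value
// is rendered, so no payload can change the markup regardless of what the
// WAF did or did not catch.
function encodeForHtml(s) {
  const map = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
  };
  return s.replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Payloads constructed for this example.
const PAYLOADS = {
  // The textbook probe the rules were written against.
  textbook: '<script>alert(1)</script>',
  // A common handler on a common element: caught by the event_handler rule.
  knownHandler: '<img src=x onerror=alert(1)>',
  // An element/event pair the rule list does not know about: only the
  // literal "alert(" still gives it away.
  unlistedEvent: '<details open ontoggle=alert(1)>',
  // Same pair, with the indicator string assembled at run time: nothing fires.
  unlistedEventNoIndicator: '<details open ontoggle=self["al"+"ert"](1)>',
  // Inert to the WAF as sent; becomes a script tag once the application
  // drops the NUL bytes.
  nulSplit: '<scr\u0000ipt>confirm(1)</scr\u0000ipt>',
};

// Runs every payload through the filter as sent, again after the application's
// own normalisation, and finally through output encoding.
function demo() {
  const rows = {};
  for (const [name, p] of Object.entries(PAYLOADS)) {
    rows[name] = {
      wafVerdict: toyWafVerdict(p),
      verdictAfterApp: toyWafVerdict(appNormalize(p)),
      encoded: encodeForHtml(appNormalize(p)),
    };
  }
  return rows;
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the block shows the textbook probe and the `onerror` payload being caught, the `ontoggle` payload getting past the handler rule but tripping on ‘alert(’, the run-time-assembled ‘alert’ passing cleanly, and the NUL-split string passing the WAF while turning into a plain `<script>` tag after the application’s own normalisation. Every one of them comes out of `encodeForHtml` without a single `<`, `>`, `"` or `'`, which is why fixing the sink, not the filter, is the durable remedy.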

*Updated with statement from AQTRONIX

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
