Blog|Login|中文Deutsche日本語
October 04, 2013
 Score sheet: Testing Some XSS Evasion Techniques Against Our WAF
Pin It

IStock_000016474569SmallA couple of months ago ModSecurity (SpiderLabs) issued an “XSS Evasion Challenge” where they actively asked security experts and hackers to try and bypass their own XSS filters. This is a blessed initiative by a security company, to go and find loopholes in their engines in order to improve on their security posture.

The exercise included two main challenges:

  • Evading the ModSecurity WAF regex (CRS)
  • Evading client side protection “sandbox”

Per the challenge results, ModSecurity filters were updated to add the logic that is required to block these evasion techniques.

With security in mind, we were interested in checking the evasion techniques against our SecureSphere WAF its default configuration. Here are the results:

Evasion Technique #1: - “Nul Bytes” – Blocked out of the box.

Xss1

Evasion Technique #2: Sandbox Evasion (MentalJS) – Blocked out of the box.

Xss2

Bottom line – We were able to block both evasion techniques out of the box. Our customers are protected.

We also agree with SpiderLabs’s conclusions:

  • Blacklisting attacks with signatures is not enough. We agree. Part of the reason that IPS/NGFW and manually configured WAF solutions don’t solve web application attacks is that they rely on blacklists.  Effective protection against application attacks requires a positive security model to understand how the application works. See our Blog on “What the IPS Didn’t See”.
  • SpiderLabs say that Regular Expression matching (Signatures) is not enough. We agree. Imperva’s Technology does not rely on RegExp matching alone, but also incorporates smart engines that are able to understand the attack’s logic.

 

 


Comments

Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

Comments are moderated, and will not appear until the author has approved them.

« Trend Watch – DDoS: “We Need a Bigger Boat” | Main | Threat Advisory: A vBulletin Exploit, Administrator Injection. »

Find Us Online
RSS Feed - Subscribe Twitter Facebook iTunes LinkedIn YouTube
Authors
Monthly Archives
Email Subscription
Sign up here to receive our blog: