November 07, 2013

Incapsula Pen-Test – Part Deux!

In 2013, we have been fortunate enough to receive a lot of positive attention for the Incapsula product line. In addition to the major news coverage garnered by stopping one of the internet’s largest unamplified DDoS attacks, and being ranked by TopTenReviews as the #1 DDoS mitigation service in a head-to-head bake-off against 9 of our competitors, Incapsula has recently passed a 3rd-party pen test with flying colors.

Last week, a new and comprehensive WAF pentest was published, comparing Incapsula’s WAF to CloudFlare’s new Rule-based WAF. The analysis can be downloaded here.

The test was carried out by Zero Science Lab, who also conducted the previous penetration test comparison back in February this year. Zero Science Lab decided to run a “Round 2” penetration test after CloudFlare announced the launch of its new Rule-based WAF in August.

Excerpts from Zero Science Lab’s Conclusion:

“From the results tables, we can see that Incapsula's WAF continues to have an advantage over CloudFlare's WAF. We should also mention that only Incapsula's WAF is PCI-Certified, which is an advantage for certain types of online businesses.

While CloudFlare's new WAF solution showed substantial improvement since the first penetration test, it still does not provide the comprehensive level of security against certain types of web application attacks (e.g., SQL injection, Remote File Inclusion) that many online businesses today require.

We noticed the high block ratio of XSS attacks, but from all the types of attacks, the main focus was on Cross-Site Scripting. The SQL Injection, Local and Remote File Inclusion, and Remote Code/Command Execution attacks had a very low detection rate by the CloudFlare WAF.

Incapsula, on the other hand, has shown consistent security performance in both tests, with a high block ratio and few false-positives.”

It was also great to see that the Incapsula fingerprinting engine triumphed:

“What’s also important to note is that Incapsula can recognize an ongoing attack and block the attacker's session. We specifically noticed this during the test using automated tools such as ZAP and Burp. Their blocking mechanism seems to be based on recognizing the fingerprint of the tool being used, so even if you try to trick it by changing the default User-Agent or manipulating other header fields, the WAF will still block your session. We didn't notice such a mechanism on CloudFlare's WAF. CloudFlare blocks a session only if an attacker tries to manipulate and send invalid headers.”

Our Followup

We have worked through the findings of this report and patched the gaps exposed by the test vectors that originally got through. The Incapsula cloud WAF now stops all of the vectors specified.
