- Ethiack recently tested 17 different WAF configurations from the main vendors
- As payload complexity increased, the WAF bypass success rate rose dramatically
- Even the most sophisticated WAFs could be defeated with relatively simple payloads
Web Application Firewalls (WAFs) are not as resilient as organizations have been led to assume; they can often be bypassed to inject malicious JavaScript code, experts have warned.
Ethiack security researchers recently tested 17 different WAF configurations from the main vendors to see how successfully they block malicious payloads.
The in-depth report focused on a real-world penetration test against ASP.NET applications protected by a highly restrictive WAF. Despite the firewall configuration, the researchers found that they could exploit cross-site scripting (XSS) vulnerabilities through a technique called HTTP parameter pollution.
Analyzing parameters in isolation
This method abuses how different web frameworks handle multiple parameters with the same name, often concatenating them, so that they can be manipulated to inject malicious JavaScript code.
Ethiack said that as payload complexity increased, the WAF bypass success rate rose dramatically. For simple injections the bypass rate was 17.6%, rising to more than 70% for advanced parameter pollution techniques.
Even machine-learning-based WAFs, which are designed to detect novel threats, were vulnerable to subtle parsing tricks and obfuscation, the researchers said. But Ethiack's most surprising finding was that even the most sophisticated WAFs could be defeated with relatively simple payloads.
The problem with WAFs seems to be that they analyze parameters in isolation, relying largely on pattern matching.
As a result, they are blind to the nuanced ways in which web applications parse and interpret input. For example, ASP.NET concatenates duplicate parameters with commas, and JavaScript treats comma-separated expressions as valid executable code.
By crafting payloads that split the malicious code across multiple parameters, the researchers could evade detection and execute JavaScript in the browser.
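The mismatch described above, between what an inspection layer sees per parameter and what the backend actually receives after duplicate parameters are merged, is easiest to appreciate in code. The following Python is an added example, not code from the article or from Ethiack: it groups duplicated query-string names, reconstructs the effective value under an ASP.NET-style comma join (plus assumed "last occurrence wins" and "first occurrence wins" policies used by other frameworks), flags duplicates as an audit finding, and shows that a strict allowlist applied per fragment can pass while the same allowlist applied to the merged value fails. The sample query strings and the allowlist rules are constructed for the example.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample query strings (not taken from the report). The duplicated
# "msg" name in the second and third is the shape HTTP parameter pollution relies on.
SAMPLE_QUERIES = [
    "msg=hello&page=1",
    "msg=hello&msg=world&page=1",
    "msg=a&msg=b&msg=c",
]

# Merge semantics per framework family. The comma join is ASP.NET's behaviour as
# described in the article; "last" and "first" are assumed policies for frameworks
# that keep a single occurrence. Treat the policy names as hypothetical labels.
MERGE_POLICIES = {
    "aspnet": lambda values: ",".join(values),
    "last": lambda values: values[-1],
    "first": lambda values: values[0],
}

# Constructed allowlist: what the application claims to accept for each parameter.
ALLOWLIST = {
    "msg": re.compile(r"[A-Za-z0-9 ]{1,20}"),
    "page": re.compile(r"\d{1,4}"),
}


def group_params(query):
    """Group every occurrence of each parameter name, preserving order."""
    groups = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        groups.setdefault(name, []).append(value)
    return groups


def effective_values(query, policy="aspnet"):
    """Return the value the backend will see for each name under the given merge policy."""
    merge = MERGE_POLICIES[policy]
    return {name: merge(vals) for name, vals in group_params(query).items()}


def audit_query(query, policy="aspnet", allow_duplicates=()):
    """Flag duplicated names (unless expected, e.g. multi-select fields) together
    with the merged value, so a reviewer inspects what the backend receives."""
    findings = []
    for name, vals in group_params(query).items():
        if len(vals) > 1 and name not in allow_duplicates:
            findings.append({
                "param": name,
                "occurrences": len(vals),
                "backend_sees": MERGE_POLICIES[policy](vals),
            })
    return findings


def validate_per_fragment(query, rules):
    """The isolated view: every individual occurrence is checked on its own.
    Names without a rule are ignored here to keep the example short."""
    return all(
        rules[name].fullmatch(value) is not None
        for name, value in parse_qsl(query, keep_blank_values=True)
        if name in rules
    )


def validate_effective(query, rules, policy="aspnet"):
    """The backend view: the merged value is checked against the same rules."""
    return all(
        rules[name].fullmatch(value) is not None
        for name, value in effective_values(query, policy).items()
        if name in rules
    )


if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(q)
        print("  findings:", audit_query(q))
        print("  per-fragment ok:", validate_per_fragment(q, ALLOWLIST),
              "| merged ok:", validate_effective(q, ALLOWLIST))
```

The practical takeaway for a defender is in the last two functions: the same allowlist accepts "hello" and "world" individually but rejects "hello,world", so input validation and WAF rules should be evaluated against the value the framework will actually hand to the application, and requests that repeat a parameter the application never expects to see repeated can simply be rejected.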
“This finding highlighted a critical vulnerability in basic security strategies: organizations can invest in expensive WAF technologies while remaining vulnerable to attacks that exploit basic implementation gaps or configuration oversights,” the researchers concluded.
“This is a reminder that WAFs should not be used as a solution for the root problems of insecure code.”