Evading All Web-Application Firewalls XSS Filters
During recent months, I was working on research that proves that all web-application firewalls do not protect against attacks as expected. The research focuses on evading the XSS filters of all popular Web-Application Firewalls, such as F5 Big IP, Imperva Incapsula, AQTRONIX WebKnight, PHP-IDS, Mod-Security, Sucuri, QuickDefense, Barracuda WAF, and they were all evaded within the research.
After evading the products, I have worked with vendors to patch all the discovered issues. The research should have been published in July 2015, but as a supporter of the responsible disclosure concept, I waited for companies to patch the bypasses and to get the final responses from them.
The research is meant for educational uses only, and should not be used in performing malicious actions. I am not responsible for any malicious actions that are done using the information in the research.
The research is ready to be shared with the public. You can find the links to download a copy of the paper below.