
Cloud based WAF against cyber attacks?

Target:
Alexa Global Rank: 427
Rank in India: 31
I deal with Web Application Firewalls in my daily operations and have got to know several more on the market, each of which claims to be the best.
Every time we talk about web application firewalls, one basic question arises: can we completely offload all web-related risks onto a WAF?
Another question that arises in my mind is whether small and medium-sized businesses can afford an in-house WAF for all their applications. I think not, as it requires investment, continuous maintenance and continuous WAF operations, and moreover security awareness, which is mostly missing.
These factors have given rise to a new business model: the "Cloud Based WAF".
Why Cloud based WAF?
  • Easy to afford
  • Mitigate risks onto third party
  • Easy to maintain
  • Compliance & Governance

Hmm... sounds very promising: with a money-back guarantee and $10 per month, it can be cheaper than a pizza :)
This could be the best weapon for small and medium-sized businesses to fight all web-based attacks.

That's what one of the biggest Indian news organizations, "", thought, and they offloaded their web-related risks onto a cloud-based WAF.
I was just randomly browsing the website for news when I suddenly thought of testing it against XSS. All I did was look for an input field, and I found the "Search Bar", which is common on any news site. The next step was to check whether this input field accepts malicious characters, so that I could perform an XSS, or in other words insert a script that could further exploit the site.
As a result I noticed that the application was carefully handling all the input characters, and hence encoded and sanitized all the malicious characters that I entered.
Being patient, I checked for another input parameter to exploit with an XSS. While crawling the page I realized that they have regional columns on sub-domains. After carefully analyzing the other sub-domains and their input fields, I came to one and tested it with a malicious string, which landed me on a new page as below:
Oops! I hit a WAF, and realized that this application is running behind Sucuri WAF. I thought to myself that it would be difficult to bypass, as there is a WAF in front. So I wanted to test with some more benign inputs, just to check how the WAF would behave, and I searched for "unharmful", which can bypass the WAF and also let me check where it landed in the page. The result was as follows:

I can clearly see that my input broke the context as well as bypassed the WAF. This clearly means that it is vulnerable to XSS, but as the service is behind the WAF, I assumed that they had offloaded the risk onto the WAF. So now all I had to think of was a complex attack vector that could bypass the WAF as well as exploit the vulnerability in the site. But in order to check the behaviour of the WAF, I started with the simplest attack vector, which is onmouseover=alert(1) (of course respecting the syntax), and the result was as follows:
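To make concrete what "broke the context" means for a search term reflected into a page, here is an added example (not code from the original post, and not from Sucuri or any other product named here). It models the situation above: a search field reflected into a double-quoted HTML attribute, once without encoding and once with attribute encoding, a small attribute tokenizer that checks whether an event-handler attribute really landed in the tag, and a hypothetical signature filter standing in for "a WAF in front". The field name `q`, the blocklist rules and the probe string are assumptions for illustration; they say nothing about how any real WAF's rules work.

```javascript
// Added example, not code from the original post or from any product it names.
// Models a search term reflected into an HTML attribute (vulnerable vs. hardened)
// and a toy signature filter standing in for a WAF. Every name, rule and input
// below is a constructed illustration.

// Hypothetical blocklist-style rules. Deliberately naive: they catch tag-based
// payloads but know nothing about attribute context. NOT Sucuri's rules.
const TOY_WAF_RULES = [/<\s*script/i, /javascript\s*:/i, /<\s*(img|svg|iframe)/i];

function toyWafBlocks(input) {
  return TOY_WAF_RULES.some((re) => re.test(input));
}

// Contextual encoding for a value placed inside a double-quoted HTML attribute.
function escapeHtmlAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable template: the search term is dropped straight into value="...".
function renderVulnerable(q) {
  return `<input type="text" name="q" value="${q}">`;
}

// Hardened template: same markup, but the term is attribute-encoded first.
function renderHardened(q) {
  return `<input type="text" name="q" value="${escapeHtmlAttr(q)}">`;
}

// Tokenise the attribute names of the first tag in `html` the way a lenient
// HTML parser would: a name, optionally followed by ="quoted", ='quoted' or an
// unquoted value running to whitespace or '>'. The result is what a browser
// would actually treat as attributes, which is the only thing that matters.
function tagAttributeNames(html) {
  const start = html.indexOf('<') + 1;
  const end = html.indexOf('>', start);
  const body = html.slice(start, end === -1 ? html.length : end);
  const re = /([^\s=\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/g;
  const names = [];
  let isTagName = true;
  let m;
  while ((m = re.exec(body)) !== null) {
    if (isTagName) { isTagName = false; continue; } // first token is the tag name
    names.push(m[1].toLowerCase());
  }
  return names;
}

// Event-handler attributes (on*) that the payload managed to inject into the tag.
function injectedHandlers(render, payload) {
  return tagAttributeNames(render(payload)).filter((n) => n.startsWith('on'));
}

// Constructed probe mirroring the onmouseover test in the post: close the
// value="" attribute, add a handler, then re-open a dummy attribute so the
// template's trailing quote still balances.
const PROBE = '" onmouseover=alert(1) x="';

// Summarise the two independent questions: did the filter pass it, and did the
// output context actually let it become an attribute?
function demo() {
  return {
    wafBlocksScriptTag: toyWafBlocks('<script>alert(1)</script>'),
    wafBlocksProbe: toyWafBlocks(PROBE),
    vulnerableHandlers: injectedHandlers(renderVulnerable, PROBE),
    hardenedHandlers: injectedHandlers(renderHardened, PROBE),
    hardenedMarkup: renderHardened(PROBE),
  };
}

console.log(demo());
```

Run it with `node`. The point of the tokenizer is that "the WAF let it through" and "the output still encodes it" are two separate checks: the toy filter passes the probe untouched, yet only the unencoded template turns it into a real `onmouseover` attribute, while the encoded one leaves `&quot;` inside the value and the tag keeps exactly its three original attributes. Offloading the risk to a filter in front does nothing about the missing output encoding in the page itself.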


