
Cloud based WAF against cyber attacks?

Target: www.bhaskar.com
Alexa Global Rank: 427
Rank in India: 31
I deal with web application firewalls in my daily operations, and I have come to know several more on the market, each of which claims to be the best.
Every time we talk about web application firewalls, one basic question arises: can we completely offload all web-related risk onto a WAF?
Another question that arises in my mind is whether small and medium-sized businesses can afford an in-house WAF for all their applications. I think NOT, as it requires investment, continuous maintenance and continuous WAF operations, and moreover security awareness, which is mostly missing.
These factors have given rise to a new business model: the "Cloud Based WAF".
Why Cloud based WAF?
  • Easy to afford
  • Mitigate risks onto third party
  • Easy to maintain
  • Compliance & Governance

[Image: Sucuri website firewall signup page (sucuri_waf.png)]
Source: https://sucuri.net/website-firewall/signup
Hmm... sounds very promising. With the money-back guarantee, $10 per month can be cheaper than a pizza :)
This could be the best weapon for small and medium-sized businesses in the fight against web-based attacks.

That is what one of the biggest Indian news organizations, "www.bhaskar.com", thought, and they offloaded their web-related risks onto a cloud-based WAF.
I was just randomly browsing the website for news when I thought of testing it against XSS. All I did was look for an input field, and I found a "Search Bar", which is very common on any news site. The next thing was to check whether this input field accepts malicious characters, so that I could perform an XSS, or in other words insert a script that could further exploit the site.
[Screenshot of the search bar test (screenshot2015-08-08at163132.png)]
As a result I noticed that the application was carefully handling all the input characters, encoding and sanitizing every malicious character I entered.
Being patient, I looked for another input parameter to exploit with an XSS. While crawling the page I realized that they have regional columns on sub-domains. After carefully analyzing the other sub-domains and their input fields, I came to http://divyamarathi.bhaskar.com/search/?q= and tested it with a malicious string, which landed me on a new page, as below:
[Screenshot: WAF block page (bhaskhar.png)]
Oops! I hit a WAF, and realized that this application is running behind the Sucuri WAF. I thought to myself that it would be difficult to bypass, as there is a WAF in front. So I wanted to test with some more benign inputs, just to check how the WAF would behave. I simply searched for "unharmful, which could get past the WAF while also letting me check where it landed in the page. The result was as follows:

[Screenshot: page source showing the reflected input (bhaskar_source.png)]
I can clearly see that my input has broken the context as well as bypassed the WAF. This clearly means the site is vulnerable to XSS, but as the service is behind the WAF, I assume they offloaded the risk onto the WAF. So now all I had to think of was a complex attack vector that could bypass the WAF and exploit the vulnerability in the site. But in order to check the behaviour of the WAF, I started with the simplest attack vector, which is onmouseover=alert(1), respecting the surrounding syntax of course, and the result was as follows:


[Screenshot: result of the onmouseover test (screenshot2015-07-16at195152.png)]
