
Cloud based WAF against cyber attacks?

Target : www.bhaskar.com
Alexa Global Rank : 427
Rank in India : 31
I deal with Web Application Firewalls in my daily operations, and I have come to know of several more on the market, each of which claims to be the best.
Every time we talk about web application firewalls, one basic question arises: can we completely transfer all web-related risks onto a WAF?
Another question that comes to my mind: can small and medium-sized businesses afford an in-house WAF for all their applications? I think NOT, as it requires some investment, continuous maintenance and continuous WAF operations, as well as awareness about security, which is mostly missing.
These factors give rise to a new business model: the "Cloud Based WAF".
Why Cloud based WAF?
  • Easy to afford
  • Transfer risks to a third party
  • Easy to maintain
  • Compliance & Governance

[Image: sucuri_waf.png]
Source: https://sucuri.net/website-firewall/signup 
Hmm... Sounds very promising with the money-back guarantee; $10 per month can be cheaper than a pizza :)
This could be the best weapon for small and medium size businesses to fight against all the web based attacks.

That's what one of the biggest Indian news organizations, "www.bhaskar.com", thought, and they transferred their web-related risks to a cloud-based WAF.
I was just randomly browsing the website for news when I suddenly thought of testing it against XSS. All I did was look for an input field, and I found a "Search Bar", which is very common on any news site. The next thing was to check whether this input field accepts malicious characters, so that I could perform an XSS, or in other words insert a script that could further exploit the site.
[Image: screenshot2015-08-08at163132.png]
As a result, I noticed that the application was carefully taking care of all the input characters: it encoded and sanitized all the malicious characters that I had input.
Being patient, I checked for another input parameter to exploit with an XSS. While crawling the page, I realized that they have regional columns on sub-domains. After carefully analyzing the other sub-domains with input fields, I came to http://divyamarathi.bhaskar.com/search/?q= and tested it with a malicious string, which landed me on a new page, as below:
[Image: bhaskhar.png]
Oops! Hit a WAF. I realized that this application is running behind the Sucuri WAF. I thought to myself that it would be difficult to bypass, as there is a WAF in front. So I wanted to test with some more benign inputs, just to check how the WAF would behave, and I searched for "unharmful, which can bypass the WAF and also lets me check where it lands in the page. The result was as follows:

[Image: bhaskar_source.png]
I can clearly see that my input has broken the context as well as bypassed the WAF. This clearly means that it is vulnerable to XSS, but as the service is behind the WAF, I assumed that they had transferred the risk to the WAF. So now all I had to think of was a complex attack vector that can bypass the WAF as well as exploit the vulnerability in the site. But in order to check the behaviour of the WAF, I started with the simplest attack vector, which is onmouseover=alert(1), of course respecting the syntax, and the result was as follows:


[Image: screenshot2015-07-16at195152.png]
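
The context break described above is a property of how the page reflects `q`, so the fix sits in the application's output encoding rather than in the WAF rules. The following is an added example, not code from this post or from the site: the template, function names and extra probes are constructed assumptions, and the check verifies that a benign probe (including the post's quote-prefixed word) round-trips as the whole `value` attribute.

```python
import html
from html.parser import HTMLParser

# Constructed template for a search page; the real site's markup is not known.
TEMPLATE = '<form action="/search/"><input type="text" name="q" value="{q}"></form>'


def render_unencoded(query: str) -> str:
    """Reflects the query as-is: the behaviour the post observed (context break)."""
    return TEMPLATE.format(q=query)


def render_encoded(query: str) -> str:
    """Encodes for an HTML attribute context; quote=True also escapes " and '."""
    return TEMPLATE.format(q=html.escape(query, quote=True))


class _InputCollector(HTMLParser):
    """Collects the attributes of every <input> start tag as the parser sees them."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(attrs)


def stays_in_context(page: str, query: str) -> bool:
    """True if the query is the whole value of q and no attribute was added."""
    collector = _InputCollector()
    collector.feed(page)
    collector.close()
    expected = [("type", "text"), ("name", "q"), ("value", query)]
    return collector.inputs == [expected]


# Benign probes: the post's quote-prefixed word plus constructed variants.
PROBES = ['"unharmful', "plain words", "a'b", 'x" data-probe="1', "<b>bold</b>"]


def audit(render) -> dict:
    """Maps each probe to whether the renderer kept it inside the value attribute."""
    return {p: stays_in_context(render(p), p) for p in PROBES}


if __name__ == "__main__":
    for name, fn in (("unencoded", render_unencoded), ("encoded", render_encoded)):
        print(name, audit(fn))
```

Run as a regression test against each template that reflects user input, a check like this fails on the unencoded renderer whether or not a WAF sits in front of it.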
