
Cloud based WAF against cyber attacks?

Target : www.bhaskar.com
Alexa Global Rank : 427
Rank in India : 31
I deal with Web Application Firewalls in my daily operations, and I have got to know several more on the market, every one of which claims to be the best.
Every time we talk about web application firewalls, one basic question arises: can we completely mitigate all web-related risks onto a WAF?
Another question that arises in my mind is whether small and medium-sized businesses can afford an in-house WAF for all their applications. I think NOT, as it requires some investment, continuous maintenance and continuous WAF operations, and moreover an awareness of security, which is mostly missing.
These factors have given rise to a new business model: the "Cloud Based WAF".
Why Cloud based WAF?
  • Easy to afford
  • Mitigate risks onto third party
  • Easy to maintain
  • Compliance & Governance

[Image: sucuri_waf.png]
Source: https://sucuri.net/website-firewall/signup
Hmm... sounds very promising with the money-back guarantee; $10 per month can be cheaper than a pizza :)
This could be the best weapon for small and medium size businesses to fight against all the web based attacks.

That's what one of the biggest Indian news organizations, "www.bhaskar.com", thought, and they mitigated their web-related risks onto a cloud based WAF.
I was just randomly browsing the website for news when I suddenly thought of testing it against XSS. All I did was look for an input field, and I found a "Search Bar", which is very common on any news site. The next step was to check whether this input field accepts malicious characters, so that I could perform an XSS, or in other words insert a script that could further exploit the site.
[Image: screenshot2015-08-08at163132.png]
As a result I noticed that the application was carefully handling all the input characters, and hence encoded and sanitized every malicious character I entered.
Being patient, I looked for another input parameter to exploit with an XSS. While crawling the page I realized that they have regional columns on sub-domains. After carefully analyzing the other sub-domains and their input fields, I came to http://divyamarathi.bhaskar.com/search/?q= and tested it with a malicious string, which landed me on a new page as below:
[Image: bhaskhar.png]
Oops! I hit a WAF, and realized that this application is running behind the Sucuri WAF. I thought to myself that it would be difficult to bypass, as there is a WAF in front. So I wanted to test with some more benign inputs, just to check how the WAF would behave, and I simply searched for "unharmful, a string which could pass the WAF while also letting me check where it landed in the page. The result was as follows:

[Image: bhaskar_source.png]
I could clearly see that my input had broken the context as well as bypassed the WAF. This clearly means that the site is vulnerable to XSS, but as the service sits behind the WAF, I assumed that they had mitigated the risk onto the WAF. So all I had to think of now was a complex attack vector that could bypass the WAF as well as exploit the vulnerability in the site. But in order to check the behaviour of the WAF, I started with the simplest attack vector, onmouseover=alert(1), of course respecting the syntax, and the result was as follows:


[Image: screenshot2015-07-16at195152.png]
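As an added example (not the post's own code, and not bhaskar.com's), here is what the finding above means for the application itself: when a search term is reflected into an HTML attribute, the defence that actually holds is output encoding in the page, with the WAF only as a second layer. The sample query is constructed for the demonstration; the "vulnerable" renderer is the before form, the "hardened" one the after form, and a small parser check shows which of them keeps the term inside the attribute.

```python
import html
from html.parser import HTMLParser

# Constructed sample input in the shape the post describes: a leading double
# quote closes the value attribute, so what follows is parsed as new attributes.
SAMPLE_QUERY = '" onmouseover=alert(1) x="'


def render_search_vulnerable(q: str) -> str:
    """Before: the search term is concatenated straight into the attribute."""
    return '<input type="text" name="q" value="' + q + '">'


def render_search_hardened(q: str) -> str:
    """After: HTML-attribute encoding keeps the term inside the quoted value,
    whatever the WAF in front of the site did or did not block."""
    return '<input type="text" name="q" value="' + html.escape(q, quote=True) + '">'


class _AttrCollector(HTMLParser):
    """Records the attributes a browser-like parser sees on the <input> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def input_attributes(markup: str) -> dict:
    """Parse the rendered markup and return the <input> tag's attributes."""
    p = _AttrCollector()
    p.feed(markup)
    return p.attrs


def context_kept(markup: str, original_q: str) -> bool:
    """True only if the tag has exactly the three intended attributes and the
    value attribute round-trips to the original query (no attribute injected)."""
    attrs = input_attributes(markup)
    return set(attrs) == {"type", "name", "value"} and attrs.get("value") == original_q


if __name__ == "__main__":
    print("vulnerable:", input_attributes(render_search_vulnerable(SAMPLE_QUERY)))
    print("hardened:  ", input_attributes(render_search_hardened(SAMPLE_QUERY)))
```

The same check can be run over any other reflection point on a page (titles, hidden fields, links), since the parser reports what ends up in the tag rather than what the filter in front let through.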
