web application firewall bypass with a XSS attack
In the following demo video, Sandro Gauci of EnableSecurity shows how an attacker can switch off dotDefender in order to bypass any “protection” offered by the WAF. Such attack is possible By exploiting a cross-site scripting vulnerability in the log viewer facility of the dotDefender admin interface. Watch the video below for a more in depth explanation of the attack. From the below video one can also learn and understand the importance of having secure web applications, especially if they are to be accessed by trusted administrators. As we’ve seen, while the administrator is doing his job (checking out the log files) a vulnerability is exploited and without knowing, he opens the doors for hackers!
The full advisory is available from the following URL;http://resources.enablesecurity.com/advisories/ES-20100601-dotdefender4.txt
[...] info and video demo: http://www.acunetix.com Tags: checking-out, doors, dotdefender, from-the-below, having-secure, sandro-gauci, [...]
Great video and another good bit of information from Acunetix. I use your web scanner and recommend it to all my customers and also run tests on any websites that I build. Thanks and keep up the great work
[...] web application firewall bypass with a XSS attack – acunetix.com In the following demo video, Sandro Gauci of EnableSecurity shows how an attacker can switch off dotDefender in order to bypass any “protection” offered by the WAF. [...]
[...] web application firewall bypass with a XSS attack – acunetix.com Video-Demonstration zur Aushebelung von dotDefender….. [...]
Another case of developers (in this case at the web app firewall vendor) not encoding output to the screen. They trusted the input and spit it back out. XSS is an old attack and easy to thwart.
This goes to show that even security-conscious folks don’t yet have a complete grasp of the size of the battlefield. Encode EVERY output. Anything that goes to screen, log files, event logs, whatever. You don’t know how they will be used. There are lots of log file readers that display the data to the screen. Encode it first.
Great video, nice job showing how it works and getting people in the loop about the issue. I hope we will see more of this and more professional developers will shore up their code!