Comments on: VIDEO: web application firewall bypass with a XSS attack http://www.acunetix.com/blog/news/web-application-firewall-bypass-xss-attack/ Acunetix Web Application Security Blog Fri, 10 Feb 2012 07:58:15 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Greg Howe http://www.acunetix.com/blog/news/web-application-firewall-bypass-xss-attack/#comment-6013 Greg Howe Wed, 09 Jun 2010 14:58:06 +0000 http://www.acunetix.com/blog/?p=1596#comment-6013 Another case of developers (in this case at the web app firewall vendor) not encoding output to the screen. They trusted the input and spit it back out. XSS is an old attack and easy to thwart. This goes to show that even security-conscious folks don't yet have a complete grasp of the size of the battlefield. Encode EVERY output. Anything that goes to screen, log files, event logs, whatever. You don't know how they will be used. There are lots of log file readers that display the data to the screen. Encode it first. Great video, nice job showing how it works and getting people in the loop about the issue. I hope we will see more of this and more professional developers will shore up their code! Another case of developers (in this case at the web app firewall vendor) not encoding output to the screen. They trusted the input and spit it back out. XSS is an old attack and easy to thwart.

This goes to show that even security-conscious folks don’t yet have a complete grasp of the size of the battlefield. Encode EVERY output. Anything that goes to screen, log files, event logs, whatever. You don’t know how they will be used. There are lots of log file readers that display the data to the screen. Encode it first.

Great video, nice job showing how it works and getting people in the loop about the issue. I hope we will see more of this and more professional developers will shore up their code!

]]> By: ………..und der Admin hyperventilierte » Blog Archive » Die besten, interessantesten, wichtigsten und unterhaltsamsten Artikel aus der Security-Branche. http://www.acunetix.com/blog/news/web-application-firewall-bypass-xss-attack/#comment-5997 ………..und der Admin hyperventilierte » Blog Archive » Die besten, interessantesten, wichtigsten und unterhaltsamsten Artikel aus der Security-Branche. Mon, 07 Jun 2010 15:53:38 +0000 http://www.acunetix.com/blog/?p=1596#comment-5997 [...] web application firewall bypass with a XSS attack – acunetix.com Video-Demonstration zur Aushebelung von dotDefender….. [...] [...] web application firewall bypass with a XSS attack – acunetix.com Video-Demonstration zur Aushebelung von dotDefender….. [...]

]]> By: Week 22 in Review – 2010 | Infosec Events http://www.acunetix.com/blog/news/web-application-firewall-bypass-xss-attack/#comment-5996 Week 22 in Review – 2010 | Infosec Events Mon, 07 Jun 2010 06:50:38 +0000 http://www.acunetix.com/blog/?p=1596#comment-5996 [...] web application firewall bypass with a XSS attack – acunetix.com In the following demo video, Sandro Gauci of EnableSecurity shows how an attacker can switch off dotDefender in order to bypass any “protection” offered by the WAF.   [...] [...] web application firewall bypass with a XSS attack – acunetix.com In the following demo video, Sandro Gauci of EnableSecurity shows how an attacker can switch off dotDefender in order to bypass any “protection” offered by the WAF.   [...]

]]> By: Paul http://www.acunetix.com/blog/news/web-application-firewall-bypass-xss-attack/#comment-5987 Paul Wed, 02 Jun 2010 10:52:17 +0000 http://www.acunetix.com/blog/?p=1596#comment-5987 Great video and another good bit of information from Acunetix. I use your web scanner and recommend it to all my customers and also run tests on any websites that I build. Thanks and keep up the great work :) Great video and another good bit of information from Acunetix. I use your web scanner and recommend it to all my customers and also run tests on any websites that I build. Thanks and keep up the great work :)

]]> By: Web application firewall bypass with a XSS attack | SkemTech Blog http://www.acunetix.com/blog/news/web-application-firewall-bypass-xss-attack/#comment-5981 Web application firewall bypass with a XSS attack | SkemTech Blog Tue, 01 Jun 2010 19:20:35 +0000 http://www.acunetix.com/blog/?p=1596#comment-5981 [...] info and video demo: http://www.acunetix.com Tags: checking-out, doors, dotdefender, from-the-below, having-secure, sandro-gauci, [...] [...] info and video demo: http://www.acunetix.com Tags: checking-out, doors, dotdefender, from-the-below, having-secure, sandro-gauci, [...]

]]>