Web Application Firewalls (WAFs) are an excellent last line of defense. Based on what I see in my testing they’re great at blocking both automated scans and granular exploits like Cross-Site Scripting and SQL injection. I recommend WAFs to clients all the time. But…there’s more to the story.
Introduction On April 11th 2011, at nine in the evening, Barracuda Networks posted a grim entry on their blog. Their network had been hacked. Thousands of their confidential customer and employee records were stolen. In an ironic twist of fate, the company that advocates security through it’s own Web Application Firewall were victims to the […]
In the following demo video, Sandro Gauci of EnableSecurity shows how an attacker can switch off dotDefender in order to bypass any “protection” offered by the WAF. Such attack is possible By exploiting a cross-site scripting vulnerability in the log viewer facility of the dotDefender admin interface. Watch the video below for a more in […]
Unfortunately, security scans are frequently launched against a website or web application sitting behind a web application firewall, or some other kind of web security gateway device. A website audit performed for a website through a “man in the middle” device or software, will only give a false sense of security. First and most importantly of […]
In eval($WAF); whitepaper, L. Nothdurfter, W.Neudorfer and M. Kirchner from the University of Applied Sciences Upper Austria, explain in detail how they evaluated the capabilities of some leading WAF’s (web application firewalls), and concluded that although a WAF can raise the security level, secure development and operation of web applications should be of top priority. […]
As demonstrated during an OWASP Europe 2009 presentation, WAF’s (web application firewalls) also have vulnerabilities. Sandro Gauci (founder and CSO for EnableSecurity) and Wendel Henrique (member of SpiderLabs) showed how an attacker can easily identify and bypass several well known web application firewalls using XSS (Cross site scripting) attacks, the same types of exploits WAF’s […]
Unlike web application firewalls, Acunetix Web Vulnerability Scanner focuses on fixing web security problems, whether than preventing them from happening. Acunetix WVS helps in detecting cross site scripting, sql injections and other web vulnerabilities before the web application is exposed on the internet, during its development cycle. When implementing a web application firewall, only PCI […]