Monday, December 27, 2010

Profense Web Application Firewall and Load Balancer multiple vulnerabilities

Advisory

Joint Trustwave's SpiderLabs Security Advisory TWSL2009-001 and
EnableSecurity Advisory ES-20090500: Profense Web Application Firewall
and Load Balancer multiple vulnerabilities
Published: 2009-05-19 Version: 1.0


https://www.trustwave.com/spiderlabs/advisories/TWSL2009-001.txt




Analysis


We noted that researchers from Trustwave and EnableSecurity were able to bypass the protection of
Profense Web Application Firewall.
The following words caught our attention:
  1. "Inserting extra characters in the JavaScript close tag" </script ByPass>)
  2. "pattern matching in multi line mode matches any non-hostile line and marks the whole request as legitimate. by making use of a URL-encoded new line character" (Logic Flaw)
Sample exploits that bypass the defense:


xss.php?var=abcdef%3Cembed%3Eaaaaaaa%3Cscript%3Ealert(document.cookie)%3C/script%20ByPass%3E
xss.php?var=%3CEvil%20script%20goes%20here%3E=%0AByPass
 
 
Check
  
It's necessary to test web application firewalls with various payloads by transforming existing known attack vectors into various encoding formats and forms.
It's not enough to try payloads straightly from available XSS Cheatsheets:
- http://ha.ckers.org/xss.html#XSS_Extraneous open brackets
- http://ha.ckers.org/xss.html#XSS_Embeded_newline
 


 

No comments:

Post a Comment