Profense Web Application Firewall and Load Balancer multiple vulnerabilities
Advisory
Joint Trustwave SpiderLabs Security Advisory TWSL2009-001 and EnableSecurity Advisory ES-20090500: Profense Web Application Firewall and Load Balancer multiple vulnerabilities
Published: 2009-05-19 Version: 1.0
https://www.trustwave.com/spiderlabs/advisories/TWSL2009-001.txt
Analysis
We noted that researchers from Trustwave and EnableSecurity were able to bypass the protections of the Profense Web Application Firewall.
The following passages from the advisory caught our attention:
Sample exploits that bypass the defense:
- "Inserting extra characters in the JavaScript close tag" (</script ByPass>)
- "pattern matching in multi line mode matches any non-hostile line and marks the whole request as legitimate. by making use of a URL-encoded new line character" (Logic Flaw)
Sample requests quoted in the advisory:
xss.php?var=abcdef%3Cembed%3Eaaaaaaa%3Cscript%3Ealert(document.cookie)%3C/script%20ByPass%3E
xss.php?var=%3CEvil%20script%20goes%20here%3E=%0AByPass
Check
Web application firewalls need to be tested with a range of payloads: take known attack vectors and transform them into different encodings and forms (extra characters inside tags, URL-encoded control characters, and so on), because a filter that matches one literal form of a vector may miss its variants.
It is not enough to try payloads verbatim from the available XSS cheat sheets, for example:
- http://ha.ckers.org/xss.html#XSS_Extraneous open brackets
- http://ha.ckers.org/xss.html#XSS_Embeded_newline
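To make the two advisory findings concrete, the following added example (not from the advisory, and not Profense's rule set) models a hypothetical filter with the two flaws described, literal matching of the </script> close tag and a per-line whitelist evaluated in multi-line mode, runs the advisory's two sample requests through it, and shows the hardened counterpart that decodes the value once and judges it as a whole. The regexes and the benign sample are assumptions constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed samples: the two request strings quoted in the advisory plus a benign one.
SAMPLES = {
    "benign":    "xss.php?var=hello%20world",
    "close_tag": "xss.php?var=abcdef%3Cembed%3Eaaaaaaa%3Cscript%3Ealert(document.cookie)%3C/script%20ByPass%3E",
    "newline":   "xss.php?var=%3CEvil%20script%20goes%20here%3E=%0AByPass",
}

def param_values(url):
    """Percent-decode every query value once, the way the backend will see it."""
    return [v for _, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)]

# --- Hypothetical weak rules modelling the advisory's two flaws (assumed, not Profense's) ---
# Flaw 1: the signature insists on a literal "</script>" close tag, so
# "</script ByPass>" is never seen as a close tag.
SIG_WEAK = re.compile(r"<script>.*?</script>", re.I | re.S)
# Flaw 2: the "looks like plain text" check runs per line (re.M) with search(),
# so one harmless line after a %0A vouches for the whole value.
SAFE_WEAK = re.compile(r"^[\w .=-]*$", re.M)

def weak_filter_allows(url):
    for v in param_values(url):
        if SAFE_WEAK.search(v):
            continue                      # any single clean line whitelists the value
        if SIG_WEAK.search(v):
            return False
    return True

# --- Hardened rules ---
# Match the tag name only; a close tag may carry junk before its '>'.
SIG_FIXED = re.compile(r"</?\s*script\b", re.I)
# No MULTILINE; fullmatch() makes the *entire* decoded value pass as plain text,
# so an embedded newline cannot split it into a judged and an unjudged part.
SAFE_FIXED = re.compile(r"[\w .=-]*")

def fixed_filter_allows(url):
    """Default-deny: every decoded value must be plain text as a whole."""
    return all(SAFE_FIXED.fullmatch(v) for v in param_values(url))

def close_tag_signature(value):
    """Return (weak_hit, fixed_hit) for the script-tag signature on one value."""
    return bool(SIG_WEAK.search(value)), bool(SIG_FIXED.search(value))

if __name__ == "__main__":
    for name, url in SAMPLES.items():
        print(f"{name:10} weak={weak_filter_allows(url)!s:5} fixed={fixed_filter_allows(url)}")
```

Running it shows both advisory samples passing the weak filter and being rejected by the hardened one, while the benign request passes both.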