You are here

XSS Filter Test - "Evading All Web-Application Firewall XSS Filters"

xss, deny rule, filter

We have recently studied the results of the research paper "Evading All Web-Application Firewalls XSS Filters" [1] from Mazin Ahmed, an Information Security Specialist and Penetration Tester.

According to the paper, the XSS filter of eight reviewed WAF products could be bypassed using different obfuscation and filter evasion methods. Most products were affected by two or more bypassing techniques.

We are happy to announce that Airlock WAF 5.3 blocks all relevant1 test strings (about 12) including substring variants. Blocking the test strings does not even require enabling the strongest filter sets. Setting Airlock WAF's filter security to level "Standard" is sufficient.

The filtering in Airlock WAF consists of a multi-layered rule engine based on context-sensitive rules. These rules cover generic attack vectors and therefore provide very strong security while ensuring a minimal false positive rate. This allows protection against both known and unknown attacks.

Foot notes
1) One test string is not blocked. However, we assess the probability of successfully exploiting the corresponding attack vector as very low. The attack requires IE6/IE7 browsers in combination with applications making uncommon or missing declaration of the content-type. In addition, attackers must be able to control the first bytes of the response. Blocking access for ancient, unsupported browsers is a recommended security measure and worthwhile in any event.

Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
No action required