50 Shades of WAF - Exemplified at Barracuda & Sucuri

Presented at DeepSec 2015 „DeepSec No. 9“, Nov. 19, 2015, 4:50 p.m. (50 minutes).

This talk will present 50 (25*2) bypasses of the default signatures in Barracuda's and Sucuri's WAFs that deal with Cross-Site Scripting (XSS). 150,000 organizations worldwide, including Fortune 1000 companies, use Barracuda, while around 10,000 web applications sit behind Sucuri's cloud-based WAF. The XSS bypasses presented in this talk are also applicable to other WAFs. All bypasses were responsibly reported to the vendors and most of them have been fixed. Further, we will show XSS in Barracuda's admin interface and in their web application. Finally, we will present one unfixed bypass of Barracuda and Sucuri and see how quickly the vendors react to fix it, given that it leaves thousands of sites vulnerable.


Presenters:

  • Ashar Javed - Hyundai AutoEver Europe GmbH
    Ashar Javed is a web security researcher and pentester. His PhD thesis (under submission) at Ruhr University Bochum, Germany, is about Cross-Site Scripting. He has been listed 11 times in Google's Security Hall of Fame, on the Twitter/Microsoft/eBay/Adobe/Etsy/AT&T security pages and in Facebook's White Hat program. He has spoken at major security events such as Black Hat, Hack in the Box, OWASP Spain, RSA Europe (OWASP Seminar), the SAP product security conference, ISACA Ireland and DeepSec.
