A couple of months ago ModSecurity (SpiderLabs) issued an “XSS Evasion Challenge” where they actively asked security experts and hackers to try and bypass their own XSS filters. This is a blessed initiative by a security company, to go and find loopholes in their engines in order to improve on their security posture.
The exercise included two main challenges:
- Evading the ModSecurity WAF regex (CRS)
- Evading client side protection “sandbox”
Per the challenge results, ModSecurity filters were updated to add the logic that is required to block these evasion techniques.
With security in mind, we were interested in checking the evasion techniques against Imperva WAF its default configuration. Imperva blocked both evasion techniques out of the box. Our customers are protected.
We also agree with SpiderLabs’s conclusions:
- Blacklisting attacks with signatures is not enough. We agree. Part of the reason that IPS/NGFW and manually configured WAF solutions don’t solve web application attacks is that they rely on blacklists. Effective protection against application attacks requires a positive security model to understand how the application works. See our Blog on “What the IPS Didn’t See”.
- SpiderLabs say that Regular Expression matching (Signatures) is not enough. We agree. Imperva does not rely on RegExp matching alone, but also incorporates smart engines that are able to understand the attack’s logic.
Try Imperva for Free
Protect your business for 30 days on Imperva.