At Black Hat 2009 I had the honor of personally meeting @sirdarckcat (Eduardo Vela, leader of Google Project Zero), who gave a presentation titled "Our favorite XSS filters and how to attack them". In his presentation he managed to bypass every single popular Web Application Firewall on the market at that time, and he said it had been a piece of cake.
The conclusion of his talk was that all Web Application Firewalls (WAFs) were practically useless at that time because of the tremendous ease with which they could be bypassed.
Now, more than ten years later, I decided to evaluate the security of many popular WAFs to see how they have evolved and how robust they have become over time. The conclusion is that most of them are still extremely vulnerable. They are very easy to bypass, so the degree of protection they offer is very low; I broke each WAF in around 5 minutes.
I decided to publish the bypasses because it is actually funny how bad these filters are.
The WAFs that I tested are:
- Amazon Web Services WAF
- Cisco Secure WAF
- Cloudflare Web Application Firewall
- Citrix NetScaler
- F5 BIG-IP Advanced WAF
- Fortinet's FortiWeb WAF
- Akamai Web Application Firewall
- Sophos Firewall
- Incapsula Imperva
- Broadcom