Bypasses for the most popular WAFs

At Black Hat 2009 I had the honor of personally meeting @sirdarckcat (Eduardo Vela, leader of Google Project Zero), who gave a presentation titled “Our favorite XSS filters and how to attack them”. In his presentation he managed to bypass every single popular Web Application Firewall on the market at that time, and he said it was a piece of cake.

My conclusion from his talk was that all Web Application Firewalls (WAFs) were practically useless at that time due to the tremendous ease with which they could be bypassed.

Now, more than ten years later, I decided to evaluate the security of many popular WAFs to see how they have evolved and how robust they have become over time. The conclusion is that most of them are still extremely vulnerable to very lethal attacks. They are very easy to bypass, so the degree of protection they offer is very low; I broke each WAF in around 1 minute.

I decided to publish the bypasses because it is actually funny how bad these filters are.

The WAFs that I tested are:

  • Amazon Web Services WAF
  • Cisco Secure WAF
  • Cloudflare Web Application Firewall
  • Citrix Netscaler
  • F5 BIG-IP Advanced WAF
  • Fortinet’s Fortiweb WAF
  • Akamai Web Application Firewall
  • Sophos Firewall
  • Incapsula Imperva
  • Broadcom
  • Radware
