Bad news: your web firewall may not be as resilient as you thought
techradar.com
- Ethiack recently tested 17 different WAF configurations from major vendors
- As the complexity of the payloads increased, the success rate of bypassing WAFs rose dramatically
- Even the most sophisticated WAFs could be defeated with relatively simple payloads
Web Application Firewalls (WAF) are not as resilient as organizations were led to assume, and can often be bypassed to inject malicious JavaScript code, experts have warned.
Security researchers Ethiack recently tested 17 different WAF configurations from major vendors to see how successful they are at blocking malicious payloads.
The in-depth report centered on a real-world penetration test against ASP.NET applications protected by a highly restrictive WAF. However, despite the firewall’s configuration, the researchers discovered they could abuse cross-site scripting (XSS) vulnerabilities through a technique called HTTP parameter pollution.
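The parameter-pollution point above rests on a mismatch: a WAF that inspects each query value on its own sees something different from what the application receives, because ASP.NET returns repeated parameters as a single comma-joined string. The following added example (not from the Ethiack report or TechRadar) is a defender-side check that flags repeated parameter names and evaluates a signature on the merged value the backend will actually see; the sample queries and the signature are constructed for illustration.

```python
import re
from collections import OrderedDict
from urllib.parse import parse_qsl

# Constructed signature: a tag opener and an event-handler attribute in the same value.
# Deliberately simple; real WAF rule sets are far more elaborate.
TAG_AND_HANDLER = re.compile(r"<\s*\w+.*\bon\w+\s*=", re.IGNORECASE | re.DOTALL)


def group_params(query: str) -> "OrderedDict[str, list[str]]":
    """Group decoded values by parameter name, preserving first-appearance order."""
    grouped: "OrderedDict[str, list[str]]" = OrderedDict()
    for name, value in parse_qsl(query, keep_blank_values=True):
        grouped.setdefault(name, []).append(value)
    return grouped


def aspnet_merge(values: list[str]) -> str:
    """ASP.NET's Request.QueryString[name] joins repeated values with ','."""
    return ",".join(values)


def inspect(query: str) -> dict:
    """Report repeated names (an HPP indicator) and whether the signature fires
    per value (what a naive per-parameter check sees) versus on the merged
    value (what the ASP.NET application sees)."""
    grouped = group_params(query)
    duplicates = [name for name, values in grouped.items() if len(values) > 1]
    per_value_hit = any(
        TAG_AND_HANDLER.search(v) for values in grouped.values() for v in values
    )
    merged = {name: aspnet_merge(values) for name, values in grouped.items()}
    merged_hit = any(TAG_AND_HANDLER.search(v) for v in merged.values())
    return {
        "duplicates": duplicates,
        "per_value_hit": per_value_hit,
        "merged_hit": merged_hit,
        "merged": merged,
    }


# Constructed sample queries (not taken from the report).
SAMPLE_QUERIES = {
    "benign": "q=hello&page=2",
    "repeated_benign": "tag=a&tag=b",
    "split": "q=%3Cimg&q=onerror%3Dx",
}

if __name__ == "__main__":
    for label, query in SAMPLE_QUERIES.items():
        print(label, inspect(query))
```

A practical mitigation this illustrates: either reject requests with repeated parameter names where the application does not expect them, or normalise parameters the same way the backend does before running inspection rules.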


Copyright of this story solely belongs to techradar.com.