Sucuri WAF XSS Filter Bypass

Introduction

Sucuri Cloud Proxy is a well-known WAF that protects against DoS, SQL injection and XSS attacks and detects and blocks malware. It acts as a reverse proxy: all traffic destined for an application behind the Sucuri WAF is first routed through Sucuri's network, which checks each request against its signature database. A request judged legitimate is forwarded to the application; otherwise it is blocked.

Because Sucuri's Cloud Proxy relies on blacklist-based protection against application-layer attacks, it caught my interest. It has been proven time and again that blacklisting is insufficient for blocking application-layer attacks, in particular cross-site scripting: there are countless ways JavaScript can be encoded or represented to slip past the protection, so it is very difficult to build a filter that blocks every combination while producing a minimum of false positives. ModSecurity is an example: it has a strong XSS filter, but it generates a lot of false positives and frequently blocks normal, harmless text.

Example #1

As you can see, a completely harmless piece of text triggers an alert, because the regular expression matches anything before and after a "src" attribute.

Example #2

Notice that in this case as well, a valid and completely harmless piece of text is treated as an XSS attack vector.

Sucuri XSS Filter

Let's get to the main topic. In this post I will reveal one of the many bypasses I found for Sucuri's XSS filter. The full bypass requires user interaction; however, if you follow the methodology below, you should easily be able to construct a bypass that does not require user interaction.

Sucuri states that its cloud proxy has a built-in XSS filter capable of detecting and blocking XSS attempts: "Our CloudProxy firewall does protect your site against XSS script injections if you want to prevent them from ever being used to compromise your site." So I decided to test its effectiveness; however, in the absence of a test bed I had to attempt it on a live website. So let's get started.

Methodology

The following is the methodology I use when I am up against any WAF:

i) Brute force: throwing random payloads and known bypasses for other filters at it to see whether any get past the filter.
ii) Regex reversing: the rules are reverse engineered to determine what is allowed versus what is not, and a bypass is constructed from that.
iii) Browser bugs: when (i) and (ii) fail, I turn to browser-specific bugs such as charset inheritance, RPO (relative path overwrite) and other quirks.

To bypass Sucuri the second method was used, i.e. regular-expression reversing.
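To make two of the points above concrete, the false positives that a blanket "src" rule produces (Examples #1 and #2) and what step (ii), regex reversing, actually consists of, here is a small added Python harness. It is not code from the original post, and the two rules in it are hypothetical: they are constructed to imitate the rule styles described (an over-broad "anything around src" rule and a fixed list of tags, schemes and event handlers), not Sucuri's or ModSecurity's real signatures. The harmless strings and the XSS vectors are also constructed, well-known generic payloads rather than anything Sucuri-specific.

```python
import re

# Two hypothetical blacklist rules, constructed for this example. They are NOT
# Sucuri's or ModSecurity's real signatures; they only imitate the two rule
# styles discussed in the post: an over-broad rule that matches anything on
# either side of "src", and a fixed list of tag names, the javascript: scheme
# and a handful of event handlers.
NAIVE_SRC_RULE = re.compile(r".*src.*", re.IGNORECASE)
NAIVE_XSS_RULE = re.compile(
    r"<\s*(?:script|iframe|img)\b"                 # a few blacklisted tag names
    r"|javascript\s*:"                             # the javascript: scheme
    r"|\bon(?:load|error|click|mouseover)\s*=",    # a few blacklisted handlers
    re.IGNORECASE,
)
RULES = (NAIVE_SRC_RULE, NAIVE_XSS_RULE)


def matched_rules(text, rules=RULES):
    """Return the pattern string of every rule that fires on `text`."""
    return [r.pattern for r in rules if r.search(text)]


def is_blocked(text, rules=RULES):
    """A request is blocked as soon as any blacklist rule matches it."""
    return bool(matched_rules(text, rules))


def false_positives(samples, rules=RULES):
    """Harmless inputs that the blacklist blocks anyway (Examples #1 and #2)."""
    return [s for s in samples if is_blocked(s, rules)]


def regex_reversal(candidates, rules=RULES):
    """Step (ii), regex reversing: once the rule set has been reconstructed from
    the WAF's block/allow behaviour, keep only the candidate vectors that none
    of the rules match. Everything returned is, by construction, a gap in the
    blacklist."""
    return [c for c in candidates if not is_blocked(c, rules)]


# Constructed harmless text, such as a forum post or a bug report.
HARMLESS = [
    "Please add the src attribute to your image tag.",
    "Our source code is hosted on GitHub.",
    "The onboarding process was smooth.",
]

# Constructed, well-known generic XSS vectors (nothing Sucuri-specific).
CANDIDATES = [
    '<script>alert(1)</script>',
    '<img src=x onerror=alert(1)>',
    '<a href="javascript:alert(1)">x</a>',
    '<svg onfocus=alert(1) autofocus>',               # handler not in the list
    '<details open ontoggle=alert(1)>',               # handler not in the list
    '<a href="JAVASCRIPT&#58;alert(1)">click</a>',    # scheme entity-encoded; fires on click
]


if __name__ == "__main__":
    print("False positives:", false_positives(HARMLESS))
    print("Vectors the rules miss:", regex_reversal(CANDIDATES))
```

The first harmless string is blocked purely because it contains the letters "src", which is the Example #1 behaviour; the two strings containing "source" and "onboarding" show that a rule anchored on word boundaries does not share that problem. Of the candidates, the first three are caught and the last three survive: two use event handlers missing from the fixed list, and the last entity-encodes the colon of the javascript: scheme inside an href, which the browser decodes but the pattern does not, at the cost of requiring a click. That trade-off is the same user-interaction caveat mentioned above.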

Initial Tests – Brute Force 

I ran initial tests with tons of different vectors, but quickly realised that brute force would not be the way to bypass this filter.




– IE