Study and Analysis of Web Application Firewall Blacklist Evasion

Issue: Vol.8 No.2

Authors:

Shrey Sethi (Manav Rachna International University, Faridabad)

Vidushi Singhal (Manav Rachna International University, Faridabad)

Keywords: Cross-Site Scripting, Vulnerability, Security, Web Application, WAF, Cookies, Firewall

Abstract:

Cross-Site Scripting (XSS) vulnerability is a kind of security flaw commonly found in web applications. In this study, our main objective is to bypass the WAF. We have tried different malicious and custom payloads to bypass WAFs. The XSS vulnerability is caused by vulnerable coding that does not sanitize user input.
