title: WAF is a curse
author: depierre
published: 2015-02-21
categories: Security
keywords: security, waf, xss, html5
Until I write something about the [OWASP Winter Code Sprint](https://www.owasp.org/index.php/Winter_Code_Sprint) I did
last semester, I want to share a quick thought here:
> WAF won't protect you if your application is vulnerable, it is solely a bonus!
# WAF?
A Web Application Firewall protects your applications by monitoring the traffic and dropping the obvious attacks before
they reach their targets.
For instance, it is known to be useful against automated attacks or well-known JavaScript injections. Even more, it becomes
handy when deploying a virtual patch very fast for vulnerabilities like
[Shellshock](https://en.wikipedia.org/wiki/Shellshock_(software_bug)) for instance.
But it is not a standalone solution at all! **You still need to assert the security of your application first!**
# Lame
If your application does nothing regarding the security aspect, you are assuming that the WAF will never fail. **That
is absurd of course** since you can see new kind of data injections popping almost every weeks on the Internet. Your
WAF won't detect them until its rules are updated or until it is smart enough to derive new rules by itself when
watching the traffic.
Another aspect to consider is the overhead. You could configure your WAF to monitor everything for every URLs but that
will require an important overhead so most of the time, it tries to be smart when analyzing the payloads.
Why am I stating the obvious about WAFs? Well because I saw that specific case not long time ago!
Someone asked to have her web application be pen-tested. During the assessment, I was almost 100% sure that there was
an XSS injection but because of the WAF she was using, I couldn't have a proper JavaScript injection and it made me a
little bit sad.
We asked her if it was possible to deactivate the WAF just for the gig. **It was obvious that our objective was to test
the application, not the WAF!** She answered, with nice words and a small touch of politic, to go fuck ourselves :/
# Won't save you
First I tried to use some basic payloads such as ``">`` or ``" onmouseover="alert(1)`` but
each time I had **404 errors because the WAF was blocking the requests**. That was frustrating mostly because if I
could have had a working payload, it would have meant that I had found a XSS in each and every pages of the application
(which sounded really nice to me).
Then I spoke with my comrade to seek his help because XSS isn't my specialty (What is it by the way? Still have no
idea). He told me that **WAFs, in general, were mostly aimed at JavaScript rather than HTML5**. Then he sent me a
**[nice resource](https://html5sec.org)** which gathers a bunch of HTML5-specific XSS payloads.
Guess what? Using almost the first payload listed there gave me a fully working XSS.
Indeed, using ``">`` **was not detected by her WAF**. Nice bonus, the payload does not
require any user interaction.
From the behavior I saw, it seems that the WAF was running deeper tests on the parameters but not the whole URL. It
seems smart (think overhead) because how could some junks in the URL affect your application if they are not in
parameters?
Well, it tried to be smart but it failed really hard here!
# Conclusion
When asking for a pen-test on your brandy new application, please deactivate your WAF, otherwise the assessment report
cannot be trusted because **the WAF obfuscates the root problems...**