Web Application Firewalls Tested Against XSS Attacks

September 15, 2015


A researcher has conducted experiments to test some of the most popular web application firewalls (WAFs) and see how efficient they are in protecting against cross-site scripting (XSS) attacks.

A WAF is an appliance, a plugin or a filter that applies a set of rules to web communications in an effort to block common types of attacks, such as SQL injection and XSS. However, UAE-based security researcher Mazin Ahmed has attempted to demonstrate that many WAFs, including open source and commercial products, have weaknesses that could be exploited by malicious actors.

Ahmed published a paper last week detailing XSS filter evasion tests made on F5 Networks’ Big-IP, Incapsula’s WAF, AQTRONIX WebKnight, PHP-IDS, Trustwave’s ModSecurity, Sucuri’s WAF, QuickDefence, and Barracuda’s WAF.
