Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

[DeepSec 2015]50 Shades of WAF


50 Shades of WAF – Exemplified at Barracuda & Sucuri
Ashar Javed (Hyundai AutoEver Europe GmbH)

This talk will present 50 (25*2) bypasses of Barracuda and Sucuri’s WAF default signatures that deal with Cross-Site Scripting (XSS). 150,000 organizations worldwide including Fortune 1000 companies are using Barracuda while around 10,000 web applications are behind Sucuri’s cloud-based WAF. The XSS bypasses we will present in this talk are also applicable to other WAFs. All bypasses were responsibly reported to the vendors and most of them were fixed. Further, we will show XSS in Barracuda’s admin interface and in their web application. Finally, we will present one unfixed bypass of Barracuda and Sucuri and will see how quickly vendors will react to fix it, given it will make thousands of sites vulnerable.


150,000 organizations use Barracuda Networks technology.

Over 10 months during 2014/2015 Barracuda had 7 updates of their ruleset, none of which included XSS. 6 months after that, they released 5 updates and 1 firmware patch that included fixes for XSS issues. Updating is hard, meaning there are a lot of WAFs out there that are letting XSS attacks through.

How to detect Barracuda… if you see this message, then you’re looking at Barracuda:

The specified URL cannot be found

After testing the regular expressions used to detect XSS, their was a number of XSS discovered.

Event Handlers

4 separate regexes handling event handlers.

Large number of event handlers missing, and the ones in the regex are hard-coded (for logging and tracking purposes).

  • ontoggle
  • onsearch
  • onlaungaugechange
  • oncuechange
  • ondragexit

Moving to a more generic event handler detection e.g. on(.*) would catch these.

However, even if the event handler was detected it was bypassable. However the logic didn’t allow for backtick (`) which is supported in some browsers. It was also possible to bypass by injecting a newline between the equals and quotes (onclick=%0A”stuff”). This was due to the use of “.” in the regex, which matches anything except a newline.

meta tags where also treated differently, resulting in a number of ways of bypassing the filters. The same issues existed in a number of html tags.

Some other issues that cause bypasses:

  • Tags < 10 chars
  • Tags alphanumeric
  • Tags are closed properly
  • Data URI JS injection (resulted in multiple issues)
  • expression

All these Regexes work together to detect issues. However these are not always turned on. They need to activated, and whitelisting specific checks may have a knock-on effect in other areas where mutliple regexes are needed for detection.

Constant tweaks to the payload and complexity of the regexes results in false positives. The knock-on effect of this is disabling of protections, which lowers overall the level of security.

Some of the bypasses effected the BarracudaNetworks.com login page and stored XSS in their main admin interface.

Takeaway: Updated to 1.102 version and apply the firmware patch 8.0.1


Cloud-based WAF… priced cheaper than a takeaway pizza.

Sucuri offers a bug bounty (through HackerOne) on bypasses.

A large number of bypasses using encoding, backticks, unclosed tags, VBscript…

Blocked all onmouse*, onkey*, and many many more. Blacklists are a zero sum game.

Blocking of script tags appeared work well, however <script%2fsrc was a workable bypass technique. There’s always new bypasses, and almost an endless way to bypass the protections given enough time.


WAFs are not the only protection layer. It can be an extra layer, but not the only defense.



Comments are closed.

%d bloggers like this: