Sucuri WordPress Website Firewall Bypass

Last updated on October 08th, 2015 by Robert Abela. Filed under WordPress Security News

A few weeks back I wrote a piece, All you need to know about WordPress website firewalls, about WordPress website firewalls, or as they are better known in the security industry, web application firewalls (WAFs). In that article I explained how they work and what their limitations and shortcomings are. Fast forward to today: Rafay Baloch, one of Pakistan’s leading security professionals, published a blog post about a Sucuri website firewall cross-site scripting filter bypass. He was able to carry out a cross-site scripting attack against a website protected with the Sucuri website firewall, i.e. the firewall did not block it.

Sucuri XSS Filter Bypass

As explained in his blog post, to test and identify this Sucuri XSS filter bypass Rafay tried several types of attack. To be able to construct a valid payload, he launched a number of brute force attacks. From the results of these he noticed that the `<a` tag with an `href` attribute was being allowed through the Sucuri website firewall. With that information in hand he tried building several other payloads, and after a long trial and error session he managed to build a payload that allowed him to exploit a cross-site scripting vulnerability on the target website, thus bypassing the Sucuri website firewall.

How is Sucuri Website Firewall Bypassed?

Sucuri uses a blacklist approach: the firewall blocks a list of known attack patterns. Therefore, when a new attack pattern is identified, the Sucuri website firewall cannot block it until someone manually updates the definition files (the blacklist) on the website firewall. This is how web application firewalls work in general, which is why I always stress that, even though they are a good addition to your security strategy, it is still of utmost importance to harden your WordPress installation, keep an audit log of all WordPress user activity, and identify WordPress security issues before they become a problem.

For a complete and detailed analysis of the attack refer to Rafay’s blog post on his blog Rafay Hacking Articles.

Sucuri Response and Partial Fix?

This morning Rafay said that Sucuri had only partially fixed the problem, so they are still not fully protecting against the attack. He posted the following on Facebook:

So, SUCURI after my blogpost updated their rules to prevent attacks, however they were miserably broken.

Update 1: It seems like Sucuri has just blocked “Prompt” keyword, the following vector bypasses it – <a%20x%20href=javascript%26%2358%3Bprompt(1)>a</a> credits @mmrupp

Update 2: It seems like Sucuri is now blocking “Prompt” as well as the “Confirm” keyword, the following vector bypasses it –

<q oncut=\u0070rompt(2)>

"><p id=""onmouseover=\u0070rompt(1) //

Update 3: @soaj1664ashar found another way to bypass the filter:

"><p id="\u0070rompt(1)"onmouseover=\u0065val(id) //

NOTE: since the problem was originally reported, all of the issues reported by Rafay have been fixed by Sucuri.

What Can We Learn from this Sucuri Bypass?

As Sucuri themselves, I and other security professionals always say, there is no fully secure solution for WordPress or any other platform. Therefore you should never depend on a single system. Think of all the aspects of security (protection, monitoring, testing, hardening, etc.) and try to address each of them using different solutions. I would also recommend reading Understanding the WordPress security plugins ecosystem for a better understanding of the different types of WordPress security plugins and their scopes.
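To make the blacklist limitation described above concrete, here is an added example (not code from the original post, from Sucuri or from Rafay) that runs the vectors quoted in Rafay's updates through a hypothetical keyword blacklist and then through plain HTML output encoding, the hardening step the post recommends instead of relying on the firewall alone. The blacklist matching the literal tokens `javascript:`, `prompt` and `confirm` is my simplification of the rule updates the post describes, not Sucuri's actual rule set.

```python
import html
import re

# Vectors quoted in the post above, collected here as the demo input
# (constructed list; the strings are the ones reported in Rafay's updates).
VECTORS = [
    '<a x href=javascript&#58;prompt(1)>a</a>',
    '<q oncut=\\u0070rompt(2)>',
    '"><p id=""onmouseover=\\u0070rompt(1) //',
    '"><p id="\\u0070rompt(1)"onmouseover=\\u0065val(id) //',
]

# Hypothetical blacklist in the spirit of the rule updates described in the
# post: reject the input if a known dangerous token appears literally.
BLACKLIST = re.compile(r'javascript:|prompt|confirm', re.IGNORECASE)


def blacklist_blocks(value: str) -> bool:
    """True if the literal-keyword blacklist would reject this input.
    Only the first vector is caught, because it spells 'prompt' literally;
    the others spell it with a \\u escape the literal match never sees."""
    return BLACKLIST.search(value) is not None


def render_unsafe(value: str) -> str:
    """The vulnerable pattern: reflect user input straight into the page."""
    return f'<div>{value}</div>'


def render_safe(value: str) -> str:
    """The hardening fix that does not depend on a WAF: encode the input
    for the HTML context it lands in (html.escape handles <, >, &, quotes)."""
    return f'<div>{html.escape(value, quote=True)}</div>'


def can_break_context(rendered: str) -> bool:
    """True if the user-controlled part can still open a tag or close an
    attribute, i.e. a raw <, > or quote survived into the markup."""
    inner = rendered[len('<div>'):-len('</div>')]
    return any(ch in inner for ch in '<>"\'')


def evaluate(vectors=VECTORS):
    """Per vector: (blocked by blacklist?, unsafe render breaks context?,
    safe render breaks context?)."""
    return [(blacklist_blocks(v),
             can_break_context(render_unsafe(v)),
             can_break_context(render_safe(v))) for v in vectors]
```

Every vector breaks out of the markup when reflected raw and none does after encoding, regardless of what the blacklist caught; that is why hardening the application matters more than any single filter.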


Craig 27/04/2015

Sucuri are a scam.

They have focused heavily on marketing and promotion.

They also offer a generous affiliate program which is why they have so many people supporting and promoting them.

It's all about money.

Their other tools are useful as well.

They are in the malware cleanup business. They want you to get hacked otherwise they go broke.

Robert Abela 27/04/2015

Hi Craig,

I wouldn’t call Sucuri a scam but I do agree that they are more of a marketing company rather than a technology, product focused company. Their products are good but after looking at how they responded to this issue (i.e. they make a fix and just seconds after Rafay discovers another hole) I am sure they can do much better.
