A few weeks back I wrote a piece about WordPress website firewalls, better known in the security industry as web application firewalls (WAFs). In that article, All you need to know about WordPress website firewalls, I explained how they work and what their limitations and shortcomings are. Fast forward to today: Rafay Baloch, one of Pakistan’s leading security professionals, published a blog post about a Sucuri website firewall cross-site scripting filter bypass. He was able to exploit a cross-site scripting vulnerability on a website protected by the Sucuri website firewall, i.e. the firewall did not block the attack.
Sucuri XSS Filter Bypass
As explained in his blog post, to test for and identify this Sucuri XSS filter bypass Rafay tried several types of attack. To construct a valid payload he launched a number of brute force attacks. From their results he noticed that an <a tag with an href attribute was being allowed through the Sucuri website firewall. With this information in hand he tried building several other payloads, and after a long trial-and-error session he managed to build one that exploited a cross-site scripting vulnerability on the target website, thus bypassing the Sucuri website firewall.
How is Sucuri Website Firewall Bypassed?
Sucuri uses a blacklist approach: the firewall blocks a list of known attack patterns. Therefore, when a new attack pattern is identified the Sucuri website firewall won’t be able to block it until someone manually updates the definition files / blacklist on the website firewall. This is how web application firewalls work, which is why I always stress that even though they are a good addition to your security strategy, it is still of utmost importance to harden your WordPress installation, keep an audit log of all WordPress user activity and identify WordPress security issues before they become a problem.
For a complete and detailed analysis of the attack refer to Rafay’s blog post on his blog Rafay Hacking Articles.
Sucuri Response and Partial Fix?
This morning Rafay said that Sucuri had partially fixed the problem, hence they are not fully protecting against the attack. He posted the following on Facebook:
So, SUCURI after my blogpost updated their rules to prevent attacks, however they were miserably broken.
Update 2: It seems like Sucuri is now blocking “Prompt” as well as the “Confirm” keyword, the following vector bypasses it –
"><p id=""onmouseover=\u0070rompt(1) //
Update 3: @soaj1664ashar found another way to bypass the filter:
"><p id="\u0070rompt(1)"onmouseover=\u0065val(id) //
NOTE: since the problem was originally reported, all of the issues reported by Rafay have been fixed by Sucuri.
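The blacklist approach described above and the two escaped vectors quoted in the Facebook post, as an added example (not Sucuri’s or Rafay’s code): a toy keyword filter of the kind a blacklisting WAF uses, the identifier normalization that lets it see those vectors, and the contextual output encoding that neutralizes them whatever keyword they use. All function names are assumptions for illustration.

```javascript
// Added example, not Sucuri's or Rafay's code: a toy keyword blacklist of the
// kind the post describes, a normalization step that makes the quoted vectors
// visible to it, and the output encoding that removes the problem regardless
// of keyword. All function names here are invented for illustration.
const BLOCKED_KEYWORDS = ["alert", "prompt", "confirm", "eval"];

// Naive blacklist: matches the literal keyword only.
function naiveBlacklist(input) {
  const lower = input.toLowerCase();
  return BLOCKED_KEYWORDS.some((kw) => lower.includes(kw));
}

// Decode \uXXXX identifier escapes the way a JavaScript parser does, so that
// \u0070rompt and prompt compare equal before the keyword check runs.
function decodeJsUnicodeEscapes(input) {
  return input.replace(/\\u([0-9a-fA-F]{4})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16))
  );
}

// Same blacklist, applied after normalization.
function normalizedBlacklist(input) {
  return naiveBlacklist(decodeJsUnicodeEscapes(input));
}

// Contextual output encoding for an HTML attribute value: every character that
// could close the attribute or the tag becomes an entity, so the payload can
// never leave the attribute, whatever keyword it uses.
function encodeHtmlAttribute(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return value.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed inputs: the two vectors quoted in the Facebook post above.
const VECTOR_1 = '"><p id=""onmouseover=\\u0070rompt(1) //';
const VECTOR_2 = '"><p id="\\u0070rompt(1)"onmouseover=\\u0065val(id) //';

// Returns, for each vector, what the naive and normalized filters decide and
// how the vector renders once encoded as an attribute value.
function compareFilters() {
  return [VECTOR_1, VECTOR_2].map((v) => ({
    naive: naiveBlacklist(v),            // false: keywords hidden by escapes
    normalized: normalizedBlacklist(v),  // true
    encoded: encodeHtmlAttribute(v),
  }));
}
```

The point for a defender is the third column: once untrusted data is encoded for the context it lands in, the keyword list stops mattering, which is why the post insists on hardening rather than relying on the firewall alone.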
What Can We Learn from this Sucuri Bypass?
As Sucuri themselves, I, and other security professionals always say, there is no fully secure solution for WordPress or any other platform. Therefore you should never depend on a single system. Think of all the aspects of security (protection, monitoring, testing, hardening, etc.) and try to address each of them with a different solution. I would also recommend reading Understanding the WordPress security plugins ecosystem for a better understanding of the different types of WordPress security plugins and their scopes.