Lucene search
K

Imperva SecureSphere WAF 11.5 Bypass

🗓️ 14 Sep 2018 00:00:00Reported by Damien CabrieType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 47 Views

Imperva SecureSphere WAF 11.5 Bypass vulnerability in Web Correlation Policy engine for SQLi and XSS protectio

Code
`Hello everyone,  
  
Can I have your opinion about this bug below please ?  
  
# Exploit Title: Policy Bypass on Imperva SecureSphere Web Application  
Firewall  
# Date: 08/05/2018  
# Author: Damien CabriA(c)  
# Contact: https://twitter.com/nawhack  
# Vendor Homepage: http://www.imperva.com  
# Version: Imperva SecureSphere WAF 11.5 in all deployment options  
# Tested on: Imperva SecureSphere WAF 11.5.0.95_0 (bridge and reverse proxy  
mode)  
# Class: Policy Bypass  
  
[VULNERABILITY DETAILS]  
  
The Imperva WAF provides solutions to protect websites against attacks (SQL  
injections, cross site scripting, illegal resource access). The protect is  
base with policies building from Signatures (network, generic attack, known  
web application vulnerabilities), Application profiling and Threatradar  
Reputation Service.  
  
There is a bug in the Web Correlation Policy engine which protect against  
SQLi and XSS.  
  
The WAF is not able to detect malicious SQLi or XSS content in the body of  
POST requests without the "Content-Type" header.  
  
An attacker can easily craft a POST request method without the Content-Type  
header to bypass firewall protections.  
  
Applications protected by the WAF could be compromised with this bug.  
  
[REMEDIATION]  
If possible, block POST requests without Content-Type header.  
  
[DISCLOSURE TIME-LINE]  
* 08/05/2018 - Initial vendor contact.  
  
* 27/06/2018 - Imperva confirmed the issue. Fix targeted for Q4 2018.  
  
* 12/07/2018 - Ticket closed.  
  
* 18/08/2018 - Public disclosure.  
  
Regards  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation