Archive for October, 2013

CloudFlare vs Incapsula: Round 2 – Comparative Penetration Testing Analysis Report

This document contains the results of a second comparative penetration test conducted by a team of security specialists at Zero Science Lab against two cloud-based Web Application Firewall (WAF) solutions: Incapsula and Cloudflare. This test was designed to bypass security controls in place, in any possible way, circumventing whatever filters they have. Given the rise in application-level attacks, the goal of the test was to provide IT managers of online businesses with a comparison of these WAFs against real-world threats in simulated real-world conditions.



Direct download: http://zeroscience.mk/files/wafreport2013v2.pdf

Here’s a video to show some Blocks and Bypasses from both vendors:



WordPress WooCommerce Plugin 2.0.17 Cross-Site Scripting Vulnerability

The plugin suffers from a XSS issue due to a failure to properly sanitize user-supplied input to the ‘hide-wc-extensions-message’ parameter in the ‘admin/woocommerce-admin-settings.php’ script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

woocommerce_xss2

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5156.php