Archive for October, 2013

CloudFlare vs Incapsula: Round 2 – Comparative Penetration Testing Analysis Report

This document contains the results of a second comparative penetration test conducted by a team of security specialists at Zero Science Lab against two cloud-based Web Application Firewall (WAF) solutions: Incapsula and Cloudflare. This test was designed to bypass security controls in place, in any possible way, circumventing whatever filters they have. Given the rise in application-level attacks, the goal of the test was to provide IT managers of online businesses with a comparison of these WAFs against real-world threats in simulated real-world conditions.

Direct download:

Here’s a video to show some Blocks and Bypasses from both vendors:

WordPress WooCommerce Plugin 2.0.17 Cross-Site Scripting Vulnerability

The plugin suffers from a XSS issue due to a failure to properly sanitize user-supplied input to the ‘hide-wc-extensions-message’ parameter in the ‘admin/woocommerce-admin-settings.php’ script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.