Evading All Web-Application Firewalls XSS Filters

During recent months, I was working on research that proves that all web-application firewalls do not protect against attacks as expected. The research focuses on evading the XSS filters of all popular Web-Application Firewalls, such as F5 Big IP, Imperva Incapsula, AQTRONIX WebKnight, PHP-IDS, Mod-Security, Sucuri, QuickDefense, Barracuda WAF, and they were all evaded within the research.

After evading the products, I have worked with vendors to patch all the discovered issues. The research should have been published in July 2015, but as a supporter of the responsible disclosure concept, I waited for companies to patch the bypasses and to get the final responses from them.

The research is meant for educational uses only, and should not be used in performing malicious actions. I am not responsible for any malicious actions that is done using the information in the research.

The research is ready to be shared with the public. You can find the links to download a copy of the paper below.

Download Link:-

MazinAhmed.net - Evading All Web-Application Firewalls XSS Filters.pdf