Bypassing the WebARX Web Application Firewall (WAF)

WebARX is a web application firewall where you can protect your website from malicious attacks. As you can see it was mentioned in TheHackerNews as well and has good ratings if you do some Googling.

It was found out that the WebARX WAF could be easily bypassed by passing a whitelist string. As you see the request won’t be processed by the WAF if it detects a whitelist string.

Let’s first try on their own website. This is a simple LFi payload.


XSS in CloudFlare

#1 XSS

These are some of my duplicate vulnerabilities found. I just thought of sharing with you. Recently I found two POST XSS in CloudFlare and unfortunately I was not the first to report.
I found the first issue in the “Confirm Key Generator” dialog box.

Let’s have a closer look at the URL.


It seems like an XMLHttpRequest object is used in the server side it accept our POST request. (more…)