Imperva Cyber Community


how to detect and prevent HTML injection with imperva WAF?

  • 1.  how to detect and prevent HTML injection with imperva WAF?

    Posted 01-06-2020 07:54
    Our website is currently redirecting to another site. It was found that malicious code was injected into our homepage (highlighted below). After we removed the infected code, the issue was solved, but only for a short time. A few days later, our website got infected with the same code again.

    Our website is sitting behind our Imperva on-premises WAF. It seems the WAF is neither detecting nor preventing the injected code.
    Is it possible for our Imperva on-premises WAF to detect and prevent this malicious code by using a policy or any other means, and how? Thanks for reading.


    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Louis WAF
    ------------------------------


  • 2.  RE: how to detect and prevent HTML injection with imperva WAF?

    Imperva Employee
    Posted 01-06-2020 08:30
    Hi Louis,

    Is the snippet of code above what gets returned when you make a GET request to your site after infection?

    If it is, it looks like you may have a problem with malicious individuals being able to upload code to the server backend. This may be caused by a number of different issues, ranging from compromised servers, insecure CMS settings or bugs through to rogue admins.

    The Imperva WAF can help in some of these cases, specifically where an insecure or misconfigured (unpatched) CMS is in use. In cases like these, if there is a known CVE which renders the CMS susceptible to remote attack and remote HTML upload, the WAF can be set to intercept this traffic in most cases, but without confirmation that the issue is a problem with the CMS, or even what system is in use, it is not possible to make a more detailed assessment.

    At the very least, we'd recommend having someone check how the problematic code is making its way on to the web server, and forming an action plan based on the results of that analysis.

    ------------------------------
    Stefan Pynappels
    Escalation Engineer
    Imperva
    ------------------------------



  • 3.  RE: how to detect and prevent HTML injection with imperva WAF?

    Posted 01-06-2020 23:01

    Thanks Stefan,

    1. Yes, it is the code that gets returned when we make a GET request to our site after infection.
    2. We removed the infected code in head.ftl, located in /usr/local/jboss-as-7.1.1.Final/standalone-node1/deployments/XXX.war/template/focal, and the issue was solved.
    3. We believe it is code injection and not the servers being compromised (no unexpected users logged into the server during that time).

      Assuming it is a code injection issue, we would like to implement WAF input validation to prevent the malicious code. Are there any suggestions on how we could do this? Thanks for reading.



    ------------------------------
    Louis WAF
    ------------------------------



  • 4.  RE: how to detect and prevent HTML injection with imperva WAF?

    Imperva Employee
    Posted 01-07-2020 09:52
    Hi Louis,

    In that case, it is likely a vulnerability in JBoss itself. JBoss 7.1.1 is no longer supported or maintained, and as such it is possible that it contains security vulnerabilities which will not be addressed.

    Having said that, there are a number of things you can do. You should consider using the profile to lock down URLs which are not part of the normal application flow, and this would normally include URLs used for remote management and remote code upload. This should reduce the potential attack surface of the application.
    It appears that the offensive code includes Chinese or other non-Latin characters, and without knowing your target audience, you may be able to limit POST requests which contain these characters in a specific order.
    You should also go through the server logs, and especially the request logs, for an indication of any requests which included the offensive code, and narrow down the URL used to upload it. This URL can then be locked down more specifically using a Security Policy if required.

    However, it should be noted that the WAF is not a magic solution, and that running end-of-life software which no longer receives security patches is always risky. While the WAF can help mitigate that risk if specific vectors are known, it cannot remove it entirely.

    On the question as to whether the source IP can be identified, if a block is performed by the WAF as a result of a Security Policy, the Alert generated should include the Source IP of the request. It should be said that that is the client endpoint of the TCP connection that carried the payload, and the real source may be hidden behind NAT or some other tunneling protocol.

    ------------------------------
    Stefan Pynappels
    Escalation Engineer
    Imperva
    ------------------------------
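The steps Stefan lists in the reply above (lock down URLs outside the normal application flow, look at POST requests carrying non-Latin characters, search the request logs for the upload, and watch the template for reinfection) as one small triage script. This is example code added to the thread, not Imperva's, JBoss's or either poster's own tooling. It assumes a combined-format access log with the request body appended as a final quoted field (most servers do not log bodies by default; the WAF's own audit log is the more realistic source), an invented allowlist of normal POST URLs, and constructed log lines with invented hosts and paths.

```python
"""Triage helper for the reinfection case discussed in this thread (added example, not from the thread).

Assumptions (not from the thread): access-log lines in combined format with the
request body as a trailing quoted field; ALLOWED_POST_PATHS models the "profile"
of normal application URLs; KNOWN_GOOD_SHA256 is recorded after clean-up.
"""
import hashlib
import re
import unicodedata
from pathlib import Path
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample log lines. IPs are from documentation ranges; the upload
# path, user agents and bodies are invented for the example.
SAMPLE_LOG = """
203.0.113.10 - - [06/Jan/2020:07:10:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-"
203.0.113.10 - - [06/Jan/2020:07:10:05 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0" "user=alice&pw=REDACTED"
198.51.100.7 - - [06/Jan/2020:07:12:44 +0000] "POST /management/upload HTTP/1.1" 200 15 "-" "curl/7.64.0" "file=head.ftl&content=<script>REDACTED</script>中文"
198.51.100.7 - - [06/Jan/2020:07:12:50 +0000] "GET /template/focal/head.ftl HTTP/1.1" 200 2210 "-" "curl/7.64.0" "-"
"""

# Combined log format plus one extra quoted field holding the request body.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" "(?P<body>.*)"$'
)

# Assumed "profile" of URLs that legitimately receive POSTs from the application.
ALLOWED_POST_PATHS = {"/login", "/search", "/contact"}

# Placeholder: set this to sha256_hex() of the clean head.ftl after clean-up.
KNOWN_GOOD_SHA256 = None


def has_non_latin(text: str) -> bool:
    """True if text contains a character outside ASCII whose Unicode name is not Latin.

    Accented Latin letters (e.g. 'é') are not flagged; CJK and other scripts are.
    """
    for ch in text:
        if ord(ch) < 0x80:
            continue
        if not unicodedata.name(ch, "").startswith("LATIN"):
            return True
    return False


def triage(log_text: str) -> List[Dict]:
    """Return one finding per request that matches any of the thread's indicators."""
    findings = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed format; skip rather than guess
        rec = m.groupdict()
        reasons = []
        if rec["method"] == "POST" and rec["path"] not in ALLOWED_POST_PATHS:
            reasons.append("POST to URL outside the application profile")
        # Decode %-escapes first so encoded non-Latin characters are not missed.
        body = unquote(rec["body"]) if rec["body"] != "-" else ""
        if has_non_latin(body) or has_non_latin(unquote(rec["path"])):
            reasons.append("non-Latin characters in request")
        if "<script" in body.lower():
            reasons.append("script tag in request body")
        if reasons:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"], "reasons": reasons})
    return findings


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of file contents, used to record the clean template."""
    return hashlib.sha256(data).hexdigest()


def content_changed(current: bytes, known_good_sha256: str) -> bool:
    """True if the template no longer matches the digest recorded after clean-up."""
    return sha256_hex(current) != known_good_sha256


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
    # Reinfection watch on the template path named in the thread.
    template = Path("/usr/local/jboss-as-7.1.1.Final/standalone-node1/deployments/XXX.war/template/focal/head.ftl")
    if template.exists() and KNOWN_GOOD_SHA256:
        print("head.ftl changed:", content_changed(template.read_bytes(), KNOWN_GOOD_SHA256))
```

Run against the constructed log, only the POST to the invented upload path is reported, with the source IP and timestamp that a Security Policy alert would also carry; the `content_changed` check, run from cron against the recorded digest, gives early notice of the next reinfection instead of waiting for the redirect to be noticed.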



  • 5.  RE: how to detect and prevent HTML injection with imperva WAF?

    Posted 01-06-2020 23:39
    Hi Stefan,

      Thanks. Is it also possible in the WAF to trace the source IP which injected the problematic code? Thanks again.

    ------------------------------
    Louis WAF
    ------------------------------