In the modern web, it’s no surprise that your application can become a target for a lot of different visitors, and not all of them are human beings, of course. There are plenty of automated guys around: from good old search engine robots to sophisticated, armed-to-the-teeth bots, scrapers, scanners, and so on.
To protect applications from all the bad robots, anti-bot solutions come into play, and one of the most popular ones is the Imperva Incapsula Advanced Bot Protection solution.
What’s the incapsula-cracker project?
But there is always a big and popular question: how to bypass it? Bot-makers and anyone who tries to use bots are always playing cat and mouse with anti-bot solutions. Several projects exist to answer this question in general; one of the oldest is incapsula-cracker (https://github.com/ziplokk1/incapsula-cracker-py3).
As of now, incapsula-cracker is not up to date and does not cover all of the solution’s changes, but the idea behind it and its way of bypassing are really interesting and still the same, and that is what we are interested in here.
More interesting is that the community around it is really passionate about solving these problems; their discussions and thoughts about “how to solve it better” can be seen in the issues, with a lot of technical details:
The other community project incapsula-bypass
How many times has the Imperva defense been bypassed in 2020-2021?
Let’s see a few examples of successful attacks that bypassed the Imperva defense.
- In March 2021, 0xInfection used an XSS payload that worked great at bypassing Imperva’s security. The code was:
- Dawood Iklaq found a way to bypass Imperva security and use the ‘sleep’ keyword (the app blocks it otherwise); SQL injection of the following string helped him succeed:
sle%25p%28'0x12'%2b1) => sleep('0x12' + 1)
- Another cybersecurity enthusiast and full-stack developer, spyerror, succeeded in carrying out an XSS attack that bypassed Imperva using the following code:
- A web app security researcher with the username BoOoM checked for an Incapsula WAF SQL injection bypass through web shell upload and succeeded in getting around its security implementation. The code used during this bypass was:
' INTO OUTFILE '/var/www/html/x.php' FIELDS TERMINATED BY '<?php phpinfo();?>
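On the defending side, both quoted strings can be caught by canonicalizing a parameter before matching it. The following added example is not code from the article or from incapsula-cracker. It decodes a value until it is stable, then flags layered encoding, a percent sign left inside a word (as in the `sle%25p` string) and the `INTO OUTFILE` / PHP-tag pattern. The rule names, the round limit and the extra layered-encoding check are assumptions chosen for illustration.

```python
import re
from urllib.parse import unquote

# Constructed inputs: the two strings quoted in the list above, plus a benign value.
SAMPLES = [
    "sle%25p%28'0x12'%2b1)",
    "' INTO OUTFILE '/var/www/html/x.php' FIELDS TERMINATED BY '<?php phpinfo();?>",
    "100%25 cotton shirts",
]

# A '%' left between letters after decoding is not a valid escape and splits a word.
PERCENT_IN_WORD = re.compile(r"(?<=[A-Za-z])%(?![0-9A-Fa-f]{2})(?=[A-Za-z])")
# Hypothetical rule names; patterns cover only what the quoted strings contain.
RULES = [
    ("into-outfile", re.compile(r"\binto\s+(?:out|dump)file\b", re.I)),
    ("php-open-tag", re.compile(r"<\?(?:php|=)", re.I)),
]

def canonicalize(value, max_rounds=3):
    """Percent-decode until the value stops changing; return (text, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def inspect(raw):
    """Return the names of the checks that fire on one parameter value."""
    text, rounds = canonicalize(raw)
    findings = []
    if rounds > 1:  # more than one decoding layer was needed
        findings.append("multi-encoded")
    if PERCENT_IN_WORD.search(text):
        findings.append("percent-inside-word")
    findings += [name for name, rx in RULES if rx.search(text)]
    return findings

if __name__ == "__main__":
    for sample in SAMPLES:
        print(inspect(sample), repr(canonicalize(sample)[0]))
```
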
What motivates the community?
The most interesting thing here is the motivation and interest of the community in cracking it in general: it’s not about Imperva at all, it’s about the process. A lot of discussions about re-implementation can be seen in the issues, and a lot of improvements and reverse-engineered solutions were proposed by the community. Even now, when some of the solutions no longer work or receive updates, it can still be seen that interest in it is not over.
But as of now, unfortunately, it is becoming more commercial and not as open-source as it was before: currently, solutions with improvements and fixes can be seen on the markets (for example, https://bhf.im/threads/609788/). Basically, some of them are modified versions of the original open-source solutions from GitHub, but with some new features and additions.
In conclusion, it’s worth saying that this kind of solution exists for almost all of the bot solutions, and the only difference is in the answer to the question: “How complicated and hard would it be to break through it?”
Here you can find the complete list of Imperva bypasses throughout history