
Barracuda WAF auto-generate unknown .js in HTTP Response

#WAF #JavaScript #JS



2 replies to this topic

#1 Mikel

Mikel
  • Members
  • 3 posts

Posted 10 October 2019 - 12:00 AM

Hi everyone,

We've deployed a Barracuda WAF to protect our web server. The topology is as below:

Internet ==> Firewall ==> WAF ==> Web Server.

  • There is a strange thing here. The Barracuda WAF auto-generates an unknown .js in the HTTP response, although we don't enforce Captcha or Application DDoS Mitigation:

The name of the .js file is: bni_1896b1697d8ca9f980069c2600d67e25.js
If we send an HTTP request to the website via the WAF, a .js file is returned to the browser - an unknown js file.

The consequence is that when getting this .js, the browser cannot render the content of the website.

When accessing the js directly, we get some encoded content as below:


  • But if we try to access the website directly (not via the WAF), this js doesn't exist when inspecting the HTML element in the browser. And the page loads successfully?

So I don't understand why this .js file is being inserted, or when/why and what generates this .js file (although we don't turn on Captcha or the Application DDoS Mitigation policy).

Has anyone faced the same problem as us, and could you explain this situation to us?

Many thanks for your support :)



#2 Aravindan Anandan

Aravindan Anandan
  • Barracuda Team Members
  • 73 posts

Posted 10 October 2019 - 12:21 AM   Best Answer

It is quite possible that the client fingerprinting feature (which is enabled by default in 10.0 firmware) is causing this js to be inserted in the HTML response. This is intentional, as successful execution of this script in the browser allows the WAF to uniquely identify the source of the request, which then helps weed out bad bots and malicious clients trying to access the site.

It is possible to disable this functionality by turning off client fingerprinting for the service (edit the service to see the option). However, since it serves a useful purpose, I would recommend that you contact our support at wafsupport_team@barracuda.com to let them know about the issue you are facing because of this, so that we can suggest the best course of action without giving up on a useful feature like client fingerprinting.
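One way to triage an unknown script that an in-path device inserts, as an added example that is not code from the original post or from Barracuda: decode the "\xNN"-escaped string table (the encoded excerpt in the first post is in that format) and check which known fingerprinting markers it contains, which is how a defender can confirm the explanation above before deciding whether to disable the feature. The marker list and the sample table are constructed here for the example and are assumptions, not a vendor signature.

```javascript
// Added example, not code from the original post or from Barracuda. It decodes a
// "\xNN"-escaped string table of the kind seen in the injected bni_*.js and
// reports which known browser-fingerprinting markers it contains, so an unknown
// injected script can be classified before the feature that inserts it is
// switched off.

// Marker names appear in the decoded table quoted in the thread (fingerprintjs2
// option keys); this list is an assumption of the example, not a vendor signature.
const FINGERPRINT_MARKERS = [
  "fingerprintjs2", "canvasKey", "webglKey", "pluginsKey",
  "screenResolutionKey", "hardwareConcurrencyKey", "FontList.swf",
];

// Decode \xNN and \uNNNN escapes inside the body of one double-quoted literal.
function decodeEscapes(literal) {
  return literal
    .replace(/\\x([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\u([0-9A-Fa-f]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Extract and decode every string literal of the first `var _0x....=[ ... ]`
// table. A truncated table (no closing "]", as in the quoted excerpt) is read
// to the end of the input instead of being rejected.
function extractStringTable(source) {
  const m = source.match(/var\s+(_0x[0-9a-f]+)\s*=\s*\[([\s\S]*?)(?:\]|$)/i);
  if (!m) return { name: null, strings: [] };
  const strings = [];
  const literal = /"((?:[^"\\]|\\.)*)"/g;
  let hit;
  while ((hit = literal.exec(m[2])) !== null) strings.push(decodeEscapes(hit[1]));
  return { name: m[1], strings };
}

// Classify the script: which markers are present, plus a simple two-marker threshold.
function triage(source) {
  const { name, strings } = extractStringTable(source);
  const markers = FINGERPRINT_MARKERS.filter((mk) => strings.some((s) => s.includes(mk)));
  return { table: name, decoded: strings, markers, looksLikeFingerprinting: markers.length >= 2 };
}

// Constructed sample in the same shape as the real excerpt; the escapes spell
// "use strict", "fingerprintjs2", "canvasKey" and "webglKey".
const SAMPLE =
  'var _0x7094=["\\x75\\x73\\x65\\x20\\x73\\x74\\x72\\x69\\x63\\x74",' +
  '"\\x66\\x69\\x6E\\x67\\x65\\x72\\x70\\x72\\x69\\x6E\\x74\\x6A\\x73\\x32",' +
  '"\\x63\\x61\\x6E\\x76\\x61\\x73\\x4B\\x65\\x79","\\x77\\x65\\x62\\x67\\x6C\\x4B\\x65\\x79"];';

console.log(triage(SAMPLE));
```

Run it against the full script fetched from the WAF-fronted host; a table that decodes to option names like the ones above is the fingerprinting library, not an injected third-party payload.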



#3 Mikel

Mikel
  • Members
  • 3 posts

Posted 10 October 2019 - 12:52 AM

Thank you bro, I found this config and just tried turning it off, and the js has gone. I will ask the Barracuda support team about this case.
Many thanks for your support bro :)