Qualys Community


Qualys Cloud Platform 2.15 New Features

A new release of the Qualys Cloud Platform (AssetView 2.15, Cloud Agent Platform 1.6.0) includes several new features for AssetView and support for additional operating systems for Cloud Agent.

The specific deployment day will differ depending on the platform. Release dates will be published on the Qualys Status page when available.


Microsoft Patch Tuesday August 2016

It's August 2016 Patch Tuesday and Microsoft has released nine security bulletins that affect a host of components including desktop operating systems, browsers, fonts and servers. Five updates are rated as critical while four are rated as important.


WAS 4.9 Introduces Global Exclusion Lists and Scan Comparison Feature

We are pleased to announce Qualys Web Application Scanning 4.9 (WAS), featuring customizable global exclusion lists and enhanced reporting with a new, quick and easy scan comparison feature to help you meet your web application scanning needs and reach your business objectives even more quickly.


Testing AJAX Applications with JSON Input for Vulnerabilities Using Qualys WAS

Qualys Web Application Scanning 4.9 has added the capability to run web app vulnerability scans on AJAX applications that use JSON input. Specifically, WAS 4.9 can test for SQL injection (SQLi), local file injection (LFI) and PHP command injection. Many web application scanners are capable of detecting SQL injection, LFI, PHP command injection and other vulnerabilities in web applications that use standard GET/POST requests, but they fail to find the same flaws in applications that send JSON input in POST data. To analyze and detect vulnerabilities in JSON requests, WAS 4.9 added the capability to execute some AJAX scripts during automatic scanning without manual intervention. This capability relies on the SmartScan feature, which customers need to enable in their subscriptions.


TLS Version Intolerance in SSL Pulse

You often hear that TLS is the most important security protocol. Usually, the reasoning is that it’s very widely deployed and also that it works for many higher-level protocols. That’s certainly true, but for those who work more closely with these protocols there is another important aspect: we can learn so much about protocol design by carefully examining the evolution of TLS.


Handling Cross-Site Scripting As Attacks Get More Sophisticated

Adopting third-party libraries to encode user input in the development phase and using a web application firewall in the deployment phase could fool web security managers into thinking their web applications are completely safe from Cross-Site Scripting (XSS) attacks. While it’s a good idea to employ these techniques, the illusion of safety could prove costly. These protection methods do not guarantee that your web applications are 100% free of XSS vulnerabilities, and XSS attacks that use more sophisticated techniques still occur, so care should still be taken.


Oracle July 2016 Critical Patch Update

Today Oracle released its July critical patch update, fixing 276 security issues across hundreds of Oracle products. On average in 2015 Oracle fixed about 161 vulnerabilities per update, and the number was 128 in 2014. That makes today's update the largest, and here is a breakdown of the vulnerabilities. Out of the 276 vulnerabilities, 159 can be exploited remotely without authentication, typically over a network without the need for any credentials. The table lists components ordered by the number of issues, and the description below has details. Since most organizations have different teams to patch databases, networking components, operating systems, application servers and ERP systems, I have broken down the massive update into these categories.


CGI application vulnerability httpoxy for PHP, Go, Python and others


A CGI application vulnerability called httpoxy was announced today with coordinated disclosure from many vendors. The vulnerability allows an attacker to remotely set the HTTP_PROXY environment variable on affected servers, which can lead to a number of bad consequences.
