All Posts

2 posts

Magento RCE And Application Security Templates

Part of the responsibilities of the Qualys Web Application Firewall (WAF) security team is to analyze newly disclosed vulnerabilities. We must ensure they are correctly detected and, when necessary, publish security updates that are pushed to customers' sensors so they are protected. For most vulnerabilities these changes are only cosmetic: the inspection engine already knows the classic web attack techniques (SQLi, XSS, ...), so our patches typically just add a specific message telling the customer that a known vulnerability has been targeted.

But occasionally, as with the Magento remote code execution (RCE) vulnerability described by Check Point, a vulnerability is far more interesting. As I describe in this article, such vulnerabilities live in application-specific protocols layered on top of HTTP. That means generic web application firewall rules cannot block them, and custom signatures must be written and deployed to do so. Qualys is writing a set of these custom signatures, called "Application Security Templates," to provide accurate inspection of application-specific behaviors and protocols. They extend and enrich classic HTTP inspection to provide state-of-the-art protection for the most widely used applications.

Continue reading …

Shellshock: Is Your Webserver Under Attack?

Shellshock has just appeared and already it has left the security industry stunned. Discovered by Stéphane Chazelas of Akamai in bash (the Bourne Again SHell), this new vulnerability is very simple to exploit. And because bash is everywhere on Linux and Unix-like machines and interacts with every part of the operating system, everyone anticipates that it will have a lot of repercussions.
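The check below is an added example, not code from the original post and not a Qualys WAF signature: it shows the kind of inspection a web server operator can run on incoming requests to answer the question in the title. Shellshock (CVE-2014-6271) fires when bash parses an environment variable whose value begins with a function definition, `() {`, and a CGI gateway copies request headers such as User-Agent and Referer into exactly such variables. The sample requests, the regex and the `flag_shellshock` helper are constructed for this illustration.

```python
import re
from typing import Dict, List, Tuple

# Shellshock is triggered when bash imports an environment variable whose
# value starts with a function definition, "() {", and then executes the
# commands that follow the closing "}". A CGI web server exports request
# headers as environment variables (HTTP_USER_AGENT, HTTP_REFERER, ...),
# so a single crafted header reaches bash. The regex tolerates the
# whitespace variants seen in probes: "() { :; };", "(){:;};", "() { :;};".
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request head into (method, target, headers).

    Header names are lower-cased; the body, if any, is ignored because a
    CGI gateway only exports the request line and headers to the environment.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def flag_shellshock(raw: str) -> List[str]:
    """Return the request fields that carry a Shellshock-style function
    definition, in request order. An empty list means no indicator found."""
    _method, target, headers = parse_request(raw)
    hits: List[str] = []
    # The request target can reach bash too (QUERY_STRING / PATH_INFO).
    if SHELLSHOCK_RE.search(target):
        hits.append("request-target")
    # Every header is exported by a CGI gateway, so inspect all of them
    # rather than only the User-Agent that early probes favoured.
    for name, value in headers.items():
        if SHELLSHOCK_RE.search(value):
            hits.append(name)
    return hits


# Constructed sample traffic (not captured data): one benign request and
# two probe variants, one spaced and one compact.
BENIGN = (
    "GET /cgi-bin/status.cgi HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n"
)
PROBE_UA = (
    "GET /cgi-bin/status.cgi HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: () { :; }; /bin/bash -c 'id'\r\n\r\n"
)
PROBE_COMPACT = (
    "GET /cgi-bin/status.cgi HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Referer: (){:;};echo vulnerable\r\n"
    "Cookie: session=abc123\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("probe_ua", PROBE_UA), ("probe_compact", PROBE_COMPACT)):
        print(label, flag_shellshock(req) or "clean")
```

The benign User-Agent contains a parenthesised token but no `() {` sequence, so it is not flagged; both probes are, by the header that carries the payload. A production rule would also normalise URL-encoded and multi-line header values before matching, which this example omits.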

Continue reading …