Part of the responsibilities of the Qualys Web Application Firewall (WAF) security team is to analyze newly disclosed vulnerabilities. We must ensure their correct detection, and when necessary, publish security updates that will be pushed onto customers' sensors so they can be protected. For most vulnerabilities, these changes are only cosmetic. The inspection engine already knows all the classic web attack strategies (SQLi, XSS, …), and typically our patches are about displaying specific messages to warn the customer that a known vulnerability has been targeted.
But occasionally, as in the case of the Magento remote code execution (RCE) vulnerability described by Check Point, the vulnerabilities are far more interesting. As I describe in this article, these vulnerabilities live in application-specific protocols layered on top of HTTP. That means a standard web application firewall cannot block them, and custom signatures must be written and deployed to do so. Qualys is writing a set of these custom signatures, called "Application Security Templates," to provide accurate inspection of application-specific behaviors and protocols. They extend and enrich the classic HTTP inspection to provide "state of the art" security for the most well-known applications.