Qualys Community

96 posts

Thwarting SQL Injection: Defense in Depth

SQL as a language is vulnerable to injection attacks because it allows mixing of instructions and data, which attackers can conveniently exploit to achieve their nefarious objectives.

The root cause behind successful SQL injection attacks is the execution of user-supplied data as SQL instructions. This classic cartoon illustrates the perils of trusting user inputs, and how they can lead to a successful SQLi attack:

From the webcomic xkcd:

Did you really name your son Robert'); DROP TABLE Students;--

Continue reading …

How Policy Compliance Plays a Mitigation Role to Protect Your System

Vulnerabilities can be serious threats. Once found, system administrators try everything to restore security, such as patching and mitigating. Patching is always the first choice since it’s normally the definitive way to resolve the vulnerability. However, system administrators will sometimes need to mitigate, especially in two cases:

Case 1. A patch has not been released by the vendor.
Case 2. Patching the vulnerability isn’t a high priority in the customer’s environment but still needs to be addressed.

Many vulnerabilities can be mitigated by changing a specific configuration setting in the OS or application. In this blog post, I use HTTPoxy as an example of how Qualys Policy Compliance can play an important role in this type of mitigation by identifying and reporting on all your systems that don’t have the desired configuration.

Continue reading …

Handling Cross-Site Scripting As Attacks Get More Sophisticated

Adopting third-party libraries to encode user input in the development phase and using a web application firewall in the deployment phase could fool web security managers into thinking their web applications are completely safe from Cross-Site Scripting (XSS) attacks. While it’s a good idea to employ these techniques, the illusion of safety could prove costly. These protection methods do not guarantee that your web applications are 100% free of XSS vulnerabilities, and XSS attacks that use more sophisticated techniques still occur, so care should still be taken.

Continue reading …

How Ignoring Low-Level Security Risks Can Open the Door to Major Attacks

With the rise in attacks against web applications, cyber security teams naturally have prioritized the elimination of high-risk threats, such as SQL injections and cross-site scripting (XSS) vulnerabilities. The flip side of this is that many cybersecurity teams choose to ignore or delay the remediation of low-level security vulnerabilities in their web applications. Unfortunately, this isn’t a wise strategy. Underestimating the importance of fixing low-level security issues could create a major problem for an organization. Why? By exploiting a combination of seemingly trivial vulnerabilities, attackers can sometimes open up a big security gap that lets them do extreme damage. In this article, I will demonstrate such a scenario, showing how by taking advantage of several unfixed low-level security issues, an attacker could gain full administrator access to a popular web application.

Continue reading …

The Importance of a Proper HTTP Strict Transport Security Implementation on Your Web Server

About 95 percent of HTTPS servers are vulnerable to connection hijacking, opening the door for hackers to launch man-in-the-middle and other devastating cyber attacks. That’s according to a Netcraft study released about a week ago. The reason for this concerning situation? Only 5 percent of HTTPS servers have a correct implementation of HTTP Strict Transport Security.

Continue reading …

SSL Labs DROWN Test Implementation Details

Two days ago the DROWN vulnerability came to light, showing new ways to attack TLS. SSL Labs deployed tests for DROWN in the staging environment yesterday, and we’ll be pushing it to production shortly. Because DROWN is a tricky problem, the aim of this blog post is to provide an explanation of what we test for and how exactly.

Continue reading …

DROWN at Qualys

On March 1st the DROWN vulnerability in openssl was disclosed. Exploited successfully by an attacker it can lead to decryption of SSL/TLS sessions.

On March 2nd our internal scanning indicated that we had 3 servers that were susceptible to DROWN. These 3 servers were part of a partner facing version of an application that was in the process of being decommissioned. No DNS names were connected to the servers anymore, but the IP addresses were still accessible.

On March 3rd we received a number of queries regarding the configuration of these servers and their susceptibility to DROWN. After verifying with the partner affected to assure that there was no more use of the servers, we turned off access to the respective services.

The certificate that was served on these machines is being reemitted with a new private key.

DROWN Abuses SSL v2 to Attack TLS

A fascinating new research called DROWN has uncovered a previously-unknown vulnerability in SSL v2, the first ever version of SSL that was released in 1995 and declared dead less than a year later. Even though this old version of SSL is not used much these days, it continues to be supported by many servers. The especially bad aspect of this attack is that it can be used to exploit TLS, even in cases when client devices don’t support SSL v2, and sometimes even in cases when the servers don’t support SSL v2 (but use the same RSA key as some other server that does). The researchers estimate that up to 22% of servers could be impacted by this problem.

Continue reading …

Hunting For Vulnerable Functions In Microsoft Silverlight MS16-006

This week Microsoft released a patch for a critical Silverlight issue, MS16-006, and since I worked on Silverlight signatures in the past it caught my eye. It’s a Remote Code Execution vulnerability which allows attackers to run code of his or her choice on the victim machine. I had a hunch that something more was hiding. I started to analyze it as soon as I finished writing signatures for the existing patch. When I was working on the analysis Kaspersky Lab published a great blog post about the story of this vulnerability.

In this blog, I’m presenting analysis of a different function that was also fixed in the same patch.

Continue reading …

How Open Redirection Threatens Your Web Applications

Open redirection is listed in the OWASP Top 10 for 2013 and 2010 (10th position in both lists) since it is still an active threat in modern web applications. Open redirection occurs when a vulnerable web page is redirected to an untrusted and malicious page that may compromise the user.  Open redirection attacks usually come with a phishing attack because the modified vulnerable link is identical to the original site, which increases the likelihood of success for the phishing attack.

While open redirection is not exactly common, my research was able to uncover several open source applications that were vulnerable. In this article, I describe the results of my research, and some recommendations for avoiding open redirection vulnerabilities in your code.

Continue reading …