Organizations that use automated scanners to test the security of their web apps must watch out for instances where these tools may trigger user account lockouts inadvertently. Here we explain why this occurs and offer some tips for how to prevent this from happening with Qualys Web Application Scanning (WAS).
After some testing work against the latest releases of two popular applications, Vanilla Forum 2.1.1 and Piwik 2.5.0, I found out that both suffer from cross site scripting (XSS) vulnerabilities caused by a lack of input validation. As a consequence, thousands of live websites using these applications are exposed to XSS attacks due to the wide usage of these two open source web applications.
How Were These Vulnerabilities Introduced in the Application?
When tracking the roadmap of Vanilla Forums, I was surprised that Vanilla Forums developers were actually using a filter to remove dangerous characters from the user-supplied value of parameter DeliveryType in the previous Vanilla 2.0 version (tested with Vanilla 2.0 version). I could not figure out the reason for removing the filter, but I assume it was accidental. When it comes to Piwik, the vulnerabilities were introduced when a new function was added into Piwik since Piwik 2.2.0 was release on April 7, 2014. When the new function was implemented, no security method was adopted to remove potential security threats. Just give another peek at the roadmap of the security report of Piwik, and you will find that there is a long history of fighting against XSS in this application. But it was hard to eliminate this kind of vulnerability completely because there are always new features added. Same thing happens to Vanilla Forums. A lot of vulnerabilities have been reported and fixed in the past several years if you check the CVE List. However, Vanilla is still suffering from XSS vulnerabilities that were actually eliminated in the previous version. These two examples are not going to conclude that new version is worse than an older version from a security perspective. But it should make you keep in mind that it is very likely that risks of security threats are growing with new features or changes in your web applications due to neglect or lack of security background when the changes or features are implemented in your applications.
Qualys today announced that QualysGuard WAS won the 2013 Information Security™ Magazine (ISM) and SearchSecurity.com™ Reader’s Choice Award for Application Security. The eighth annual Readers’ Choice Awards surveyed Information Security readers, asking for their votes and ratings on top security products in 19 categories, with participants asked to only vote on the products in use in their environments. The QualysGuard WAS cloud service was rated the highest in the Application Security category for helping enterprises identify and remediate issues before attackers can find and exploit them.
Qualys today announced that it will release the beta of its new cloud WAF solution as an Amazon Machine Image (AMI) and as a VMware virtual image for on-premise deployments starting August 1. Qualys’ new WAF service is delivered through the multitenant, highly scalable QualysGuard Cloud Platform, designed to provide:
- Real-time application defense, blocking attacks against websites in real-time.
- Application hardening, minimizing application attack surfaces by providing a shield around coding defects, application framework flaws, web server bugs and loose configurations.
- Low-cost, automated service maintained and updated by Qualys’ security experts providing new defenses and features transparently to users and site visitors.
- A multitude of deployment options for distributed WAF protection points managed through a common, central policy administration and reporting interface with APIs for integration.
Qualys will showcase these new capabilities this week at Black Hat USA 2013 Briefings – booth #401 – on July 31-August 1. Read the full announcement.