Qualys Web Application Scanning 4.9 has added the capability to run web app vulnerability scans on AJAX applications that use JSON input. Specifically, WAS 4.9 can test for SQL injection (SQLi), local file injection (LFI) and PHP command injection. Many web application scanners are capable of detecting SQL injection, LFI, PHP command injection and other vulnerabilities in web applications that use standard GET/POST requests, but they fail to find the same in applications that use JSON input in POST data. To analyze and detect vulnerability in JSON requests, WAS 4.9 added the capability to execute some AJAX scripts in automatic scanning without manual intervention. This capability relies on the SmartScan feature, which customers need to enable in their subscriptions.
On October 15, 2014, Drupal, a free, open source software used to create and manage websites, announced the existence of a vulnerability in its Drupal 7 database API abstraction layer. The vulnerability allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks.
Text and strings form the building blocks of web apps. Developers and content creators mix text with other media, code, and HTML to produce all kinds of apps for our browsers. However, when developers mix text with code or they carelessly place strings inside of HTML they expose the app to one of the most common web-related vulns: HTML Injection, a.k.a. Cross-Site Scripting (XSS). One way this happens is when developers use string concatenation to piece together a web page with static HTML and user-supplied data. For example, think of a site’s search function. When you submit a search request, the site responds with something like, "Here are the results for XYZ," and lists whatever might have matched. HTML injection occurs when the search term contains markup instead of simple text, and the app treats it like this:
<span>Here are the results for "<script>alert(9)</script>"</span>