Magento RCE And Application Security Templates

Part of the responsibilities of the Qualys Web Application Firewall (WAF) security team is to analyze newly disclosed vulnerabilities. We must ensure their correct detection, and when necessary, publish security updates that will be pushed onto customers' sensors so they can be protected. For most vulnerabilities, these changes are only cosmetic. The inspection engine already knows all the classic web attack strategies (SQLi, XSS, …), and typically our patches are about displaying specific messages to warn the customer that a known vulnerability has been targeted.

But occasionally, as in the case of the Magento remote code execution (RCE) vulnerability described by Check Point, the vulnerabilities are far more interesting. As I describe in this article, these vulnerabilities live in application-specific protocols layered on top of HTTP. That means standard web application firewalls cannot block them, and custom signatures have to be written and deployed to do so. Qualys is writing a set of these custom signatures, called "Application Security Templates," to provide accurate inspection of application-specific behaviors and protocols. They extend and enrich classic HTTP inspection to provide state-of-the-art security for the most well-known applications.

WordPress: When Half of all Websites are Vulnerable

On April 21, WordPress issued a critical security release and "strongly encouraged" its customers to update their websites "immediately." In general, the use of such alarming terms is symptomatic of a significant threat. And indeed it is.

WordPress so dominates the CMS market that nearly 50% of all websites are based on it. This recent security release fixes multiple vulnerabilities so serious that an attacker may be able to obtain administrator access on any of those millions of websites. The most serious vulnerability affects WordPress version 4.1.1 and earlier.

Web Application Firewall Defends Your Web Apps

This week at RSA Conference 2014 in San Francisco, Qualys announced the general availability of QualysGuard Web Application Firewall.

QualysGuard WAF is designed to be *the* simple, scalable way to defend your web applications. Using virtual appliances running in either Amazon EC2 or VMware’s vCenter platform, QualysGuard WAF sensors (which analyze traffic to and from your applications) can be deployed rapidly with a minimal level of security expertise. It uses a new approach to strong web app security that evolves and adapts to the changing threat environment.

The New Continuous Monitoring Service and the GA of QualysGuard WAF

Today at RSA Conference, Qualys announced its new Continuous Monitoring service, which lets customers continuously monitor mission-critical assets across their perimeter and be alerted immediately to anomalies that could expose them to cyber attacks. The service gives organizations the ability to proactively identify threats and unexpected changes in Internet-facing devices within their DMZ, cloud-based environments, and web applications before attackers breach them, bringing a new paradigm to vulnerability management.

Qualys Announces Web Application Firewall (WAF) Beta Availability

Qualys today announced that it will release the beta of its new cloud WAF solution as an Amazon Machine Image (AMI) and as a VMware virtual image for on-premises deployments starting August 1. Qualys' new WAF service is delivered through the multitenant, highly scalable QualysGuard Cloud Platform, and is designed to provide:

  • Real-time application defense, blocking attacks against websites in real-time.
  • Application hardening, minimizing application attack surfaces by providing a shield around coding defects, application framework flaws, web server bugs and loose configurations.
  • Low-cost, automated service maintained and updated by Qualys’ security experts providing new defenses and features transparently to users and site visitors.
  • A multitude of deployment options for distributed WAF protection points managed through a common, central policy administration and reporting interface with APIs for integration.

Qualys will showcase these new capabilities this week at Black Hat USA 2013 Briefings – booth #401 – on July 31-August 1. Read the full announcement.

Protocol-Level Evasion of Web Application Firewalls

Web application firewalls have come a long way from their modest beginnings more than a decade ago. They are now an accepted security best practice and have a significant role in compliance. But there is still a lot left to do before they can unlock their full potential.

There is one aspect in particular that interests me a great deal, and that is the ability of end users to verify the operation of WAFs and measure their technical quality. Understandably, vendors are reluctant to talk about the weaknesses in their products. However, understanding the weak points is critical for effective deployments. We cannot claim to have achieved any level of security otherwise. As always with these things, we should assume that our adversaries already know about those weaknesses; but how can we know too? Simple, by forcing the issue out in the open.

Today at Black Hat we are announcing a new research project on protocol-level evasion of web application firewalls. This type of evasion focuses on the low-level operation of WAFs, aiming to exploit small differences between how WAFs see traffic and how backend web servers and applications see it. If you can get the WAF to see something different from what the backend sees, you have an evasion opportunity that could be used to deliver any attack type without detection.

I spent a great deal of effort on protocol-level evasion in my years of working on ModSecurity (an open source web application firewall I started in 2002, and worked on until 2009). I imagine all WAF manufacturers spend a lot of effort in this area, yet this topic is seldom discussed in public. It is our aim to change this. Our focus on protocol-level evasion is part of our work on IronBee, a new open source web application firewall we are building at Qualys.

Attached to this post is our research paper, which focuses on request path, parameter, and multipart/form-data evasion. Also attached are the Black Hat talk slides that introduce the research. The testing suite (a sort of research toolkit) is in the IronBee WAF Research repository on GitHub.

Attachments:

  • Protocol-Level Evasion of Web Application Firewalls (research paper, 254.4 K)
  • Protocol-Level Evasion of Web Application Firewalls (slides, 1.7 M)