Web applications and REST APIs can be susceptible to a certain class of vulnerabilities that can’t be detected by a traditional HTTP request-response interaction. These vulnerabilities are challenging to find but provide a way for attackers to target otherwise inaccessible, internal systems. An attacker can potentially use this to their advantage. Essentially, a vulnerable application (or API) can be used as a proxy for an attack against a separate internal application, a cloud service, or other protected system.
Update January 17, 2020: A new detection in Qualys Web Application Scanning was added. See “Detecting with Qualys WAS” below.
Citrix released a security advisory (CVE-2019-19781) for a remote code execution vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway products. The vulnerability allows an unauthenticated remote attacker to execute arbitrary code on the system. Once exploited, remote attackers could obtain access to private network resources without requiring authentication.
Earlier this year the Qualys Web Application Scanning team discovered and reported an open redirect vulnerability (CVE-2019-11016) in Elgg, an open source rapid development framework for socially aware web applications, which the Elgg team promptly fixed.
Versions of the Elgg framework before 1.12.18 and 2.3.x versions before 2.3.11 are vulnerable to open redirect via the $url parameter. An attacker could abuse the functionality by entering a particular path that triggers an open redirect to an attacker-controlled website.
Because this type of vulnerability is not uncommon, QID 150051 in Qualys Web Application Scanning (WAS) was improved to report if this type of open redirect vulnerability is found in a scanned web application.
Last year we released the initial version of the Qualys WAS Burp extension to positive reviews. Customers welcomed the ability to send Burp-identified issues into Qualys Web Application Scanning (WAS) for centralized viewing and reporting of automated scanner findings plus manual pen-test issues from Burp.
Now we are pleased to announce the release of version 2 of the Qualys WAS Burp extension. In addition to the previous functionality, this version allows you to import a WAS finding directly into Burp Repeater to manually validate the vulnerability. Even better is that this new capability works with both Burp Suite Professional and Burp Suite Community Edition.
Due to the fast-growing usage of REST APIs, having a way to test them for vulnerabilities in an automated, reliable way is more important than ever. Automated testing of APIs is a little trickier than for web applications. You can’t simply enter a starting URL for the scanner and click “Go”. Additional setup is required to describe the API endpoints for the scanner. The good news is that Qualys Web Application Scanning (WAS) offers multiple ways to set up a scan for your APIs.
Up to now Qualys WAS has provided two methods to set up scanning of your APIs:
- Proxy capture method
- Swagger/OpenAPI file method
Now, WAS supports a 3rd method – Postman Collections. As we’ll explain, this method can provide better vulnerability testing compared to the others.