For a complete web application security program, it’s important that all your web applications have some level of security testing.  Automated scans using Qualys Web Application Scanning (WAS) are perfect to meet this need given its cloud-based architecture and ability to scale.  However, performing manual penetration testing of your business-critical applications in addition to automated scanning is highly recommended.  Manual analysis complements automated scanning by identifying security holes such as flaws in business logic or authorization that an automated scanner would be incapable of detecting.

One of the most popular tools for manual testing of web apps is Burp Suite Professional. This month Qualys introduced a Burp extension for Qualys WAS to easily import Burp-discovered issues into Qualys WAS.  With this integration, Burp issues and WAS findings can be viewed centrally, and webappsec teams can perform integrated analysis of data from manual penetration testing and automated web application scans. The combined data set may also be programmatically extracted via the Qualys API for external analysis.

Continue reading …

Qualys Web Application Scanning 4.9 has added the capability to run web app vulnerability scans on AJAX applications that use JSON input. Specifically, WAS 4.9 can test for SQL injection (SQLi), local file injection (LFI) and PHP command injection. Many web application scanners are capable of detecting SQL injection, LFI, PHP command injection and other vulnerabilities in web applications that use standard GET/POST requests, but they fail to find the same in applications that use JSON input in POST data. To analyze and detect vulnerability in JSON requests, WAS 4.9 added the capability to execute some AJAX scripts in automatic scanning without manual intervention. This capability relies on the SmartScan feature, which customers need to enable in their subscriptions.

Continue reading …

The X-Frame-Options HTTP response header is a common method to protect against the clickjacking vulnerability since it is easy to implement and configure, and all modern browsers support it. As awareness of clickjacking has grown in the past several years, I have seen more and more Qualys customers adopt X-Frame-Options to improve the security of their web applications.

However, I have also noticed there is a common implementation mistake that causes some web applications to be vulnerable to clickjacking attack even though they have X-Frame-Options configured. In this article, I describe the implementation mistake and show how to check your web applications to ensure X-Frame-Options is implemented correctly.

Continue reading …

Sometimes standard web application scanning techniques are too intrusive. The web application owner may not want to run a scan that tests for a vulnerability by uploading application data because that might have negative side effects for the application. It can be better to use an indirect method like web application fingerprinting which inspects static files in the web app to determine its version, and then reports the known vulnerabilities for that version.

Continue reading …

Here’s a short story about a simple vulnerability that was easy to fix, but nonetheless could have had serious consequences.

Imagine an attacker, who doesn’t even have root access, being able to:

-  Get source code from the community of Pebble watch developers

-  Replace their binaries with malicious ones

-  Deploy the malicious binaries to the developers’ watches when they click the ‘Remote Deployment’ button.

Continue reading …