Web applications and REST APIs can be susceptible to a certain class of vulnerabilities that can’t be detected by a traditional HTTP request-response interaction. These vulnerabilities are challenging to find but provide a way for attackers to target otherwise inaccessible, internal systems. An attacker can potentially use this to their advantage. Essentially, a vulnerable application (or API) can be used as a proxy for an attack against a separate internal application, a cloud service, or other protected system.
Earlier this year the Qualys Web Application Scanning team discovered and reported an open redirect vulnerability (CVE-2019-11016) in Elgg, an open source rapid development framework for socially aware web applications, which the Elgg team promptly fixed.
Versions of the Elgg framework before 1.12.18 and 2.3.x versions before 2.3.11 are vulnerable to open redirect via the $url parameter. An attacker could abuse the functionality by entering a particular path that triggers an open redirect to an attacker-controlled website.
Because this type of vulnerability is not uncommon, QID 150051 in Qualys Web Application Scanning (WAS) was improved to report if this type of open redirect vulnerability is found in a scanned web application.
Cookies are ubiquitous in today’s modern web applications. If an attacker can acquire a user’s session cookie by exploiting a cross-site scripting (XSS) vulnerability, by sniffing an unencrypted HTTP connection, or by some other means, then they can potentially hijack a user’s valid session. Obviously, this can have negative implications for an organization and its users, including theft of sensitive application data or unauthorized/harmful actions.
Qualys Web Application Scanning reports when it discovers a cookie delivered over an HTTPS channel without the “secure” attribute set. This detection is useful for verifying correct coding practices for individual web applications & developers, and across your entire organization. Cookies marked with the secure attribute will never be sent over an unencrypted (non-HTTPS) connection, which keeps them safe from prying eyes that may be sniffing network traffic.
Without APIs, it would be near impossible to see enterprises being able to digitally transform themselves. After all, APIs are the connective-tissue between applications and systems and they make the management, automation and consumption of technology possible at scale. APIs are what enable organizations to liberate data from their applications, improve integration, and standardize how claims and information is governed.
However, what about the associated API security risks? That’s the subject Gartner analyst Mark O’Neill tackled in his presentation, API Security: Enabling Innovation Without Enabling Attacks and Data Breaches at Qualys Security Conference 2018. O’Neill sees API vulnerabilities as a serious enterprise risk in the years ahead. In fact, by 2020, he predicts API abuses will be the most frequent attack vector that results in data breaches for enterprise web applications. “We see more and more APIs as a threat vector,” O’Neill said.
Attackers go after APIs, O’Neill said, because they’re a direct way to valuable data and enterprise resources. In addition to stealing data, APIs are also susceptible to other forms of attack, such a denial-of-service attacks, O’Neill said.
So what can organizations do to better secure their APIs and the resources and information they expose?
Cyber criminals are constantly looking for opportunities to infect legitimate websites with malware. They can use infected websites to cryptomine, steal data, hijack systems, deface pages, and do other damage to harm a company’s reputation and impact their users. This can result in lost revenue, and regulatory fines, and potentially drive customers away.
SiteLock researchers recently reported that a website is attacked on average almost 60 times per day, and that 1% of all websites — about 19 million globally — carry malware at any point in time. Those often include websites from large, well-known companies. For example, Newegg, British Airways and Ticketmaster all recently fell prey to the Magecart credit card skimming malware.
It’s clear that anti-virus software, firewalls, and other prevention tools are not enough to defend against the steady stream of ever-evolving malware. Even if a company’s website is secure from external attackers, this does not mean the website is safe from infection from third-party content providers or advertising used on the website.
Firewalls aren’t infallible, and neither are AV products. Perhaps most frustrating of all is that despite years of awareness training, employees still inadvertently click on malicious links and attachments, John Delaroderie, a Qualys Security Solutions Architect, said recently at Microsoft Ignite 2018.
“That’s why you need a superhero sidekick on your team — to find this malware, root it out at the source, and keep your website safe,” he said.
Qualys offers a wide array of security and compliance solutions for your organization. All capabilities are delivered from Qualys Cloud Platform. Visit Qualys Cloud Platform Apps to learn more.
But let’s narrow the discussion to web application security. To have a complete webappsec program, it’s important that ALL of your web applications have some level of security testing. Automated scans using Qualys Web Application Scanning (WAS) are perfect to meet this need given its cloud-based architecture, accuracy, and ability to scale. However, performing manual penetration testing against your most business-critical applications is highly recommended to supplement automated scanning. Manual analysis complements scanning by identifying security holes such as flaws in business logic or authorization that an automated scanner would be incapable of detecting.
One of the most popular tools for manual testing of web apps is Burp Suite Professional. This month Qualys introduced a Burp extension for Qualys WAS to easily import Burp-discovered issues into Qualys WAS. With this integration, Burp issues and WAS findings can be viewed centrally, and webappsec teams can perform integrated analysis of data from manual penetration testing and automated web application scans. The combined data set may also be programmatically extracted via the Qualys API for external analysis.
With more web applications exposing RESTful (or REST) APIs for ease of use, flexibility and scalability, it has become more important for web application security teams to test and secure those APIs. But APIs (including REST APIs) introduce some behaviors that make it difficult for web application scanners to test them for vulnerabilities.
New features in Qualys Web Application Scanning (WAS) overcome these difficulties.
Web application scanners often struggle to scan applications that incorporate parameters into their URL paths, specifically web apps that use URL-rewrite techniques or web apps with REST APIs that take URL parameters. One key approach is to fuzz the application’s URL parameter inputs in order to identify possible injection points for malicious code. But without knowledge of the URL structure, it’s difficult for scanners to fuzz those parameters efficiently and with full coverage, which is required for an effective scan.
On March 8, 2017, Qualys published a detailed blog to describe a critical vulnerability in Apache Struts2 Jakarta multipart parser that exposes vulnerable applications to Remote Command Execution attacks. Exploits of this vulnerability can allow attackers to steal critical data or take control of your application servers.
Qualys Web Application Firewall (WAF) 2.0 allows you to create custom security rules to detect and block attacks that try to exploit this vulnerability.