Back to qualys.com
33 posts

Detecting Apache Struts 2 Namespace RCE: CVE-2018-11776

A new remote code execution vulnerability in Apache Struts 2, CVE-2018-11776, was disclosed yesterday. While this vulnerability does not exist with a default configuration of Struts, it does exist in commonly seen configurations for some Struts plugins.

Update August 24, 2018: A dashboard for this vulnerability is now available to download.

Continue reading …

Introducing a Burp Extension for Integration with Qualys Web Application Scanning

For a complete web application security program, it’s important that all your web applications have some level of security testing.  Automated scans using Qualys Web Application Scanning (WAS) are perfect to meet this need given its cloud-based architecture and ability to scale.  However, performing manual penetration testing of your business-critical applications in addition to automated scanning is highly recommended.  Manual analysis complements automated scanning by identifying security holes such as flaws in business logic or authorization that an automated scanner would be incapable of detecting.

One of the most popular tools for manual testing of web apps is Burp Suite Professional. This month Qualys introduced a Burp extension for Qualys WAS to easily import Burp-discovered issues into Qualys WAS.  With this integration, Burp issues and WAS findings can be viewed centrally, and webappsec teams can perform integrated analysis of data from manual penetration testing and automated web application scans. The combined data set may also be programmatically extracted via the Qualys API for external analysis.

Continue reading …

Qualys WAS Introduces Swagger Support for REST API Security Testing

In the world of application security, testing REST APIs for security flaws is important because APIs can have many of the same application-layer vulnerabilities as browser-based web applications. Examples are SQL injection, command injection, and remote code execution. With the recent release of Qualys Web Application Scanning (WAS) 6.0, testing your REST APIs is easier than ever thanks to support for Swagger.

About Swagger

Swagger is a widely-adopted specification that allows for programmatically describing REST APIs. This is accomplished via a Swagger file, which may be in either JSON or YAML format. The Swagger file provides all the details about the APIs and how to invoke them. This includes information like the HTTP verbs to use (GET, POST, PUT, etc.), the URL paths, allowable parameters and types, authentication mechanisms, and so on.

Continue reading …

Continuous Web Security Assessment for Production and DevOps Environments

Web applications have become essential for business, as they simplify and automate key functions and processes for employees, customers and partners, making organizations more agile, innovative and efficient.

Unfortunately, many web applications are also unsafe due to latent vulnerabilities and insecure configurations. Web application attacks rank as the most likely to trigger a data breach, according to the 2016 and 2017 editions of the Verizon Data Breach Investigations Report.

Those findings are consistent with SANS Institute’s 2016 State of Application Security Report, which found that “public-facing web applications were the largest items involved in breaches and experienced the most widespread breaches.”

“Insecure web applications are a real problem today,” Dave Ferguson, Director of Product Management for Web Application Scanning at Qualys, said during a recent webcast. “Web apps are a foothold into your organization for potential attackers.”

Continue reading …

Qualys WAS: New Detections for XML External Entities (XXE)

In the new 2017 edition of the OWASP Top 10, XML External Entities (XXE) make their first appearance at #A4 on the list. Qualys is pleased to announce that Qualys Web Application Scanning (WAS) engine 4.4 includes new detection capabilities for XXE vulnerabilities.

Continue reading …

Case Study: Cisco Group Bakes Security into Web App Dev Process

“To know what is right and not do it is the worst cowardice.”

That phrase was uttered by Confucius 2,500 years ago, but reflects the spirit behind a recent revamp of a Cisco web app development process that made it more effective and secure.

“This is important as we talk about the secure software development lifecycle, because we weren’t doing what we needed to do, even though we knew what was right,” said Robert Martin, security engineer in Cisco’s Government Trust and Technology Services group.

In a nutshell, the process had fallen into a vicious cycle that pleased no one: Little communication between developers and security pros, combined with late vulnerability scans, yielded buggy software that had to be belatedly fixed, leading to missed deployment deadlines.

“We were making the same mistakes over and over again, and we weren’t making any corrections,” Martin said.

Sound familiar? This is a scenario in which countless organizations have found themselves. After years of using a linear, siloed model for creating and releasing software, organizations discover that this approach doesn’t work well in the era of rapid, agile web development and deployment.

To the credit of Martin and his group, they did something about this, instead of simply plodding along and settling for the status quo.

Continue reading …

Lessons Learned from SQL Injection Fix in Joomla 3.7.0

The Joomla community recently patched a SQL injection vulnerability introduced in Joomla 3.7.0. The article reporting this vulnerability explains how to identify the vulnerability (which was discovered via static code analysis) and how to craft an attack, e.g.

http://example.com/joomla/index.php?option=com_fields&view=fields&layout=modal&
list[fullordering]=exploitation_code

After reviewing the description of the vulnerability, I wondered whether an automated web application scanner, known as a DAST (Dynamic Application Security Testing) tool, could identify an instance of this vulnerability without digging into the source code.

Continue reading …

Virtual Patching: A Lifesaver for Web App Security

Here’s a common scenario organizations increasingly face: Too many web apps with too many vulnerabilities and no chance for immediate remediation.

In the interim, the organization is left exposed to potentially devastating breaches, at a time when web apps have become one of cyber attackers’ favorite targets.

Continue reading …

PCI DSS v3.2 & Migrating from SSL and Early TLS v1.1

SSL & Early TLS vulnerabilities such as QID 38628 “SSL/TLS Server supports TLSv1.0”\ will be marked as a Fail for PCI as of May 1, 2017 in accordance with the PCI DSS v3.2.  For existing implementations, merchants will be able to submit a PCI False Positive / Exception Request and provide proof of their Risk Mitigation & Migration Plan, which will result in a pass for PCI until June 30, 2018.

Continue reading …

Microsoft IIS 6.0 Buffer Overflow Zero Day

A new zero-day vulnerability (CVE-2017-7269) impacting Microsoft IIS 6.0 has been announced with proof-of-concept code. This vulnerability can only be exploited if WebDAV is enabled. IIS 6.0 is a component of Microsoft Windows Server 2003 (including R2.) Microsoft has ended support for Server 2003 on July 14, 2015, which means that this vulnerability will most likely not be patched. It is recommended that these systems be upgraded to a supported platform. The current workaround is to disable the WebDAV Web Service Extension if it is not needed by any web applications.

The Qualys Cloud Platform can help you detect the vulnerability, track and manage Server 2003 Assets, as well as block exploits against web-based vulnerabilities like this one.

Continue reading …