All Posts

44 posts

As Web Apps Become Top Data Breach Vector, Protecting Them is Critical

There’s one thing that businesses, their customers and cyber criminals have in common: They all love web applications. The reasons for their affection, of course, vary.

Web apps add agility to organizations’ operations such as sales, marketing and customer support, and make business transactions more convenient for customers. Meanwhile, hackers salivate at web apps’ often porous attack surfaces and at their links to backend databases full of confidential information.

With web apps now a key tool for millions of businesses, as well as a major target for criminals, a troubling trend is emerging: The number of successful attacks against them is rising, along with the costs to recover from the resulting data breaches.

As web services power digital transformations in B2B and B2C e-commerce, mobility, IoT and cloud computing, organizations must prioritize web app protection, which infosec teams have historically overlooked.

Continue reading …

Thwarting SQL Injection: Defense in Depth

SQL as a language is vulnerable to injection attacks because it allows mixing of instructions and data, which attackers can conveniently exploit to achieve their nefarious objectives.

The root cause behind successful SQL injection attacks is the execution of user-supplied data as SQL instructions. This classic cartoon illustrates the perils of trusting user inputs, and how they can lead to a successful SQLi attack:

From the webcomic xkcd:

Did you really name your son Robert'); DROP TABLE Students;--

Continue reading …

Testing AJAX Applications with JSON Input for Vulnerabilities Using Qualys WAS

Qualys Web Application Scanning 4.9 has added the capability to run web app vulnerability scans on AJAX applications that use JSON input. Specifically, WAS 4.9 can test for SQL injection (SQLi), local file injection (LFI) and PHP command injection. Many web application scanners are capable of detecting SQL injection, LFI, PHP command injection and other vulnerabilities in web applications that use standard GET/POST requests, but they fail to find the same in applications that use JSON input in POST data. To analyze and detect vulnerability in JSON requests, WAS 4.9 added the capability to execute some AJAX scripts in automatic scanning without manual intervention. This capability relies on the SmartScan feature, which customers need to enable in their subscriptions.

Continue reading …

WAS 4.6 Adds Option to Remove Unused Assets from Subscription when Deprovisioning

Previously when deprovisioning an asset in Qualys Web Application Scanning (WAS) and Web Application Firewall (WAF), we were not able to delete the associated asset in the platform visible in AssetView (AV). This feature has now been added to Qualys WAS and Qualys WAF.

Continue reading …

Protect Against the Joomla SQL Injection Vulnerability

Joomla logoA few days ago, SpiderLabs researcher Osaf Orpani disclosed an important vulnerability targeting Joomla, one of the most popular Content Management Systems (CMS). By exploiting this vulnerability, researchers were able to remotely gain full administrative access to the CMS.

Joomla versions 3.2 to 3.4.4 are affected by this major security issue. Since the vulnerability targets the core of the CMS, all websites based on Joomla are vulnerable, whatever the modules used.

Continue reading …

Clickjacking: A Common Implementation Mistake Can Put Your Websites in Danger

The X-Frame-Options HTTP response header is a common method to protect against the clickjacking vulnerability since it is easy to implement and configure, and all modern browsers support it. As awareness of clickjacking has grown in the past several years, I have seen more and more Qualys customers adopt X-Frame-Options to improve the security of their web applications.

However, I have also noticed there is a common implementation mistake that causes some web applications to be vulnerable to clickjacking attack even though they have X-Frame-Options configured. In this article, I describe the implementation mistake and show how to check your web applications to ensure X-Frame-Options is implemented correctly.

Continue reading …

WordPress: When Half of all Websites are Vulnerable

On April 21, WordPress issued a critical security release and “strongly encouraged” their customers to update their webites “immediately.” In general, the use of these alarming terms is symptomatic of a significant threat. And it is indeed.

WordPress is so overwhelming the CMS market that nearly 50% of all websites are based on it. This recent security release fixes multiple vulnerabilities so important that an attacker may be able to obtain administrator access on any of those millions of websites. The most sensitive vulnerability is targeting WordPress version 4.1.1 and earlier.

Continue reading …

How a Missing Security Check Enabled a CSRF Attack

Cross-site scripting (XSS) and cross-site request forgery (CSRF) have been well-known attack vectors for a long time. In my previous articles, I describe how XSS vulnerabilities can be used to attack popular open source web applications and application frameworks, and how some web applications are compromised by CSRF attacks because of implementation flaws on the server side.

Attackers can also combine these two vulnerabilities to launch attacks that bypass prevention measures. This article illustrates how an attacker could execute a XSS attack to get the anti-CSRF token, which could then be used in a CSRF attack to gain administrator privileges in the application.

Continue reading …

Do Your Anti-CSRF Tokens Really Protect Your Web Apps from CSRF Attacks?

Cross-Site Request Forgery (CSRF) is an attack that tricks the victim’s browser into executing malicious requests designed by the attacker.  A successful CSRF attack can force the victim’s browser to perform state-changing requests like transferring funds or changing his email address. Clearly these are attacks that need to be prevented.

Continue reading …

Identify Threats in Frameworks that your Application Relies on with Qualys Web Application Scanning

Most organizations that have an application security program use web application scanning, also known as “Dynamic Application Security Testing” (DAST) to automate the identification of security vulnerabilities in their web applications. They use DAST technology to identify vulnerabilities in their own applications and those developed by their partners. However, many of these applications are based on popular frameworks such as WordPress, Joomla and Drupal. While utilizing these frameworks adds many commonly used features, they may also have unidentified vulnerabilities lurking in code that is not developed by the organization. Using a DAST solution like Qualys Web Application Scanning (WAS) can help organizations to identify and mitigate many of the vulnerabilities that may be hidden threats in these open-source frameworks.

Recently, Joomla fixed just such a vulnerability identified by scanning with Qualys WAS.

Continue reading …