All Posts

35 posts

Identify Threats in Frameworks that your Application Relies on with Qualys Web Application Scanning

Most organizations that have an application security program use web application scanning, also known as “Dynamic Application Security Testing” (DAST) to automate the identification of security vulnerabilities in their web applications. They use DAST technology to identify vulnerabilities in their own applications and those developed by their partners. However, many of these applications are based on popular frameworks such as WordPress, Joomla and Drupal. While utilizing these frameworks adds many commonly used features, they may also have unidentified vulnerabilities lurking in code that is not developed by the organization. Using a DAST solution like Qualys Web Application Scanning (WAS) can help organizations to identify and mitigate many of the vulnerabilities that may be hidden threats in these open-source frameworks.

Recently, Joomla fixed just such a vulnerability identified by scanning with Qualys WAS.

Continue reading …

XSS Vulnerability Shows How Security Issues Can Creep into Popular Software

After some testing work against the latest releases of two popular applications, Vanilla Forum 2.1.1 and Piwik 2.5.0, I found out that both suffer from cross site scripting (XSS) vulnerabilities caused by a lack of input validation. As a consequence, thousands of live websites using these applications are exposed to XSS attacks due to the wide usage of these two open source web applications.

How Were These Vulnerabilities Introduced in the Application?

When tracking the roadmap of Vanilla Forums, I was surprised that Vanilla Forums developers were actually using a filter to remove dangerous characters from the user-supplied value of parameter DeliveryType in the previous Vanilla 2.0 version (tested with Vanilla 2.0 version).  I could not figure out the reason for removing the filter, but I assume it was accidental. When it comes to Piwik, the vulnerabilities were introduced when a new function was added into Piwik since Piwik 2.2.0 was release on April 7, 2014. When the new function was implemented, no security method was adopted to remove potential security threats. Just give another peek at the roadmap of the security report of Piwik, and you will find that there is a long history of fighting against XSS in this application. But it was hard to eliminate this kind of vulnerability completely because there are always new features added. Same thing happens to Vanilla Forums. A lot of vulnerabilities have been reported and fixed in the past several years if you check the CVE List. However, Vanilla is still suffering from XSS vulnerabilities that were actually eliminated in the previous version. These two examples are not going to conclude that new version is worse than an older version from a security perspective. But it should make you keep in mind that it is very likely that risks of security threats are growing with new features or changes in your web applications due to neglect or lack of security background when the changes or features are implemented in your applications.

Continue reading …

The Best of OWASP – Global AppSec Conference and the 2013 WASPY Awards

The recent Global OWASP AppSec conference the week of November 18 – 22 at the Marriott Marquis in New York City was a great way to learn more about the latest trends in application security and exchange ideas with other application security professionals.  The conference included updates on many of the OWASP projects as well as some interesting presentations such as:

  • OWASP Zed Attack Proxy – Simon Bennetts
  • Hack.me: a new way to learn web application security – Armando Romeo
  • The Perilous Future of Browser Security – RSnake

Continue reading …

Hacking into WordPress Using a Vulnerable Plug-in

WordPress is currently the most popular blogging system in use on the Web, powering over 60 million websites worldwide. There are over 15,000 WordPress plug-ins that extend the functionality of WordPress. But these plug-ins also add numerous security risks making the website vulnerable to attacks. Although core WordPress vulnerabilities exist and may be more challenging to find, most WordPress attacks these days are results of plug-in vulnerabilities followed by default passwords and obsolete software.

Recently, I started exploring various WordPress plug-ins to test if installing a plug-in made the site more vulnerable, and to determine how big of a concern the security of the plug-in was. I started with a few of the popular and top-rated plug-ins. During that exercise, I discovered an HTML Code and Script Injection Vulnerability in the WP Photo Album Plus plug-in.

Continue reading …

Clickjacking: An Overlooked Web Security Hole

Clickjacking is an attack that tricks a web user into clicking a button, a link or a picture, etc. that the web user didn’t intend to click, typically by overlaying the web page with an iframe. This malicious technique can potentially expose confidential information or, less commonly, take control of the user’s computer. For example, on Facebook, a clickjack can lead to an unauthorized user spamming your entire network of friends from your account.

We’ve known about clickjacking, also called “UI redress attacks,” for years now, as they were originally described in 2008 by Robert Hansen and Jeremiah Grossman. There are countermeasures that web sites can implement to protect against clickjacking attacks, such as framebusters, the X-Frame Option and some client-side plug-ins that can be installed in the browser. However, recent studies have shown that web sites may not be taking this vulnerability seriously – or at least they aren’t attempting to protect their web sites from clickjacking.

Continue reading …