Indusface Product Newsletter - August 19

Updated 3 weeks ago by aparna

August 2019 Edition

Greetings! It's been a while; apologies for that. A lot has changed since the last update, so let's look at the highlights.



WEB APPLICATION SCANNING



On the WAS side, the major focus remained on improving coverage and continuing to add value for our customers. The major advances on the WAS side are as follows:


Signature Updates


Signatures were updated or added to find additional vulnerabilities. Details below:

PHP Deserialization

This check is triggered when user-controlled input reaches PHP's unserialize() function, typically in a publicly exposed API that accepts serialized data without authentication. An attacker who controls the serialized string can instantiate arbitrary classes and abuse their magic methods (__wakeup, __destruct and similar), which in real applications has led to arbitrary file deletion and remote code execution. The safe alternative is to exchange data in a format such as JSON, or at minimum to restrict unserialize() with its allowed_classes option.
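The scanner-side precondition for this finding is an application that round-trips serialize() output through cookies or parameters. The following added example (written for this newsletter's explanation, not Indusface's scanner code) parses the PHP serialization grammar in Python and reports the class names of any objects a request value carries, which is what a scanner would flag before attempting any gadget chain. The cookie value and helper names are constructed for the example.

```python
"""Scanner-side check for PHP-serialized data in user-controlled values.

An application that round-trips serialize() output through cookies or request
parameters is the precondition for the unserialize() issue described above.
This parser walks the PHP serialization grammar and reports the class names of
any objects it finds. The cookie value at the bottom is constructed.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Tuple


class PHPSerializeError(ValueError):
    """Raised when the input is not well-formed PHP serialize() output."""


@dataclass
class PHPObject:
    cls: str
    props: Dict[Any, Any] = field(default_factory=dict)


def _parse(data: str, pos: int) -> Tuple[Any, int]:
    """Parse one value starting at data[pos]; return (value, next_pos)."""
    tag = data[pos]
    if tag == "N":                                   # N;
        return None, pos + 2
    if tag in "bid":                                 # b:1;  i:42;  d:1.5;
        end = data.index(";", pos)
        raw = data[pos + 2:end]
        value: Any = raw == "1" if tag == "b" else int(raw) if tag == "i" else float(raw)
        return value, end + 1
    if tag == "s":                                   # s:<len>:"<bytes>";
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                            # skip the :" pair
        value = data[start:start + length]
        if data[start + length:start + length + 2] != '";':
            raise PHPSerializeError(f"string length mismatch at {pos}")
        return value, start + length + 2
    if tag in "aO":                                  # a:<n>:{...}  O:<len>:"<class>":<n>:{...}
        cls = None
        if tag == "O":
            colon = data.index(":", pos + 2)
            name_len = int(data[pos + 2:colon])
            cls = data[colon + 2:colon + 2 + name_len]
            pos = colon + 2 + name_len + 1           # now at the ':' before the count
        else:
            pos = pos + 1                            # now at the ':' before the count
        colon = data.index(":", pos + 1)
        count = int(data[pos + 1:colon])
        pos = colon + 2                              # skip the :{ pair
        items: Dict[Any, Any] = {}
        for _ in range(count):
            key, pos = _parse(data, pos)
            val, pos = _parse(data, pos)
            items[key] = val
        if data[pos] != "}":
            raise PHPSerializeError(f"unterminated container at {pos}")
        return (PHPObject(cls, items) if cls is not None else items), pos + 1
    raise PHPSerializeError(f"unsupported type tag {tag!r} at {pos}")


def php_unserialize(data: str) -> Any:
    """Parse a complete serialize() string. Decode raw bytes as latin-1 first
    so that PHP's byte lengths line up with character offsets."""
    try:
        value, end = _parse(data, 0)
    except (IndexError, ValueError) as exc:          # truncated input, bad numbers
        raise PHPSerializeError(str(exc)) from exc
    if end != len(data):
        raise PHPSerializeError(f"trailing data after offset {end}")
    return value


def find_php_objects(value: Any) -> List[str]:
    """Class names of every object nested anywhere in a parsed value."""
    found: List[str] = []
    if isinstance(value, PHPObject):
        found.append(value.cls)
        found.extend(find_php_objects(value.props))
    elif isinstance(value, dict):
        for v in value.values():
            found.extend(find_php_objects(v))
    return found


def audit_parameter(raw: str) -> List[str]:
    """Object classes carried by a request value, or [] when the value is not
    PHP-serialized at all (the common, harmless case)."""
    try:
        return find_php_objects(php_unserialize(raw))
    except PHPSerializeError:
        return []


# Constructed cookie value: an array wrapping a User object, as a PHP app that
# stores serialized session state client-side might emit.
SAMPLE_COOKIE = 'a:2:{s:4:"user";O:4:"User":2:{s:4:"name";s:5:"alice";s:5:"admin";b:0;}s:3:"ttl";i:3600;}'
```

Any non-empty result from audit_parameter() is worth a finding on its own: the application is letting the client dictate which classes unserialize() instantiates. Reference (r/R) and custom (C) encodings are deliberately rejected so the checker fails closed on input it does not understand.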

Ruby on Rails XML/JSON Processor YAML Deserialization Code Execution Vulnerability (CVE-2013-0156)

A deserialization vulnerability in the XML request parameter parser: affected Rails versions converted YAML-typed XML parameters with YAML.load, so an attacker can instantiate arbitrary Ruby objects and execute arbitrary Ruby code in the context of the application; the same flaw can also be used for authentication bypass, SQL injection or denial of service. Rails 2.x and 3.x releases before the January 2013 fixes (2.3.15, 3.0.19, 3.1.10 and 3.2.11) are affected, and the signature has been tested against vulnerable 2.x and 3.x versions.

Browsable Web Directory

This is triggered when a web directory is found to be browsable, meaning anyone can list its contents. Browsable directories can expose files the application never linked to, including CGI scripts, data files, or backup copies of pages.

Oracle WebLogic Server Deserialization Remote Command Execution Bypass Vulnerability (CVE-2019-2729)

Oracle WebLogic Server ships the wls9_async_response.war and wls-wsat.war web applications by default to provide asynchronous web service communication. Both deserialize attacker-supplied XML (via XMLDecoder) without authentication, so an unauthenticated attacker can send a crafted HTTP request and execute commands on the target with the privileges of the WebLogic server process. CVE-2019-2729 is a bypass of the earlier fix for CVE-2019-2725.

HTTP TRACK Method

The HTTP TRACK method (a Microsoft IIS alias of TRACE) echoes the full HTTP request back to the requesting client for proxy-debugging purposes. An attacker who can run script in a victim's browser could historically use XMLHTTP, ActiveX or XMLDOM to make the browser issue a TRACK request and read the echoed Cookie and Authorization headers, including cookies marked HttpOnly. This is known as Cross-Site Tracing (XST) rather than Cross-Site Scripting. Modern browsers refuse to send TRACE or TRACK from script, so the practical client-side risk is now low, but the method serves no purpose on a production server and should be disabled.
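How a scanner confirms the finding, as an added example (not the vendor's scanner code): send a TRACK or TRACE request carrying a unique marker header and look for the marker echoed back in a message/http body. The response bytes below are constructed so the evaluation runs offline; the header name X-Xst-Probe and the helper names are assumptions of this example.

```python
"""Active check for HTTP TRACE/TRACK (cross-site tracing).

The probe carries a marker header value the server cannot know; a server that
implements TRACE/TRACK echoes the request as a message/http body, so seeing
the marker come back proves the method is enabled. probe_server() performs
the exchange; method_echoes_request() evaluates any captured response and is
exercised here on constructed responses.
"""
import secrets
import socket
from typing import Dict, Tuple


def build_probe(method: str, host: str, marker: str) -> bytes:
    """Raw HTTP/1.1 request; the marker header is the thing we expect echoed."""
    lines = [
        f"{method} / HTTP/1.1",
        f"Host: {host}",
        f"X-Xst-Probe: {marker}",
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], str]:
    """Split a raw response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("iso-8859-1")


def method_echoes_request(raw: bytes, marker: str) -> bool:
    """True only if the server answered 200 with our request reflected back."""
    status, headers, body = parse_response(raw)
    if status != 200:                 # 405/501 mean the method is refused: not vulnerable
        return False
    ctype = headers.get("content-type", "")
    # A genuine TRACE reply is message/http; a 200 HTML page that merely
    # ignores the method must not count, hence both conditions.
    return ctype.startswith("message/http") and marker in body


def probe_server(host: str, port: int = 80, method: str = "TRACK", timeout: float = 5.0) -> bool:
    """Send one probe over plain TCP and evaluate the reply."""
    marker = secrets.token_hex(8)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_probe(method, host, marker))
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return method_echoes_request(b"".join(chunks), marker)


# Constructed responses for offline evaluation (the body below is exactly
# 90 bytes, matching the declared Content-Length).
MARKER = "d3adbeef0badf00d"
ECHOED = (
    b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\nContent-Length: 90\r\n\r\n"
    b"TRACK / HTTP/1.1\r\nHost: example.test\r\nX-Xst-Probe: d3adbeef0badf00d\r\n"
    b"Connection: close\r\n\r\n"
)
REFUSED = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\nContent-Length: 0\r\n\r\n"
```

Run probe_server() twice, once with "TRACE" and once with "TRACK", because IIS historically answered TRACK even where TRACE had been turned off.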

Session Cookie Manipulation

A cookie is a small piece of data set by the web server and stored by the browser, often carrying session or personal information. If cookie attributes are misconfigured, or cookie values are trusted by the application without validation, this can lead to vulnerabilities such as session fixation and cookie-based XSS or SQL injection.

Cookie Overly Broad Path

The cookie Path attribute restricts the URL paths for which the browser sends the cookie. If an overly broad path such as the root '/' is set, the cookie is also sent to every other application hosted on the same domain. Exposing a session identifier to all applications on a domain can disclose it to a weaker application and let the compromise of one application spread to another. Note that Path is a scoping aid, not a security boundary: the same-origin policy ignores paths, so a script on another path of the same host can still read the cookie through a frame. Keep HttpOnly set and, where possible, put separate applications on separate hostnames.

Weak Session ID

The session ID is the cookie value that identifies an authenticated user for the rest of their session. If it is short or predictable (sequential, time-based, or otherwise low in entropy), an attacker can guess a valid ID and hijack the session, impersonating a legitimate user and using the application maliciously.
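The three cookie checks above (attribute misconfiguration, overly broad Path, weak session ID) are shown together in this added example, which is illustrative code written for this page rather than Indusface's signature logic. It parses Set-Cookie header values, flags attribute problems relative to the path the application is mounted on, and scores session IDs with a single-sample entropy heuristic plus a constant-step test across IDs from successive logins. All headers and IDs are constructed; the 16-character and 64-bit thresholds are assumptions chosen for the example.

```python
"""Passive checks for session cookies.

parse_set_cookie() reads a Set-Cookie header value, cookie_findings() flags
missing HttpOnly / Secure / SameSite and a Path broader than the application's
own path, and session_id_findings() scores identifiers for predictability:
short length, low observed entropy, or a constant step between IDs issued in
succession. All sample headers and IDs are constructed.
"""
import math
from collections import Counter
from typing import Dict, List


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Return {'name', 'value', <lower-cased attribute>: value}; bare flags map to ''."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie


def cookie_findings(header: str, app_path: str = "/") -> List[str]:
    """Attribute weaknesses for a cookie set by an application mounted at app_path."""
    c = parse_set_cookie(header)
    findings = []
    if "httponly" not in c:
        findings.append("missing HttpOnly")
    if "secure" not in c:
        findings.append("missing Secure")
    if "samesite" not in c:
        findings.append("missing SameSite")
    # Without an explicit Path the browser uses the request URI's directory
    # (RFC 6265 default-path), so only an explicit, broader Path is flagged.
    path = c.get("path")
    if path and path != app_path and app_path.startswith(path.rstrip("/") + "/"):
        findings.append(f"Path={path} is broader than the application path {app_path}")
    return findings


def observed_entropy_bits(value: str) -> float:
    """Shannon entropy of the character distribution, times length.

    A single-sample heuristic: it cannot see the generator, so it only catches
    IDs that are obviously structured; it never certifies an ID as strong."""
    n = len(value)
    if n == 0:
        return 0.0
    return -sum(k / n * math.log2(k / n) for k in Counter(value).values()) * n


def session_id_findings(ids: List[str]) -> List[str]:
    """Predictability findings over IDs captured from successive logins.

    Thresholds (16 chars, 64 bits) are this example's assumptions."""
    findings = []
    if any(len(i) < 16 for i in ids):
        findings.append("session id shorter than 16 characters")
    if any(observed_entropy_bits(i) < 64 for i in ids):
        findings.append("session id shows fewer than 64 bits of observed entropy")
    if len(ids) >= 3:
        try:
            nums = [int(i, 16) for i in ids]
        except ValueError:               # not hex: the step test does not apply
            nums = []
        steps = {b - a for a, b in zip(nums, nums[1:])}
        if len(steps) == 1:              # every consecutive pair differs by the same amount
            findings.append(f"session ids change by a constant step of {steps.pop()}")
    return findings


# Constructed samples.
WEAK_COOKIE = "sid=1001; Path=/"
GOOD_COOKIE = "sid=9f86d081884c7d659a2feaa0c55ad015; Path=/shop; Secure; HttpOnly; SameSite=Lax"
SEQUENTIAL_IDS = ["00000000000003e8", "00000000000003e9", "00000000000003ea"]
```

The constant-step test is the one that matters most in practice: an ID can be long and hex-looking and still be a counter padded with zeros, which the entropy heuristic alone would only partly reveal.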

XML External Entity (XXE) Injection Vulnerability

An XML external entity is a parsed entity whose content is fetched from a declared system identifier, a URI that the XML processor resolves when it expands the entity. XML input containing a reference to an external entity, processed by a weakly configured XML parser, can lead to disclosure of confidential files, denial of service, server-side request forgery, port scanning from the perspective of the host running the parser, and other system impacts.
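The weak parser configuration beside the hardened one, as an added example using Python's standard xml.sax module (this is illustrative code for the page, not the scanner's payload). With external general entities enabled, the parser dereferences the entity's SYSTEM identifier and splices the file contents into the document, which is the file-read primitive described above; with the feature left off, the reference is skipped. The secret file, its contents and the payload are constructed for the demonstration.

```python
"""XXE: the weak xml.sax configuration beside the corrected one.

Once external general entities are enabled, Python's xml.sax fetches the
SYSTEM identifier of a declared entity and delivers its contents as character
data, exactly the file-read primitive XXE gives an attacker. The secret file
and the payload are constructed for this demonstration.
"""
import io
import os
import tempfile
import xml.sax
from typing import Tuple
from xml.sax import handler


class TextCollector(handler.ContentHandler):
    """Gathers the character data the application would go on to use."""

    def __init__(self) -> None:
        super().__init__()
        self.chunks = []

    def characters(self, content: str) -> None:
        self.chunks.append(content)

    def text(self) -> str:
        return "".join(self.chunks)


def xxe_payload(secret_path: str) -> bytes:
    """Attacker input: declare an external entity for a local file and
    reference it where the application expects ordinary text."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE order [<!ENTITY leak SYSTEM "{secret_path}">]>\n'
        "<order><note>&leak;</note></order>"
    ).encode()


def parse_note(payload: bytes, allow_external_entities: bool) -> str:
    """Parse the document and return the text of its elements.

    Weak: feature_external_ges=True makes the parser dereference SYSTEM ids.
    Hardened: leave it False (the default since Python 3.7.1) so the entity
    reference is skipped; defusedxml is the usual belt-and-braces option.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, allow_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(payload))
    return collector.text()


def demo() -> Tuple[str, str]:
    """Return (text from the weak parser, text from the hardened parser)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("db_password=hunter2")        # constructed secret
        secret_path = f.name
    try:
        payload = xxe_payload(secret_path)
        return parse_note(payload, True), parse_note(payload, False)
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    leaked, safe = demo()
    print("weak parser   :", repr(leaked))
    print("hardened parser:", repr(safe))
```

The same flag controls the SSRF variant: with external entities enabled, a SYSTEM identifier such as an http:// URL is fetched from the parser's host, so disabling the feature (or using defusedxml) closes both the file-read and the request-forgery paths at once.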

Improved Categorisation of vulnerabilities

To provide more clarity on the vulnerabilities found, a summary by OWASP Top 10 category has been added to the Application Audit reports and the dashboard.

Summary Screenshot

Reports Screenshot

Scan feasibility mail sent to customer

We have observed over time that customers' infrastructure keeps changing, and often one team is not aware of changes made by another. If, for example, a firewall rule changes on the customer side, scanner requests may be blocked and the scan may fail. To give visibility into such issues, before starting a new scan of a site the scanner now sends a probe to check whether its requests are being blocked. If the probe is blocked, an alert is sent to the customer saying the scan is not feasible and asking them to take corrective action, typically allow-listing the scanner's source addresses.

CWE-ID

A CWE ID has been added for each vulnerability. Common Weakness Enumeration (CWE) is a community-maintained category system for software weaknesses, with several hundred entries covering, for example, buffer overflows, path and directory traversal, race conditions, cross-site scripting, hard-coded passwords and insecure random numbers. CWE IDs appear in both the reports and the dashboard.

APPTRANA & TAS


On the AppTrana side, major changes continue in the direction of more stability and more enterprise-friendly features for our customers.


Portal Updates 

AutoBypass Feature: (Applies only for SaaS customers)

One of the major changes that went live for all our SaaS customers last quarter is auto bypass for SaaS sites. As you are aware, we are the only SaaS WAF provider offering fail-open in the cloud through our bypass feature, but until now it could only be invoked manually. Now every site is continuously checked for availability by our monitoring system. If an availability issue is detected, a further check determines whether the WAF is the cause. If the issue is at the WAF level, the site is automatically bypassed to keep it available, and the internal team is notified to take corrective action. While a site is bypassed, traffic reaches the origin without WAF inspection, so bypass events are worth reviewing once the site is restored.

Implementation of Pagination

To accommodate our enterprise customers and improve their experience, pagination was added to the dashboard. Customers with many sites now see them paginated, and can use the search box at the top to jump to a specific site. Some customers have asked for the ability to download the information on this page as an XLS report; this will go live in a few days.

Pagination Screenshot

Grant Type Authorization for SIEM API

As you are aware, we released our SIEM API a while back. At release we supported authorization through the OAuth 2.0 client credentials grant. Several customers asked us to also support the authorization code grant, which many SIEM products require, and it has now been added.

Learn how to Implement



Rule Updates

Cross-Site Scripting Rule Update (XSS)

Rule ID 405 (Premium Rule): A new rule was added for premium sites. It triggers when an attacker tries to inject XSS vectors through widely used HTML event-handler attributes such as onerror and the print events (onbeforeprint, onafterprint).

File Injection

Rule IDs 96 & 100 (Advance Rule): Two rules in the File Injection category were updated. They trigger when an attacker supplies the names of sensitive system files such as /etc, /httpd.conf … in an attempt to access or read them. These rules apply to both our Advance and Premium customers.

Bugs Fixed

The summary report download failed when there were many attacks to report; this is now fixed.

When a proof of concept (POC) is available for a vulnerability, the POC indicator image is now clickable and pops up the actual POC.

Whitelisting of URIs rejected some valid URI patterns; this is fixed.

Scan report downloads failed with a socket timeout exception; this is resolved.

2FA was not working on iPhone; this is resolved.

UI fix: the dashboard table header has changed from "BANDWIDTH USED IN 30 DAYS" to "CURRENT MONTH'S BANDWIDTH USAGE".



