
Indusface Product Newsletter - February 2023

Updated by Rama Sadhu

Jan 2023 Edition

Learn about the recent launches and updates to the product.

------------------------------------------------------------------------------------------

AppTrana Updates

Global Actions

This feature lets you whitelist or blacklist IPs, IP ranges, and countries across all sites. The major advantages for AppTrana (customer admin) users are:

  1. Autonomously whitelisting or blacklisting parameters (IPs and countries) across all sites.
  2. Transparency and control to view or change the whitelisted and blacklisted parameters.
  3. Know more about it in our blog here.
  4. This feature is available in the Settings panel as shown below:

[Screenshot: Global Actions in the Settings panel]

Hybrid Sites
  • A new AppTrana enhancement that specifically protects "Hybrid Sites": sites that serve both session-based pages and API calls under the same domain name.
  • All AppTrana users on the API Protection Premium plan can use this feature.
  • To learn how to use this feature, read our document here.
  • This feature is available under Overview > Add Application.

[Screenshots: Add Application form for Hybrid Sites]

Comprehensive Analysis Across All Sites
  • In the Analysis panel, users can now find all Vulnerabilities, Attack Logs, and Access Logs across all sites, not just for an individual site.
  • These details can also be downloaded in CSV format as shown here:

Event Logs
  • Provides the list of activities at the website level, along with details about user actions on the portal.
  • This feature is available in the Analysis panel as shown below:

WAS Updates

Rescan/ Revalidate Scan
  • With this feature, users can quickly rescan and revalidate the results of a previous scan, saving time when checking whether the vulnerabilities detected earlier have been fixed.
  • This feature is available in the Application Audit panel.
  • The Start Rescan button is enabled only if a scan record is present for the selected website.
  • All Indusface WAS users can use this feature.
  • To learn how to use this feature, read our document here.

Single Sign On (SAML integration with Azure)
  • This authentication method lets users sign in with one set of login credentials. Separate credentials are no longer required for different accesses: with a single account, your users are authorized to log in to the WAS portal.
  • Only the admin can use this feature.
  • The major advantages that users get are:
      • Quick access
      • Password-less authentication
  • By configuring SAML-based SSO (Single Sign-On) with Azure, you can allow your users to connect to WAS using their Azure credentials.
  • To know more about SAML integration with Azure for Single Sign-On, read: https://docs.indusface.com/getting-started-was/saml-integration-with-azure-for-single-sign-on
  • To set up the SSO configuration, check the Settings panel as shown in the screenshot below:

Vulnerability Whitelisting (AA, VA, MM, and API)
  • Allows customers to whitelist vulnerabilities and plugins as needed to avoid false positives.

OpenVAS Whitelist Plugin Changes
  • When the admin whitelists a plugin, that plugin is no longer reported in the scan report even if it is found during the scan.
  • This allows users to decrease their false positive count.

MM Marking/ Unmarking of False Positives
  • There is now a provision to mark a particular vulnerability as a false positive for MM alerts. If the MM scanner has found a vulnerability but the user wants it marked as a false positive, our WAS admin marks that alert as a false positive from the WAS admin portal.
  • This allows the admin to whitelist the vulnerabilities.
  • This feature can be used by admins only.

Sigdev Labs

The following signatures have been added to our scanner to identify these vulnerabilities.

Path-relative Stylesheet Import (PRSSI)

PRSSI is a MIME type confusion vulnerability in web-page styles. It occurs when relative links of the form <link href='folder/styles.css'> are used to refer to stylesheet files. If an attacker can add their own text to the content of a page that loads CSS styles using relative paths, they have the opportunity to inject their own CSS rules.

Weak TLS CBC Cipher

SSL/TLS CBC Cipher Suite Detection (59323) was built to detect what has been termed the POODLE vulnerability, a vulnerability in Secure Sockets Layer (SSL) 3.0 with cipher-block chaining (CBC) mode ciphers. This vulnerability lets an attacker eavesdrop on communication encrypted using SSLv3 (CVE-2014-3566).

Insecure Content Security Policy (CSP)/X-Frame-Options

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites.
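The check below is an added example, not AppTrana or WAS scanner code: it evaluates a response's X-Frame-Options header and its Content-Security-Policy frame-ancestors directive (which supporting browsers honour in preference to X-Frame-Options) and reports whether the page may be framed by other sites. The sample header sets are constructed, not captured from any real site.

```python
"""Scanner-style check for clickjacking protection on an HTTP response.

Added example, not AppTrana or WAS code: inspects the X-Frame-Options header
and the Content-Security-Policy frame-ancestors directive and reports whether
the page may be framed by other sites.
"""
from typing import Dict, List, Optional, Tuple


def _directive(csp: str, name: str) -> Optional[List[str]]:
    """Return the source list of one CSP directive, or None if it is absent."""
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens and tokens[0].lower() == name:
            return [t.lower() for t in tokens[1:]]
    return None


def framing_protection(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (protected, reason) for one response's headers.

    Header names are matched case-insensitively. Browsers that support
    frame-ancestors give it precedence over X-Frame-Options, so it is
    evaluated first.
    """
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = _directive(h.get("content-security-policy", ""), "frame-ancestors")
    if ancestors is not None:
        if ancestors in (["'none'"], ["'self'"]):
            return True, f"CSP frame-ancestors {ancestors[0]}"
        if "*" in ancestors or any(a.startswith("http:") for a in ancestors):
            return False, "CSP frame-ancestors allows untrusted origins"
        return True, "CSP frame-ancestors restricted to listed origins"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, f"X-Frame-Options {xfo}"
    if xfo.startswith("ALLOW-FROM"):
        # Obsolete value: current browsers ignore it, so treat the page as unprotected
        return False, "X-Frame-Options ALLOW-FROM is not honoured by modern browsers"
    return False, "no X-Frame-Options and no CSP frame-ancestors"


# Constructed sample responses (not captured from any real site)
SAMPLES = {
    "hardened": {"X-Frame-Options": "DENY"},
    "csp_only": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "weak_csp": {"Content-Security-Policy": "frame-ancestors *"},
    "missing": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        ok, why = framing_protection(hdrs)
        print(f"{name:9} {'protected' if ok else 'EXPOSED'}: {why}")
```

An empty frame-ancestors source list is reported as protected, since an empty list matches no origin; a site that wants the widest browser coverage should send both `frame-ancestors` and `X-Frame-Options: DENY` or `SAMEORIGIN`.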

ASP.NET Version Disclosure

Disclosing the ASP.NET version in responses gives attackers a greater understanding of the systems in use and lets them develop further attacks targeted at that specific version of ASP.NET.

Web Server Version Disclosure

Information disclosure, also known as information leakage, is when a website unintentionally reveals sensitive information to its users. Depending on the context, websites may leak all kinds of information to a potential attacker, including the data about other users, such as usernames or financial information.

XSS API

Cross-site scripting (XSS) attacks are a type of injection attack in which malicious script is delivered through an otherwise safe API. An attacker uses a flaw in the target API to send malicious code.

Cross Origin Resource Sharing (CORS)

It is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources. CORS also relies on a mechanism by which browsers make a "preflight" request to the server hosting the cross-origin resource to check that the server will permit the actual request. In that preflight, the browser sends headers that indicate the HTTP method and headers that will be used in the actual request. 
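The following is an added example, not AppTrana or WAS code, of the server side of the exchange described above: it computes the CORS response headers for a simple request and for a preflight, answers only origins on an explicit allowlist, and never echoes an unknown Origin back. The allowed origin, methods and headers are assumed values for the demo.

```python
"""Server-side CORS handling with an explicit origin allowlist.

Added example, not AppTrana or WAS code: computes the CORS response headers
for a simple or preflight request. Unknown origins are never echoed back,
so a page on another site cannot read the response. The allowlist, method
and header sets below are assumed values for the demo.
"""
from typing import Dict, Tuple

ALLOWED_ORIGINS = {"https://app.example.com"}          # assumed trusted front-end
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}
ALLOWED_HEADERS = {"content-type", "authorization"}


def cors_response(request_headers: Dict[str, str], method: str) -> Tuple[int, Dict[str, str]]:
    """Return (status, headers) the API should send for this request.

    Non-CORS requests (no Origin) get no CORS headers at all. Vary: Origin is
    set whenever Origin was inspected, so caches do not serve one origin's
    answer to another.
    """
    h = {k.lower(): v for k, v in request_headers.items()}
    origin = h.get("origin")
    if origin is None:
        return 200, {}
    if origin not in ALLOWED_ORIGINS:
        # Deliberately no Access-Control-Allow-Origin: the browser blocks the read
        return (204 if method == "OPTIONS" else 200), {"Vary": "Origin"}
    out = {
        "Access-Control-Allow-Origin": origin,   # exact match, never "*" with credentials
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }
    if method == "OPTIONS" and "access-control-request-method" in h:
        # Preflight: the browser asks whether the real method and headers are allowed
        wanted_method = h["access-control-request-method"].upper()
        wanted_headers = {
            x.strip().lower()
            for x in h.get("access-control-request-headers", "").split(",")
            if x.strip()
        }
        if wanted_method not in ALLOWED_METHODS or not wanted_headers <= ALLOWED_HEADERS:
            return 403, {"Vary": "Origin"}
        out.update({
            "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
            "Access-Control-Allow-Headers": ", ".join(sorted(ALLOWED_HEADERS)),
            "Access-Control-Max-Age": "600",
        })
        return 204, out
    return 200, out


if __name__ == "__main__":
    # Constructed preflight from the trusted origin
    print(cors_response({"Origin": "https://app.example.com",
                         "Access-Control-Request-Method": "PUT",
                         "Access-Control-Request-Headers": "Content-Type"}, "OPTIONS"))
    # Constructed request from an unknown origin: no allow header is returned
    print(cors_response({"Origin": "https://other.example"}, "GET"))
```

The point the scanner finding is about is the reflection shortcut many frameworks take (copying whatever Origin arrives into Access-Control-Allow-Origin, often together with Allow-Credentials: true); the allowlist comparison above is the fix.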

Application-Error Message

Application error or warning messages may expose sensitive information about an application's internal workings to an attacker. These messages may also contain the location of the file that produced an unhandled exception. Consult the 'Attack details' section for more information about the affected page(s).

Defacement

Defacement refers to gaining access to the website and making some visible or hidden malicious changes. It may result in any sort of change to the content, script, site structure, etc. A compromised section on the site could be leveraged by the attacker to deface your web presence and eventually affect your business reputation.

X-XSS-Protection Header Disabled

The X-XSS-Protection header is disabled, which means this website could be at risk of cross-site scripting (XSS) attacks. Modern browsers have removed the XSS filter this header controlled, so a Content Security Policy is the effective defence.

HTTP Verb Tampering

An attack that exploits vulnerabilities in HTTP verb (also known as HTTP method) authentication and access control mechanisms. Many authentication mechanisms only limit access to the most common HTTP methods, thus allowing unauthorized access to restricted resources by other HTTP methods. 

X-permitted Cross Domain Policies

A cross-domain policy file is an XML document that grants a web client, such as Adobe Flash Player or Adobe Acrobat (though not necessarily limited to these), permission to handle data across domains. 

DNSSEC Unsigned

DNSSEC strengthens authentication in DNS using digital signatures based on public key cryptography.

Content Injection

Content Injection is an attack that injects arbitrary characters into a web page. When an application does not properly handle user-supplied data, an attacker can supply content to a web application, typically via a parameter value which is then reflected in the page. 

JWT None Algorithm

JSON Web Token (JWT) can be digitally signed for protection against data tampering. The JWT specification also defines the "none" algorithm, which can be used with "unsecured" (unsigned) JWTs.
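The verifier below is an added example, not the WAS scanner's code. It shows the defence the finding calls for: the server pins the algorithm it expects instead of trusting the token's own "alg" header, so a token declaring "alg": "none" (the shape an unsecured JWT takes, built here only as a test input) is rejected before any signature logic runs. The signing key is a constructed demo value.

```python
"""Verify an HS256 JWT without trusting the token's own 'alg' header.

Added example, not the WAS scanner's code. The verifier pins the algorithm
it expects, so a token whose header says "alg": "none" (or any other
algorithm) is rejected before any signature logic runs. The key below is a
constructed demo value.
"""
import base64
import hashlib
import hmac
import json
from typing import Any, Dict

DEMO_KEY = b"constructed-demo-key-not-for-production"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: Dict[str, Any]) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def issue_hs256(claims: Dict[str, Any], key: bytes) -> str:
    """Create a signed compact JWT (the legitimate issuer's side)."""
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def unsigned_token(claims: Dict[str, Any]) -> str:
    """Build the 'alg: none' shape the finding describes, used here only as a test input."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(claims)}."


def verify_hs256(token: str, key: bytes) -> Dict[str, Any]:
    """Return the claims if `token` is a valid HS256 JWT under `key`, else raise ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except ValueError as exc:  # wrong segment count, bad base64, bad JSON/UTF-8
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict):
        raise ValueError("malformed header")
    # Pin the algorithm: the token must not choose it (blocks 'none', 'NONE'
    # and RS256-to-HS256 confusion alike).
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def accepts(token: str, key: bytes) -> bool:
    """True if the token verifies under `key`, False otherwise."""
    try:
        verify_hs256(token, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    good = issue_hs256({"sub": "alice", "role": "user"}, DEMO_KEY)
    print("signed token accepted:", accepts(good, DEMO_KEY))
    print("alg=none token accepted:", accepts(unsigned_token({"sub": "alice", "role": "admin"}), DEMO_KEY))
```

The same rule applies when a JWT library is used: pass the list of accepted algorithms explicitly on every verify call rather than letting the library read it from the token. Expiry (exp) and audience checks would follow the signature check in a production verifier.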

SSL Certificate Common Name Mismatch

A common name mismatch error occurs when the common name or SAN of your SSL/TLS Certificate does not match the domain or address bar in the browser. This can happen simply by visiting https://example.com instead of https://www.example.com if the certificate does not have them both listed in the SAN of the certificate.

Weak Encoding for Password

Obscuring a password with a trivial encoding does not protect the password. Password management issues occur when a password is stored in plaintext in an application's properties or configuration file. A programmer may attempt to remedy the problem by obscuring the password with an encoding function such as Base64, but this effort does not adequately protect the password.

Local File Inclusion (LFI)

Local file inclusion (LFI) is the process of including files that are already present locally on the server by exploiting vulnerable inclusion procedures implemented in the application.

Remote File Inclusion (RFI)

Remote file inclusion attacks usually occur when an application receives a path to a file as input for a web page and does not properly sanitize it. This allows an external URL to be supplied to the include function. 
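The function below is an added example, not AppTrana or WAS code, of the input handling that prevents both findings above: a user-supplied file name is accepted only if it is a relative name that resolves to an existing file under one allowed directory. Remote locations (RFI), absolute paths, NUL bytes and traversal sequences (LFI), including percent- and double-percent-encoded forms, are rejected. The temporary directory and probe inputs in demo() are constructed for illustration.

```python
"""Resolve a user-supplied file name safely inside one allowed directory.

Added example, not AppTrana or WAS code. It rejects remote locations (RFI),
absolute paths, NUL bytes and '..' traversal (LFI), including percent- and
double-percent-encoded forms, and finally checks that the resolved path is
still under the base directory. The sample directory and inputs are
constructed by demo() for illustration.
"""
import os
import tempfile
from typing import Dict
from urllib.parse import unquote, urlsplit


class UnsafePath(ValueError):
    """Raised when the requested name cannot be served."""


def resolve_include(base_dir: str, user_value: str) -> str:
    """Return the absolute path of an existing file under base_dir, or raise UnsafePath."""
    # Decode twice so double-encoded traversal such as %252e%252e/ is caught too
    decoded = unquote(unquote(user_value))
    if "\x00" in decoded:
        raise UnsafePath("NUL byte in name")
    if "\\" in decoded:
        raise UnsafePath("backslash in name")
    try:
        parts = urlsplit(decoded)
    except ValueError as exc:
        raise UnsafePath("unparseable name") from exc
    if parts.scheme or parts.netloc or decoded.startswith("//"):
        raise UnsafePath("remote location not allowed")      # RFI
    if os.path.isabs(decoded):
        raise UnsafePath("absolute path not allowed")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafePath("path escapes base directory")     # LFI via traversal
    if not os.path.isfile(candidate):
        raise UnsafePath("no such file")
    return candidate


def demo() -> Dict[str, str]:
    """Try constructed inputs against a temporary template directory; map input -> result."""
    probes = [
        "home.html",
        "../../etc/passwd",
        "%2e%2e/%2e%2e/etc/passwd",
        "%252e%252e/secret.txt",
        "/etc/passwd",
        "http://remote.example/include.txt",
        "//remote.example/include.txt",
        "home.html%00.png",
    ]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        templates = os.path.join(tmp, "templates")
        os.mkdir(templates)
        with open(os.path.join(templates, "home.html"), "w", encoding="utf-8") as fh:
            fh.write("<h1>home</h1>")
        for probe in probes:
            try:
                resolve_include(templates, probe)
                results[probe] = "ok"
            except UnsafePath as exc:
                results[probe] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for probe, outcome in demo().items():
        print(f"{probe!r:40} {outcome}")
```

Because the final decision is made on the resolved real path rather than on the raw string, symlinks inside the directory that point outside it are also refused. Where the set of includable files is small, an allowlist of names is simpler still and removes the need for path reasoning altogether.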

Unvalidated Redirection

Unvalidated redirect vulnerabilities occur when an attacker can redirect a user to an untrusted site when the user visits a link located on a trusted website. This vulnerability is also often called Open Redirect. 

Log Injection

Writing unvalidated user input to log files can allow an attacker to forge log entries or inject malicious content into the logs. This is called log injection. Log injection vulnerabilities occur when data enters an application from an untrusted source and that data is written to an application or system log file.
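As an added example (not AppTrana or WAS code) of the mitigation, the snippet below escapes newline and other control characters in an untrusted value before it is logged, so a crafted username cannot start a forged second entry. The logger and the two sample login events are constructed for the demo.

```python
"""Neutralise untrusted input before it reaches a log line.

Added example, not AppTrana or WAS code: newline and other control characters
in user-controlled values are escaped so a crafted username cannot start a
forged second log entry. The logger and sample inputs are constructed for
the demo.
"""
import io
import logging
import re
from typing import List, Tuple

_CONTROL = re.compile(r"[\x00-\x1f\x7f]")
_NAMED = {"\n": "\\n", "\r": "\\r", "\t": "\\t"}


def sanitize_for_log(value: str, max_len: int = 200) -> str:
    """Escape control characters and cap length so the value stays on one line."""
    cleaned = _CONTROL.sub(lambda m: _NAMED.get(m.group(), "\\x%02x" % ord(m.group())), value)
    if len(cleaned) > max_len:
        cleaned = cleaned[:max_len] + "...(truncated)"
    return cleaned


def build_logger(name: str = "demo_auth") -> Tuple[logging.Logger, io.StringIO]:
    """Logger writing one 'LEVEL message' line per event into a StringIO buffer."""
    buf = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()          # fresh handler on every call of the demo
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger, buf


def record_login(logger: logging.Logger, username: str, success: bool) -> None:
    """Log a login attempt; the username is untrusted and therefore sanitised."""
    logger.info("login user=%s success=%s", sanitize_for_log(username), success)


def demo() -> List[str]:
    """Two login events, the second carrying a constructed forgery attempt; returns the log lines."""
    logger, buf = build_logger()
    record_login(logger, "alice", True)
    record_login(logger, "bob\nINFO login user=admin success=True", False)
    return buf.getvalue().splitlines()


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Without the sanitiser the second event would produce two lines, the second of which reads exactly like a successful admin login. Structured (JSON) logging gives the same guarantee with less effort, since the serializer escapes the value for you.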

XPATH Injection

These attacks occur when a web site uses user-supplied information to construct an XPath query for XML data.

External Entity Injection

XML external entity (XXE) attacks allow an attacker to interfere with an application's processing of XML data. They often allow an attacker to view files on the application server's filesystem and to interact with any back-end or external systems that the application itself can access.

URL Redirection Attack

URL Redirection is a vulnerability which allows an attacker to force users of your application to an untrusted external site. The attack is most often performed by delivering a link to the victim, who then clicks the link and is unknowingly redirected to the malicious website. 
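The validator below is an added example, not AppTrana or WAS code, covering both the Unvalidated Redirection and URL Redirection findings above. A post-login "next" parameter is accepted only if it is a same-site relative path or an absolute URL whose host is on an allowlist; protocol-relative, backslash, userinfo and non-HTTP scheme forms all fall back to a default page. The allowed host is an assumed value.

```python
"""Validate a post-login 'next' parameter before redirecting.

Added example, not AppTrana or WAS code: only same-site relative paths or
absolute URLs whose host is on an allowlist are accepted; everything else
falls back to a default page. The allowed host is an assumed value.
"""
from typing import Iterable
from urllib.parse import urlsplit

DEFAULT_TARGET = "/"
ALLOWED_HOSTS = ("www.example.com",)   # assumed trusted hosts


def safe_redirect_target(next_param: str,
                         allowed_hosts: Iterable[str] = ALLOWED_HOSTS,
                         default: str = DEFAULT_TARGET) -> str:
    """Return `next_param` if it points within the site, otherwise `default`."""
    if not next_param:
        return default
    # Backslashes and line breaks are normalised differently by browsers and
    # header parsers ("/\\host" may become "//host"); refuse them outright.
    if any(ch in next_param for ch in "\\\r\n\x00"):
        return default
    try:
        parts = urlsplit(next_param)
    except ValueError:
        return default
    if not parts.scheme and not parts.netloc:
        # Relative target: must be a path starting with a single slash
        # ("//host/..." is protocol-relative and would leave the site)
        if next_param.startswith("/") and not next_param.startswith("//"):
            return next_param
        return default
    if parts.scheme in ("http", "https") and parts.netloc.lower() in allowed_hosts:
        return next_param
    return default


if __name__ == "__main__":
    # Constructed inputs: two legitimate targets and several that must fall back
    for candidate in ["/account", "https://www.example.com/home",
                      "//other.example/", "https://www.example.com@other.example/",
                      "javascript:alert(1)"]:
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)!r}")
```

The host comparison is an exact match on the netloc, so a target with an explicit port or userinfo only passes if that exact netloc is listed; that is intentional, since substring or prefix matching is the usual source of bypasses in this check.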

SSRF

Server-side request forgery (SSRF) allows an attacker to induce the server-side application to make requests to an unintended location.

ASP.NET Tracing Enabled

ASP.NET tracing discloses sensitive information to users and, if enabled in production, may present a serious security threat. Application-level tracing enables any user to retrieve full details about recent requests to the application, including those of other users.

XML RPC Found

A vulnerability in an exposed XML-RPC endpoint allows an attacker to make system calls that can be dangerous for the application and its servers. An attacker can also use this method to craft a successful DoS attack against the application.

Directory Listing

Web servers can be configured to automatically list the contents of directories that do not have an index page present. This can aid an attacker by enabling them to quickly identify the resources at a given path and proceed directly to analyzing and attacking those resources. It particularly increases the exposure of sensitive files within the directory that are not intended to be accessible to users, such as temporary files and crash dumps. 

Core Dump File

A core dump consists of the recorded state of the working memory of a computer program at a specific time, generally when the program has terminated abnormally (crashed). Core dumps are often used to assist in diagnosing and debugging errors in computer programs. The content of core dump files is highly sensitive, as they contain the exact contents of the working memory, including credentials, user data and so on.

Possible Backup File

These files are usually created by developers to back up their work and could be susceptible to attacks. 

WAF Rule Updates

AppTrana now safeguards your applications against the following vulnerabilities and attacks. 

Path Traversal Coverage

Adds a rule covering encoded path traversal payloads.

Advanced SQL Injection

Detects JSON-based SQL injection attempts in HTTPS URI and arguments.

Java Attacks

Detects Java class reflection usage to execute methods that allow OS command execution.
