• Category: Insecure Interaction between Components (9 errors)
• Category: Risky Resource Management (9 errors)
• Category: Porous Defenses (7 errors)

As SANS Director Mason Brown said, every programming team must have the processes in place to find, fix, or avoid these problems and have the tools needed to verify their code is as free of these errors, as automated tools can verify.

From this report, one can clearly conclude that security awareness and secure coding training are indeed a must.  Also, programmers need automated testing tools to help them measure the security of the software they are writing and automatically train them to write secure code, since unfortunately, most of the errors are not well understood by the programmers themselves.

Read the full SANS’s report here.

As a matter of fact, while evaluating some leading web application firewalls, they also released 3 web application firewall advisories:

• Artofdefence Hyperguard Web Application Firewal (Remote Denial of Service)
• phion airlock Web Application Firewall (Remote Denial of Service via Management Interface (unauthenticated) and Command Execution
• radware AppWall Web Application Firewall (Source code disclosure on management interface)

Some facts about WAF’s, which anyone considering of buying a WAF instead of securing his web application should read(quotes from the white paper’s conclusion):

1. the additional layer of defense (WAF) is partly porous and does not replace the secure development and operation of web applications.
2. It also must not be overseen that a web application firewall is an additional device that is placed between the client and the web server and is therefore an additional device that can have influence on the availability of the overall system.
3. It is also an additional system that can have vulnerabilities or other forms of implementation flaws and requires regular maintenance.
4. Additionally it has been shown that web application firewalls can also be the target of successful attacks (cross-site scripting flaws, cross-site request forgery, denial of service, command execution, etc.)
5. When defining rules for a specific web application or modifying the standard Ruleset it is very important to test the whole web application and all provided functions for their correct functionality.  This can for example be done using automated testing frameworks. In the course of the project often certain functionalities of the web applications used for testing have been rendered unfunctional because of predefined rules of the web application firewalls. As unexpected side effects like this can occur with every change of the rules or the web application itself, comprehensive testing is necessary.

Click here to read eval($WAF); whitepaper.

The presidential election protest in Iran, has already led to a range of hacktivism attacks against innocent websites, like the Oregon University System’s website.  The university’s website was defaced for about 90 minutes, and all visitors were redirected to a hacker controlled website, who posted a message criticizing the protests in Iran.  The message included insults aimed at US President Barack Obama, and made depreciatory comments about Iranian opposition leader Mir Hossein Mousavi.

The redirect didn’t harm visitors’ computers, or transfer any malware or viruses.  Still, such attack against your website can cost your business a good fortune, due to down time and bad reputation.  So, whatever the type of online audience your business has, it is always important to secure websites and web applications, as they are always a target!

Checking for SQL Injection vulnerabilities involves auditing your website and web applications. Manual vulnerability auditing is complex and very time-consuming. It also demands a high-level of expertise and the ability to keep track of considerable volumes of code and of all the latest tricks of the hacker’s ‘trade’.

Click here to read why an automated heuristic web vulnerability scanner such as Acunetix WVS, is a better solution than a signature-matching solution for detecting SQL injection vulnerabilities on your website or web application.

On 19th September 2007, and 26th January 2008, a Turkish hacker group known as “m0sted” successfully probed 2 U.S. Army web servers, by running a SQL injection attack against the web servers, which exploited a security vulnerability in Microsoft’s SQL Server database.

As a result of such hacks, users trying to access Army Corps of Engineers’ servers or McAlesters Munitions plant website, were redirected to other sites, such as www.m0sted.net.

If these web applications were properly audited with a web vulnerability scanner which can easily identify a SQL injection vulnerability, such as Acunetix WVS, such incident could have been easily avoided.  Proper user input sanitization is a MUST.  Once a website is available online, the web server port is wide open and the only hope one has is that all visitors play fair.  From the above, we can learn that if a website is vulnerable, a malicious user can easily gain access to the rest of the network.

Click here to read more about these breaches.

Follow us on Twitter http://www.twitter.com/acunetix

Though, the more functionality provided to the end user, the greater is the risk of having a vulnerable web application and the chance that such functionality will be abused from malicious users, to gain access to a specific website, or to compromise a server is very high.

The following white paper, talks about a number of common security issues and vulnerabilities encountered while auditing file upload forms in several well known web applications.  It also explains how to build secure file upload forms.

You can read this whitepaper from here

Read more about Acunetix and Version 6.5 release in this press release
Check out the FREE Version of Acunetix WVS V6.5 from here
Download the Acunetix WVS Version6 manual from here

The new features of Version 6.5 are:

• New Login Sequence Recorder, supports more authentication forms and web technologies.
• Session Auto Recognition module; the crawler will identify when a logged in session is invalided or expired and re-logins automatically.
• Actions drop down menu; for each highlighted node, the actions drop down menu is activated showing all possible functions.
• Much more JSP, Java and Tomcat checks and alerts

We also achieved the below major improvements with this version:

• Improved cookie management and session handling to support modern dynamic websites.
• Port Scanner and Network Alerts results appear as a separate node from the web alerts in the results view.
• Ability to import settings from Version 6 installation.
• Added Blind SQL injection timing test using MySQL’s sleep and MS SQL’s waitfor function.  This will help in discovering particular blind SQL injections that do not report a change on the page.

As Wendel Henrique explained, a WAF can help, but securing web applications is much more important.  Apart from that, implementing a WAF can cost a lot of time and money, and there is also the need to make network configuration changes.  On the opposite, scanning a web application with a web vulnerability scanner such as Acunetix WVS, helps you secure your web application without the need of web security expertise, and it saves you time.

Therefore as a conclusion, we can see that although a WAF adds an extra layer of protection, one should never rely on web application firewalls only, and should always ensure that web applications are secure.

You can read more about the OWASP Europe 2009 presentation on Web Application Firewalls vulnerabilities from the following link: http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=217400819&cid=RSSfeed

With this latest version, Acuntix is launching a new set of checks which check for vulnerabilities in file upload forms.  To date, Acunetix WVS Version 6.5 is the only vulnerability scanner which tests websites and web applications for such vulnerabilities.  Such tests can take place even when not using AcuSensor Technology, but when such technology is enabled, the results are more comprehensive whilst reporting less false positives.

If you are interested in testing the new BETA of Version 6.5, and you already own an Acunetix WVS Enterprise or Consultant license with a valid maintenance agreement, contact us at beta@acunetix.com.

The new features of Version 6.5 are:

• File upload forms vulnerability checks
• New Login Sequence recorder; supporting much more authentication forms and web technologies
• Session Auto Recognition: during crawling, if the session is invalidated or logged out, the scanner will automatically replay the login sequence without the need for manual intervention
• Much more checks and alerts for JSP, Java and Tomcat web server
• Actions drop down menu; for each selected node, the actions drop down menu is activated showing all possible functions

We also achieved some major improvements with Version 6.5:

• Improved cookie management and session handling to support modern dynamic websites
• Port scanner results will appear as a single node in the results tree
• Users can import their settings from version 6 to version 6.5.
• Added blind SQL injection (timing test) using MySQL’s sleep and MS SQL’s waitfor functions.  This will help in discovering particular blind SQL injections that do not report a change on the page.

Please send your feedback or bug reports to beta@acunetix.com

The Free edition of Acunetix WVS Beta Version 6.5 can be downloaded from here.

Looking forward to hearing from you!