
Indusface Web Application Scanning Product Update

Posted Date: April 11, 2019
Posted Time: 3 min read

On the WAS side, our effort was to build upon the new scanner that we recently released and add features that would provide

Some of the major advances made on WAS side are as follows:

SIGNATURE UPDATE

Signatures were added to find the following vulnerabilities:

  1. Session ID scoped to parent domain: The session cookie is issued with a Domain attribute set to the parent domain (for example Domain=example.com) instead of being restricted to the host that set it. A cookie scoped to the parent domain is sent to the parent domain and to every sub-domain beneath it, so any less trusted or compromised sub-domain (a marketing site, a staging host) receives the session ID and can use it to hijack the session.
  2. XML RPC Vulnerability: XML-RPC is a remote procedure call protocol that uses HTTP as the transport and XML as the encoding. An exposed XML-RPC interface that accepts authenticated method calls lets an attacker brute force credentials through the API, typically without the lockout or rate limiting applied to the interactive login form.
  3. HSTS Missing From HTTPS Server: HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTP (HTTPS) connections. The HSTS policy is communicated by the server to the user agent via an HTTP response header field named "Strict-Transport-Security". The policy specifies a period of time (max-age) during which the user agent shall access the server only over HTTPS. If the header is missing, a browser that first arrives over plain HTTP (a typed URL, an old link) completes that request in the clear, where an on-path attacker can keep it there (SSL stripping); with HSTS in effect the browser upgrades to HTTPS itself and refuses to bypass certificate errors for that host.
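The first and third signatures above are passive checks on response headers. The following is an added example, not Indusface code, of how a scanner can implement them: it parses Set-Cookie headers and flags any cookie whose Domain attribute is a parent of the responding host, and it inspects the Strict-Transport-Security header of an HTTPS response. The HSTS check goes slightly beyond the page by also reporting a max-age of zero, a short max-age (the 180-day floor is an assumption taken from common hardening guidance) and a missing includeSubDomains directive, which matters because a parent-scoped cookie is exposed on every sub-domain that is not forced onto HTTPS. All host names, cookie names and headers below are constructed sample data.

```python
# Added example (not Indusface code): passive response checks modelled on the
# "Session ID scoped to parent domain" and "HSTS Missing" signatures.
from urllib.parse import urlsplit

# Assumption: a name containing one of these fragments is treated as a session
# cookie purely for labelling; the scope check itself runs on every cookie.
SESSION_NAME_HINTS = ("sess", "sid", "token", "auth")


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def cookie_scope_findings(url, set_cookie_headers):
    """Flag cookies whose Domain attribute is a parent of the host that set them.

    A host-only cookie (no Domain attribute) is returned only to the exact
    host, which is the safe default; Domain=<parent> shares it with every
    sub-domain of that parent.
    """
    host = (urlsplit(url).hostname or "").lower()
    findings = []
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        domain = attrs.get("domain", "").lstrip(".").lower()
        # Domain equal to the host is fine; a strict parent of the host is not.
        if domain and domain != host and host.endswith("." + domain):
            kind = "session" if any(h in name.lower() for h in SESSION_NAME_HINTS) else "cookie"
            findings.append(f"{kind} {name!r} set by {host} is scoped to parent domain {domain!r}")
    return findings


def hsts_findings(url, headers, min_max_age=15552000):
    """Flag a missing or weak Strict-Transport-Security header on an HTTPS response.

    headers: dict keyed by lower-cased header name. Browsers ignore HSTS
    received over plain HTTP, so the check applies to HTTPS responses only.
    min_max_age defaults to 180 days (assumption, see lead-in).
    """
    if urlsplit(url).scheme.lower() != "https":
        return []
    value = headers.get("strict-transport-security")
    if value is None:
        return ["HSTS missing from HTTPS response"]
    directives = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            directives[key.strip().lower()] = val.strip().strip('"')
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return [f"HSTS header has no parseable max-age: {value!r}"]
    findings = []
    if max_age == 0:
        findings.append("HSTS max-age=0 clears the policy")
    elif max_age < min_max_age:
        findings.append(f"HSTS max-age={max_age} is shorter than {min_max_age}")
    if "includesubdomains" not in directives:
        findings.append("HSTS lacks includeSubDomains; sub-domains stay unprotected")
    return findings


if __name__ == "__main__":
    # Constructed sample response, not captured from a real site.
    url = "https://app.example.com/login"
    headers = {"content-type": "text/html"}  # no Strict-Transport-Security
    cookies = [
        "PHPSESSID=3f9a1c; Domain=.example.com; Path=/; Secure; HttpOnly",
        "lang=en; Path=/",
    ]
    for finding in cookie_scope_findings(url, cookies) + hsts_findings(url, headers):
        print("FINDING:", finding)
```

Run against the constructed response, the script reports the parent-scoped PHPSESSID cookie and the missing HSTS header and stays silent on the host-only `lang` cookie. In a real scanner the same two functions would be fed the URL and headers of every response seen during the crawl, with the HSTS check deduplicated per host.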

GUIDED SCANS

Config-driven guided scan support was introduced. A guide is a list of actions that the crawler performs automatically when it encounters all of the page elements defined in that set of actions during the crawl. Multiple guides can be defined per site. This lets the crawler reach pages it previously could not, because those pages require special actions. For example, a multi-step wizard may require certain fields and inputs to be filled in before the next step is reachable; unless the crawler knows what those actions are, it has no way to go further.

In such cases, a guided scan config can be added that tells the crawler exactly which actions to take. Customers who need this capability are requested to contact our support team, who will write the necessary config for your site and add it.

SCAN CONFIGS

We have also enabled the ability to add certain site-specific configs that let customers define exceptions such as:

  • Exclude URI from Attack: We have seen cases where customers want certain URIs to be crawled, because other pages can only be reached through them, but do not want those URIs to be attacked. In such cases, customers can have specific URIs whitelisted from attacks. This can be done by reaching out to support@indusface.com.
  • Crawl to foreign domain: By default, the crawler does not crawl foreign domains, but in cases such as SSO logins it becomes important to crawl certain foreign-domain URIs. This can now be done through a special config for a website. Please reach out to support to enable this.

AGING SUMMARY

We have added the Aging Summary widget for AA, MM and VA scans. With this, customers can easily identify vulnerabilities that are older than a given time period, which helps them prioritize which vulnerabilities to fix first.

BIFURCATION OF MANUAL AND AUTOMATED VULNERABILITY AS A WIDGET IN DASHBOARD

With this, customers can clearly see the vulnerabilities found through manual PT versus automated scans in the application audit widgets in the portal, using the Manual PT and Automated Scan filters available in the widgets. The change applies to both the Dashboard page and the Application Audit page.

Vivek Gopalan

Vivekanand Gopalan is a seasoned entrepreneur and currently serves as the Vice President of Products at Indusface. With over 12 years of experience in designing and developing technology products, he has a keen eye for building innovative solutions that solve real-life problems. In his previous role as a Product Manager at Druva, Vivek was instrumental in creating the core endpoint data protection solution which helped over 1500 enterprises protect over a million endpoints. Prior to that, he served as a Product Manager at Zighra, where he played a crucial role in reducing online and offline payment fraud by leveraging mobile telephony, collective intelligence, and implicit user authentication. Vivek is a dynamic leader who enjoys building and commercializing products that bring tangible value to customers. In 2010, before pursuing MBA, he co-founded a technology product company, Warmbluke and created a first-of-its-kind innovative Civil Engineering estimator software called ATLAS. The software was developed for both enterprise and for SaaS users. The product helps in estimating the construction cost using CAD drawings. Vivek did his MBA from Queen's University with Specialization in New Ventures. He also holds a Bachelor of Technology degree in Information Technology from Coimbatore Institute of Technology, Anna University, one of the prestigious universities in India. He is the recipient of the D.D. Monieson MBA Award, Issued by Queen's School of Business, presented to a student team which has embraced the team-learning model and applied the management tools and skills to become a peer exemplar. In his spare time, Vivek likes to go on hikes and read books.
