As part of our efforts at CyberRes to address the Log4j vulnerability, we are continuing to analyze and address this remote code execution vulnerability. As you know, Log4j burst onto the scene last month, and open source software is now in the headlines as a national security issue. Just this week, the White House held a meeting with tech leaders to discuss Log4j, software security, and open source tools.
In light of all this, we are creating a new set of capabilities for Fortify WebInspect that detect out-of-band vulnerabilities using a new technique called OAST (Out-of-Band Application Security Testing).
The Log4Shell vulnerability (CVE-2021-44228) everyone has been talking about is one of these: it causes Log4j to perform a lookup against an attacker-controlled LDAP server. This is an out-of-band attack because nothing is reflected back to the attacker in the application's response; the attack goes to a third machine, the malicious LDAP server.
How we will detect it
We are standing up a public service that captures out-of-band interactions. WebInspect can then query this service and, by providing a shared secret key, determine whether the server under test was vulnerable.
For customers who are testing internal networks without access to the public service, there will be an internal Docker container that can be used instead.
This new service will not only be used for the Log4Shell exploit, but for other interesting attacks as well (listed in the slide below).
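As an added illustration of the shared-secret polling model described above (hypothetical code, not the WebInspect service or its API), a minimal out-of-band interaction registry: listeners record callbacks under a per-probe token, and the scanner can only read results by proving knowledge of the shared secret. The domain `oast.example` and the secret value are constructed for the example.

```python
import hmac
import hashlib
from typing import Dict, List, Optional, Tuple

Interaction = Tuple[str, str]  # (protocol, source address)

def probe_token(secret: bytes, scan_id: str, probe_id: str) -> str:
    # The scanner derives one unguessable token per injected probe from the
    # shared secret, so callbacks cannot be forged by guessing hostnames.
    mac = hmac.new(secret, f"{scan_id}/{probe_id}".encode(), hashlib.sha256)
    return mac.hexdigest()[:24]

def query_proof(secret: bytes, token: str) -> str:
    # Proof the scanner presents when asking the service about a token.
    return hmac.new(secret, b"query:" + token.encode(), hashlib.sha256).hexdigest()

class OastService:
    """Out-of-band interaction registry (hypothetical): listeners push
    callbacks in, the scanner polls results out with a shared-secret proof."""

    def __init__(self, secret: bytes, domain: str):
        self._secret = secret
        self._domain = domain.lower().rstrip(".")
        self._seen: Dict[str, List[Interaction]] = {}

    def register(self, token: str) -> None:
        self._seen.setdefault(token, [])

    def record_callback(self, name: str, protocol: str, source: str) -> bool:
        # Called by the DNS/HTTP/LDAP listeners. Names arrive in any case and
        # often with a trailing dot; only names under our domain whose label
        # directly below it is a registered token are kept, the rest is noise.
        name = name.lower().rstrip(".")
        suffix = "." + self._domain
        if not name.endswith(suffix):
            return False
        token = name[: -len(suffix)].split(".")[-1]
        if token not in self._seen:
            return False
        self._seen[token].append((protocol, source))
        return True

    def query(self, token: str, proof: str) -> Optional[List[Interaction]]:
        # An unauthenticated caller learns nothing, not even whether the
        # token exists; a valid proof returns every recorded interaction.
        if not hmac.compare_digest(proof, query_proof(self._secret, token)):
            return None
        return list(self._seen.get(token, []))

def server_was_vulnerable(service: OastService, secret: bytes, token: str) -> bool:
    # Any out-of-band interaction for the probe's token means the target
    # performed the lookup, even though its HTTP response showed nothing.
    hits = service.query(token, query_proof(secret, token))
    return bool(hits)
```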
How to get it:
- WebInspect: Install 21.2 and Smartupdate to get the new check
- WebInspect Enterprise: Install WIE Server 21.2 and Sensors 21.2 and Smartupdate the sensors
- ScanCentral DAST: Install SCDast 21.2 and pull the latest version of the WI Sensors version 2.1
Again, our goal with this update is to keep WebInspect on the cutting edge of all things AppSec. A validation of how WebInspect is at the top of the class in the AppSec industry is our attainment of a perfect score of 5.0 in the 2021 Gartner MQ for AppSec Testing for DAST. With this new OAST capability, we’re just making it even better. Shoutout to all our WebInspect users!