Detect Log4shell with Fortify WebInspect


Hello WebInspect users! We are currently creating a new set of capabilities to detect out-of-band vulnerabilities and a new technique called OAST (Out-of-Band Application Security Testing).

The Log4Shell vulnerability (CVE-2021-44228) everyone has been talking about is one of these: specifically, it causes Log4j to perform a lookup against a malicious LDAP server. This is an out-of-band attack because nothing is reflected back to the attacker; the attack traffic goes to a third machine, the malicious LDAP server.

How we will detect it

We are standing up a public service that can be used to capture the out-of-band callbacks. WebInspect can then query this service and, by presenting a shared secret key, determine whether the server under test was vulnerable.
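To make the detection flow concrete, here is a small model of it in Python. This is an added example, not WebInspect's code or the Fortify service's API: the collector domain (`oast.example`), the HMAC-based token derivation, and the `OastCollector`, `callback_token`, `extract_token` and `was_vulnerable` names are all assumptions. The scanner derives a per-probe callback identifier from the shared secret, embeds it in the hostname the target would resolve or connect to, the collector records every interaction it receives, and the scanner later asks the collector whether an interaction carrying its identifier was seen. The sample interactions at the bottom are constructed.

```python
import hashlib
import hmac
import re
import time
from dataclasses import dataclass

# Hypothetical collector domain; a real deployment would use the vendor's
# public service or an internal container under its own name.
OAST_DOMAIN = "oast.example"


def callback_token(shared_secret: bytes, scan_id: str, probe_id: str) -> str:
    """Derive the identifier embedded in one probe's callback address.

    An HMAC over the scan and probe ids keyed with the shared secret: the
    token is visible in transit, but only a holder of the secret can compute
    the right one to ask the collector about, and tokens from different scans
    cannot collide by accident. Truncated to 24 hex characters so it fits in
    a single DNS label (63-character maximum).
    """
    msg = f"{scan_id}:{probe_id}".encode()
    return hmac.new(shared_secret, msg, hashlib.sha256).hexdigest()[:24]


def callback_hostname(token: str, domain: str = OAST_DOMAIN) -> str:
    """Hostname the probe points the target at."""
    return f"{token}.{domain}"


def extract_token(hostname: str, domain: str = OAST_DOMAIN):
    """Return the token label immediately left of the collector domain.

    DNS is case-insensitive and may carry a trailing dot, so normalise first.
    Returns None for anything that is not a well-formed callback for us.
    """
    name = hostname.rstrip(".").lower()
    suffix = "." + domain
    if not name.endswith(suffix):
        return None
    label = name[: -len(suffix)].split(".")[-1]
    # Only accept the hex alphabet our tokens are built from.
    if not re.fullmatch(r"[0-9a-f]{1,63}", label):
        return None
    return label


@dataclass(frozen=True)
class Interaction:
    protocol: str     # "dns", "ldap" or "http"
    token: str
    source_ip: str
    timestamp: float


class OastCollector:
    """Records out-of-band interactions and answers scanner queries."""

    def __init__(self, domain: str = OAST_DOMAIN):
        self.domain = domain
        self._log = []

    def record(self, protocol: str, hostname: str, source_ip: str,
               timestamp: float = None) -> bool:
        """Store an interaction; returns False for traffic we cannot attribute."""
        token = extract_token(hostname, self.domain)
        if token is None:
            return False  # internet background noise, not a scan result
        ts = timestamp if timestamp is not None else time.time()
        self._log.append(Interaction(protocol, token, source_ip, ts))
        return True

    def query(self, shared_secret: bytes, scan_id: str, probe_id: str):
        """All interactions whose token matches the scanner's secret-derived one."""
        expected = callback_token(shared_secret, scan_id, probe_id)
        return [i for i in self._log if hmac.compare_digest(i.token, expected)]


def was_vulnerable(collector: OastCollector, shared_secret: bytes,
                   scan_id: str, probe_id: str) -> bool:
    """The scanner's verdict: any callback for this probe means the lookup fired."""
    return len(collector.query(shared_secret, scan_id, probe_id)) > 0


def demo():
    """Constructed scenario: one probe triggers a DNS and an LDAP callback."""
    secret = b"scanner-shared-secret"   # constructed, shared by scanner and collector
    collector = OastCollector()
    token = callback_token(secret, "scan-42", "login-form/username")
    host = callback_hostname(token)
    collector.record("dns", host, "10.0.0.5", 1_700_000_000.0)       # target resolved it
    collector.record("ldap", host.upper() + ".", "10.0.0.5", 1_700_000_001.0)  # then connected
    collector.record("dns", "www.unrelated.example", "203.0.113.9")  # noise, ignored
    return {
        "hits": len(collector.query(secret, "scan-42", "login-form/username")),
        "vulnerable": was_vulnerable(collector, secret, "scan-42", "login-form/username"),
        "wrong_secret": was_vulnerable(collector, b"wrong-secret", "scan-42", "login-form/username"),
        "other_probe": was_vulnerable(collector, secret, "scan-42", "other-probe"),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to any OAST deployment: the collector must tolerate the case and trailing-dot variations DNS resolvers introduce, and a scan's verdict should depend only on interactions whose token the scanner can reproduce from its own secret, so unrelated traffic hitting the public collector never turns into a false positive.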

For customers who are testing internal networks without access to the public service, there will be an internal Docker container that can be used instead.

This new service will be used not only for the Log4Shell exploit but for other interesting attacks as well (list in the slide below).

How to get it:

  • WebInspect: Install 21.2 and Smartupdate to get the new check
  • WebInspect Enterprise: Install WIE Server 21.2 and Sensors 21.2 and Smartupdate the sensors
  • ScanCentral DAST: Install SCDast 21.2 and pull the latest version of the WI Sensors version 2.1

Again, our goal with this update is to keep WebInspect on the cutting edge of all things AppSec. One validation that WebInspect is at the top of its class in the AppSec industry is our perfect score of 5.0 for DAST in the 2021 Gartner MQ for AppSec Testing. With this new OAST capability, we're just making it even better. Shoutout to all our WebInspect users!
