Hello WebInspect users! We are currently creating a new set of capabilities to detect out-of-band vulnerabilities, using a technique called OAST (Out-of-Band Application Security Testing).
The Log4Shell vulnerability (CVE-2021-44228) everyone has been talking about is one of these: it causes Log4j to perform a lookup against a malicious LDAP server. This is an out-of-band attack because nothing is reflected back to the attacker; the interaction goes to a third machine, the malicious LDAP server.
How we will detect it
We are standing up a public service that can be used to capture the out-of-band attacks. WebInspect can then query this service and, by providing a shared secret key, determine if the server under testing was vulnerable.
For customers who are testing internal networks without access to the public service, there will be an internal Docker container that can be used.
This new service will be used not only for the Log4Shell exploit but for other interesting out-of-band attacks as well (listed in the slide below).
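The detection model described above (a callback service that captures out-of-band interactions, and a scanner that polls it with a shared secret to learn which probes fired) can be sketched in a few dozen lines. The following is an added illustration written for this post, not WebInspect's code and not the real service; the `OastCollector` class, the `oast.example` domain, the shared secret and every logged interaction are constructed for the demo. Each probe gets an unguessable token in its hostname, so a later DNS or LDAP contact carrying that token can be correlated back to the exact test request that caused it, and the poll is authenticated with an HMAC over a fresh nonce so that only a holder of the shared secret can read the results.

```python
from __future__ import annotations

import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass


@dataclass
class Interaction:
    """One inbound callback observed by the collector (constructed data in the demo)."""
    protocol: str    # "dns", "http" or "ldap"
    source_ip: str
    raw: str         # hostname looked up, or URL/path requested, by the remote side


class OastCollector:
    """Hypothetical callback service: hands unique probe hostnames to a scanner,
    records every interaction it receives, and answers authenticated polls."""

    def __init__(self, domain: str, shared_secret: bytes) -> None:
        self.domain = domain
        self.shared_secret = shared_secret
        self.probes: dict[str, str] = {}          # token -> scanner's label for the probe
        self.interactions: list[Interaction] = []

    def register_probe(self, label: str) -> str:
        """Return a unique hostname the scanner embeds in one test request."""
        token = secrets.token_hex(8)               # 16 lowercase hex chars, unguessable
        self.probes[token] = label
        return f"{token}.{self.domain}"

    def record(self, protocol: str, source_ip: str, raw: str) -> None:
        """Called by the collector's DNS/HTTP/LDAP listeners on every contact."""
        self.interactions.append(Interaction(protocol, source_ip, raw))

    def poll(self, nonce: bytes, tag: bytes) -> dict[str, list[Interaction]]:
        """Return probe label -> interactions that carried that probe's token.
        The caller proves knowledge of the shared secret with HMAC(secret, nonce)."""
        expected = hmac.new(self.shared_secret, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise PermissionError("shared secret mismatch")
        pattern = re.compile(r"([0-9a-f]{16})\." + re.escape(self.domain))
        hits: dict[str, list[Interaction]] = {}
        for ia in self.interactions:
            m = pattern.search(ia.raw.lower())
            if m and m.group(1) in self.probes:
                hits.setdefault(self.probes[m.group(1)], []).append(ia)
        return hits


def scanner_poll(collector: OastCollector, shared_secret: bytes) -> dict[str, list[Interaction]]:
    """Scanner side of the poll: a fresh nonce plus an HMAC tag over it."""
    nonce = secrets.token_bytes(16)
    tag = hmac.new(shared_secret, nonce, hashlib.sha256).digest()
    return collector.poll(nonce, tag)


SECRET = b"constructed-shared-secret"          # sample value for the demo, not a real key


def run_demo() -> dict[str, list[str]]:
    """Simulate one scan: two probes sent, only the first one triggers callbacks."""
    collector = OastCollector("oast.example", SECRET)
    host_a = collector.register_probe("GET /search?q=")
    collector.register_probe("header X-Api-Version")   # probe sent, never called back

    # Constructed interactions standing in for what the listeners would log:
    # the server under test resolved the probe host and then opened an LDAP
    # connection to it, which is exactly the out-of-band signal we want.
    collector.record("dns", "198.51.100.7", host_a)
    collector.record("ldap", "198.51.100.7", f"ldap://{host_a}/")
    collector.record("dns", "203.0.113.9", "unrelated.oast.example")   # noise, no token
    collector.record("http", "203.0.113.9", "/robots.txt")             # noise, no token

    hits = scanner_poll(collector, SECRET)
    return {label: sorted(ia.protocol for ia in ias) for label, ias in hits.items()}


def wrong_secret_is_rejected() -> bool:
    """A poller without the shared secret learns nothing, even knowing a probe host."""
    collector = OastCollector("oast.example", SECRET)
    collector.record("dns", "198.51.100.7", collector.register_probe("x"))
    try:
        scanner_poll(collector, b"not-the-secret")
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(run_demo())                  # {'GET /search?q=': ['dns', 'ldap']}
    print(wrong_secret_is_rejected())  # True
```

Two design points carry over to any real deployment of this pattern. The token must be unguessable and bound to one probe, otherwise unrelated traffic (or a third party who learns the collector's domain) can produce false positives; and the poll must be authenticated, otherwise the callback history doubles as a public list of which hosts are vulnerable. The internal Docker variant mentioned above fits the same model with the collector's domain pointing at a host inside the tested network.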
How to get it:
Again, our goal with this update is to keep WebInspect on the cutting edge of all things AppSec. A validation of how WebInspect is at the top of the class in the AppSec industry is our attainment of a perfect score of 5.0 in the 2021 Gartner MQ for AppSec Testing for DAST. With this new OAST capability, we’re just making it even better. Shoutout to all our WebInspect users!