CVSS3: 10.0 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Changed; Confidentiality Impact: High; Integrity Impact: High; Availability Impact: High
CVSS2: 9.3 High (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Access Vector: Network; Access Complexity: Medium; Authentication: None; Confidentiality Impact: Complete; Integrity Impact: Complete; Availability Impact: Complete
Qualys introduced Qualys Periscope in 2020. This technology allows Qualys Web Application Scanning (WAS) to detect out-of-band vulnerabilities such as server-side request forgery (SSRF). Qualys Periscope also provides confirmed detections for other vulnerabilities, such as Log4j, where the out-of-band callback enabled rapid development and release of the QID. Qualys occasionally receives questions and support cases related to Qualys Periscope, and this article covers the common questions and situations seen with out-of-band detections.
As of publishing, the vulnerability detections that utilize Qualys Periscope are:
The detection mechanism consists of the following steps:
When Qualys WAS scans a web application for out-of-band vulnerabilities, it injects specially crafted payloads into input fields; a different payload is used for each vulnerability type. In this example, WAS scans the web app at “www.example.com”. Imagine this web app includes functionality to display an image retrieved from a URL supplied by the client. To test for SSRF, the scanner sends a request similar to the one below. The field being fuzzed is the “url” query string parameter, and the payload is the SSRF one:
https://www.example.com/loadImage?url=http%3A%2F%2F2a3b948a2b0a.1463985_40627.1466122137.ssrf01.ssrf.in03.qualysperiscope.com
If the scanned web application is vulnerable, it attempts to make the HTTP request below. Before it can connect, it (or a resolver acting on its behalf) must resolve the fully qualified domain name in the payload, which is a subdomain of qualysperiscope.com:
http://2a3b948a2b0a.1463985_40627.1466122137.ssrf01.ssrf.in03.qualysperiscope.com
As part of that DNS resolution, the query reaches Qualys Periscope’s DNS service, which is authoritative for the domain. The service first verifies that the hash embedded in the queried name is valid; this ensures the lookup is genuine and was generated by a WAS scan. Once verified, Qualys Periscope logs the request internally. If verification fails, the request is simply dropped.
Subsequently, Qualys WAS requests the lookup data from Qualys Periscope, sending the scan ID and a hash. Qualys Periscope again verifies the hash and returns the external request data recorded for that scan ID (if any).
The data received from Qualys Periscope is in JSON as below:
{
  "lookup": "A-record",
  "request": "2a3b948a2b0a.1463985_40627.1466122137.ssrf01.ssrf.in03.qualysperiscope.com"
}
Web Application Scanning (WAS) processes the data received from Qualys Periscope and reports the vulnerabilities corresponding to the payloads that were successfully executed.
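The correlation the steps above describe, as an added example that is not Qualys code: the scanner mints one unique hostname per injection test with an embedded tag, the callback service verifies the tag on each DNS query it receives and drops anything else, and the scanner matches the returned lookup records back to the injection point that produced them. The shared key, the HMAC tag and the label layout are illustrative assumptions; the page only says that a hash is embedded and verified, and the real Qualys scheme is internal to the service.

```python
import hashlib
import hmac
from typing import Dict, List, Optional
from urllib.parse import quote

# Assumed key shared by the scanner and the callback DNS service. The page says a
# hash embedded in the name is verified; this HMAC layout is an illustrative
# stand-in, not Qualys's real format.
SHARED_KEY = b"example-shared-key-do-not-use"
CALLBACK_DOMAIN = "qualysperiscope.com"  # domain from the page; label layout below is assumed


def _tag(scan_id: str, test_id: str) -> str:
    """Truncated HMAC binding a callback name to one scan and one injection test."""
    msg = f"{scan_id}.{test_id}".encode()
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()[:12]


def make_payload_host(scan_id: str, test_id: str, vuln_type: str) -> str:
    """Scanner side: one unique hostname per injection test."""
    return f"{_tag(scan_id, test_id)}.{scan_id}.{test_id}.{vuln_type}.{CALLBACK_DOMAIN}"


def injection_url(base: str, param: str, host: str) -> str:
    """Place the callback URL into the fuzzed query parameter, URL-encoded as on the page."""
    return f"{base}?{param}={quote('http://' + host, safe='')}"


def verify_lookup(qname: str) -> Optional[Dict[str, str]]:
    """Callback-service side: parse a received query name and check its tag.

    Returns the parsed fields when the tag verifies; returns None (dropped) for
    names outside the callback domain, malformed names, or a bad tag.
    """
    qname = qname.rstrip(".").lower()
    suffix = "." + CALLBACK_DOMAIN
    if not qname.endswith(suffix):
        return None
    labels = qname[: -len(suffix)].split(".")
    if len(labels) != 4:
        return None
    tag, scan_id, test_id, vuln_type = labels
    if not hmac.compare_digest(tag, _tag(scan_id, test_id)):
        return None
    return {"scan_id": scan_id, "test_id": test_id, "vuln_type": vuln_type, "request": qname}


def correlate(scan_id: str, sent_tests: Dict[str, Dict[str, str]],
              lookups: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Scanner side: match lookup records (the JSON shape the page shows) back to
    the injection points this scan actually sent, discarding everything else."""
    findings = []
    for rec in lookups:
        parsed = verify_lookup(rec["request"])
        if parsed is None or parsed["scan_id"] != scan_id:
            continue
        point = sent_tests.get(parsed["test_id"])
        if point is None:
            continue
        findings.append({**point, "lookup": rec["lookup"],
                         "vuln_type": parsed["vuln_type"], "request": parsed["request"]})
    return findings


if __name__ == "__main__":
    # Constructed sample: the scan fuzzes the url parameter of /loadImage, then
    # receives two lookup records, one genuine and one whose tag does not match.
    scan = "1463985"
    tests = {"t01": {"url": "https://www.example.com/loadImage", "param": "url"}}
    host = make_payload_host(scan, "t01", "ssrf")
    print(injection_url(tests["t01"]["url"], "url", host))
    records = [{"lookup": "A-record", "request": host},
               {"lookup": "A-record", "request": host.replace("t01", "t02")}]
    for f in correlate(scan, tests, records):
        print(f"{f['vuln_type'].upper()} confirmed at {f['url']} param={f['param']}")
```

The tag is what makes the scheme robust: a resolver, proxy or mail gateway that re-queries the name still produces a valid callback (the name itself is unchanged), but a guessed or replayed name with a wrong tag is dropped before it is logged, which is why a hit proves the scan's injected value reached something that resolved it, and nothing more.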
Qualys WAS sends a unique URL for each vulnerability test. This allows a correlation between the injected value and the request received by Qualys Periscope, so we can be sure which injection caused the external service interaction. What may be less clear is which system made that request to Qualys Periscope.
As the detection is executed against an application, the injection point is known. This is apparent from the QIDs:
QID 150557 - Apache Spark Shell Command Injection Vulnerability (CVE-2022-33891)
QID 150258 – Server-Side Request Forgery (SSRF)
Since unique, dynamically generated URLs are used, the hostname must be resolved via DNS. Typically, the target application does not resolve the name itself; it hands the query to a DNS resolver, which walks the DNS hierarchy on its behalf. Therefore, the DNS request that arrives at the Qualys Periscope server may come from a resolver or another system that is not the target application/server. The many devices and software components in a networked system mean that any of them could be the source of the DNS request: proxies, reverse proxies, firewalls, web application firewalls, load balancers, host-based security software and so on could all issue the query, and we have observed cases where that has occurred.
When a Qualys Periscope detection occurs for a CVE-based QID, you can be assured it is valid. However, a non-CVE detection can occasionally be a false positive. Take a contact form that accepts a name and a message. If Qualys WAS injects the Periscope URL into the message body, an email containing it will most likely be sent. That email then passes through an email security appliance that performs a reputation check on the URL. Because the URL is dynamically created, it has no history, so the service visits it to evaluate it. To do so it must first resolve the name, and the Qualys Periscope server records a request originating from the email security provider. A similar situation may occur if the request carrying the Periscope URL results in an error: the error is logged, an email is sent to the application administrator, the URL is now in an email, the email security system checks the URL, and the result is a hit on Qualys Periscope.
Internal systems may not have the Internet access required to reach Qualys Periscope. If egress is only possible through a proxy, the injected URL will not be fetched along that path, so no callback is seen. SSRF does not need to reach the Internet to cause issues: an attacker with knowledge of the internal network can use it to pivot and make requests to internal servers.
Even when a different system made the request, mitigate the issue at the application level. Focus on the injection point in the scan report: should this field, parameter, or header value accept untrusted URLs at all? Applications should not accept untrusted input. If the application must accept URLs, allowlist the approved URLs (or hosts) and reject everything else.
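One way to apply that allowlist at the injection point from the earlier example, the “url” parameter of /loadImage, as an added example that is not part of the original article: the handler rejects any URL that is not https, carries credentials or a non-default port, names a host outside the allowlist, or resolves to a non-public address. The allowlisted hosts and the resolver hook are assumptions for illustration; the resolver is injectable so the check can be exercised offline and so the fetch can be pinned to the addresses that were validated.

```python
import ipaddress
import socket
from typing import Callable, List, Optional
from urllib.parse import urlsplit

# Assumed allowlist for the example loadImage endpoint: only these image origins
# may be fetched. The values are illustrative, not from the original page.
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}


def default_resolve(host: str) -> List[str]:
    """Resolve a hostname to its IP addresses (needs network; swapped out in tests)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_image_url(raw_url: str,
                       resolve: Callable[[str], List[str]] = default_resolve) -> Optional[str]:
    """Return a normalised URL the server may fetch, or None to reject the request.

    Checks, in order: https only; no userinfo and no non-default port in the
    authority (so "https://images.example.com@evil.example/" is refused); host
    on the allowlist; and every address the host resolves to is public, so an
    allowlisted name that points at loopback, 10/8 or the link-local metadata
    range is still refused. A callback hostname such as the Periscope payload
    fails at the allowlist step.
    """
    try:
        parts = urlsplit(raw_url)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme != "https":
        return None
    if parts.username is not None or parts.password is not None or port not in (None, 443):
        return None
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return None
    try:
        addrs = resolve(host)
        ips = [ipaddress.ip_address(a) for a in addrs]
    except (OSError, ValueError):
        return None
    if not ips or any(not ip.is_global for ip in ips):
        return None
    rebuilt = f"https://{host}{parts.path or '/'}"
    if parts.query:
        rebuilt += "?" + parts.query
    return rebuilt


if __name__ == "__main__":
    # Constructed inputs: a legitimate image URL, the SSRF payload from the
    # article, and an allowlisted name that (per the fake resolver) points inside.
    fake_public = lambda h: ["93.184.216.34"]
    fake_internal = lambda h: ["169.254.169.254"]
    print(validate_image_url("https://images.example.com/logo.png", resolve=fake_public))
    print(validate_image_url(
        "http://2a3b948a2b0a.1463985_40627.1466122137.ssrf01.ssrf.in03.qualysperiscope.com",
        resolve=fake_public))
    print(validate_image_url("https://images.example.com/logo.png", resolve=fake_internal))
```

The host allowlist is the fix the article asks for; the address check is a belt-and-braces layer for the case where an allowlisted name is later pointed at an internal address. To keep a DNS rebinding between validation and fetch from undoing it, connect to one of the addresses returned here rather than letting the HTTP client resolve the name a second time.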
Ultimately, the customer's organization is better equipped to investigate false positives than Qualys support. Because unique URLs are used, Qualys can be confident the scan did trigger some system to make the DNS request. Application owners, developers and network engineers know the inner workings of the systems involved and are the ones who can determine where the request originated. Qualys Periscope is only available during a scan, so if additional testing or verification is needed, consider using the open-source interactsh tool, or its hosted version at app.interactsh.com. Once the vulnerability is addressed, rescan with Qualys WAS to close the detection.