Why WAFs can’t catch VMware CVE-2021-21972 Remote Code Execution Exploit?
The recent critical security issue in VMware vCenter was discovered this January and fixed on February 23rd. The exploit looks like a simple JSP shell upload, but for some reason it is a blind spot for Web Application Firewalls (WAFs). Let's understand why. CVE-2021-21972 affects vCenter version...
Grammarly fixed XSS vulnerability that bypasses AWS WAF
Grammarly is the unicorn company that announced its open bug bounty program last September. Since that time, many security researchers have posted their submissions and been paid well. Some of Grammarly's issues are also instructive for others, like the recent XSS that also bypasses AWS WAF. The recent X...
E-commerce under Brute-Force attacks: how Wallarm stops it
Most of the Wallarm e-commerce customers are running WAF protection with brute-force attack protection functionality. The post E-commerce under Brute-Force attacks: how Wallarm stops it appeared first on Wallarm...
Risks involved with operatorAliases in Sequelize
The risks involved with the operatorAliases option in Sequelize, the popular Node.js ORM library for SQL DBMSs.
Build OWASP Top-10 2021 based on fair statistics
Unofficial OWASP Top-10 2021 predictions calculated from understandable metrics that anyone can reproduce, presented to the entire community for feedback.
Consul by HashiCorp: from Infoleak to RCE
Consul is software first released in 2014 for DNS-based service discovery. It provides distributed key-value storage, segmentation, and configuration. Registered services and nodes can be queried using a DNS interface or an HTTP interface (Wikipedia). Basically, Consul ensures the coherence of...
WAF JSON decoding capability required to protect against API threats like CVE-2020-13942 Apache Unomi RCE
A new critical Apache Unomi exploit was released yesterday. As the official press release says: "Apache Unomi is the industry's first reference implementation of the upcoming OASIS CDP specification established by the OASIS CXS Technical Committee, which sets standards as a core technology for enabli...
Libdetection: Introducing New Generation of Attacks Detection
In the latest version of Wallarm Node, we integrated a new attack detection engine that works in combination with the current detectors. Libdetection is a unique open-source project (https://github.com/wallarm/libdetection) that provides signature-free payload detection by implementing a syntax...
Cloudflare fixed an HTTP/2 smuggling vulnerability
On July 14th, Emil Lerner found and explored new ways of HTTP desync/smuggling exploitation based on HTTP/2 request processing issues. He submitted the bug to the Cloudflare security team through their bug bounty program. This security issue took Cloudflare a week to fix and was completed on July...
CVE-2020-24807: Preventing critical Socket.IO vulnerability
This year is full of extraordinary events, and the cybersecurity domain is not an exception. Massive WebSocket vulnerabilities are not discovered so often; we could say they are rare. But here is a new one, CVE-2020-24807, mentioned in a Socket.io advisory 6 days ago:...
Wallarm launches Cloud WAF with the best-in-class API protection
An easy-to-use Cloud WAF and API protection package. We are thrilled to announce the launch of the new Wallarm Cloud WAF deployment for the Wallarm Cloud-Native Security Platform. Get your application protection up and running in 15 minutes, without any installation at all. You can now gain protection...
Meet JWT heartbreaker, a Burp extension that finds thousands weak secrets automatically
In the recent post https://lab.wallarm.com/340-weak-jwt-secrets-you-should-check-in-your-code/, we presented the wallarm/jwt-secrets GitHub repository with 340 publicly available JSON Web Token secrets. Using this data, it's possible to check whether you or your developers forgot to change a default...
Exploiting Oracle WebLogic by Remote Code Execution with a /console endpoint restricted
This article explains how to exploit Oracle WebLogic for remote code execution using valid credentials. It's useful during black-box security audits, pentests, and infrastructure audits, including automated vulnerability scanning. To set up an example playground, we will use the following docke...
Fetching Full-Text Alert Data with the Wallarm API
A lot of information about detected malicious requests is already available in the Wallarm console UI. However, the search functionality of the Wallarm UI does not provide full visibility into every type of potential attack or full details of a particular alert. If this level of visibility is...
340 weak JWT secrets you should check in your code
JSON Web Token (JWT) is a data format with built-in signature and encryption mechanisms that modern web applications often use to store user sessions and application context, including authentication by SSO and metadata. Usually, you can find JWT tokens in an Authorization: Bearer HTTP...
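As an added illustration of the check this post describes (this is example code written for this page, not the wallarm/jwt-secrets repository or the JWT heartbreaker extension), the snippet below pulls a token out of an Authorization: Bearer header, re-computes its HMAC signature against a list of candidate secrets, and reports the first one that verifies. The candidate list and the tokens are constructed here; a real run would load the 340 entries from the repository instead. The check is deliberately limited to the HS* algorithms: a token signed with RSA or ECDSA keys cannot be cracked this way, and a token with alg "none" is a different problem entirely.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the wallarm/jwt-secrets wordlist (assumption: the real
# list is loaded from the repository's text file, one secret per line).
WEAK_SECRETS = ["secret", "password", "changeme", "jwt_secret", "your-256-bit-secret"]

HS_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url_decode(s: str) -> bytes:
    """Base64url without padding, as JWT uses; re-add the '=' padding before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def sign_hs(signing_input: bytes, secret: str, alg: str) -> bytes:
    """HMAC over 'header.payload' with the hash the alg names."""
    return hmac.new(secret.encode(), signing_input, HS_ALGS[alg]).digest()


def make_token(payload: dict, secret: str, alg: str = "HS256") -> str:
    """Build an HMAC-signed JWT; used here only to construct test inputs."""
    header = {"alg": alg, "typ": "JWT"}
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = sign_hs(f"{h}.{p}".encode(), secret, alg)
    return f"{h}.{p}.{b64url_encode(sig)}"


def extract_bearer(authorization_value: str):
    """Return the token from an 'Authorization: Bearer <jwt>' header value, or None."""
    scheme, _, token = authorization_value.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def find_weak_secret(token: str, candidates=WEAK_SECRETS):
    """Return the candidate secret whose HMAC reproduces the token's signature, else None.

    Only HS256/HS384/HS512 tokens are checked: asymmetric algorithms have no shared
    secret to guess, and 'none' has no signature at all.
    """
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
    except (ValueError, json.JSONDecodeError):
        return None
    alg = header.get("alg")
    if alg not in HS_ALGS:
        return None
    signing_input = f"{h}.{p}".encode()
    observed = b64url_decode(s)
    for cand in candidates:
        # constant-time compare so the check itself does not leak via timing
        if hmac.compare_digest(sign_hs(signing_input, cand, alg), observed):
            return cand
    return None


if __name__ == "__main__":
    # Constructed request header, as a proxy or Burp extension would see it.
    captured = "Bearer " + make_token({"sub": "alice", "admin": False}, "secret")
    tok = extract_bearer(captured)
    print("weak secret:", find_weak_secret(tok))
```

Once a secret verifies, the token can be re-signed with arbitrary claims, which is why a default or dictionary secret in a deployed application is a full authentication bypass rather than an information leak.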
Exporting Nginx Access Logs to an ELK Cluster
The Wallarm WAF provides an organization with the ability to protect their applications and APIs against a wide range of attacks. However, an organization may wish to achieve a greater degree of visibility into attack traffic and alerts than is possible via the Wallarm user interface. The Wallarm...
10 minutes to secure your Kubernetes application without giving up on customization: Wallarm WAF as a sidecar container with plain Kubernetes manifests
In this series' previous article, we added the AI-powered Wallarm WAF to our Helm-chart-bundled application as a sidecar container. As you can see, 10 minutes is the time we need to stop worrying about rules, lists, and attacks, and start focusing on performance, optimization, and deployment. As...
How to easily protect any Kubernetes application?
The king of container orchestration needs the best security companion: Wallarm WAF. When it comes to speed, portability, and the advantages of microservices architecture, no other product can compete with Kubernetes as a container orchestrator. Nevertheless, even the best solutions have challenge...
Protect your Helm chart bundled application with Wallarm WAF. 10-minutes configuration for continuous and enhanced security
Every application has its own specific goals, critical aspects, and needs. So, the logical conclusion would be that every app needs an in-depth manual configuration, right? Well, here at Wallarm, we’re security experts and developers from the real world, and we know that in many cases time,...
Building Security into Cloud Native Apps with NGINX
Industries from hospitality to taxis/transportation and food delivery are being disrupted by new age companies like Airbnb, Uber and DoorDash that have a cloud-based software infrastructure as one of their main enablers. Why do all these new companies use cloud and what advantage does it give the...
How To Protect Your Kubernetes Cluster with Wallarm – Running in Production Mode – part 3 of 3
The previous two blog articles in this series describe how to set up the Wallarm Ingress controller and configure it so that it can properly allow or block traffic from trusted or suspicious/malicious IP addresses. This is essential to the functionality of Wallarm's Ingress controller, but it isn't...
How To Protect Your Kubernetes Cluster with Wallarm – Configuration and Finetuning – part 2 of 3
Wallarm's Kubernetes Ingress controller is designed to help protect your Kubernetes cluster against cyberattacks. Its built-in web application firewall (WAF) is capable of detecting and blocking a wide range of common attacks against Kubernetes deployments. The previous article in this series...
How To Protect Your Kubernetes Cluster with Wallarm – part 1 of 3
Kubernetes clusters enable an organization to easily take advantage of containerization. While this is a huge asset, it also creates security issues. Many organizations lack visibility into the applications within their Kubernetes cluster and their attack surface. Within a Kubernetes cluster, an...
SOC 2 Compliance During Covid-19 Times
A lot of IT Security Officers responsible for driving the SOC 2 certification in their companies are probably wondering how the switch to mostly remote workspaces will affect their SOC 2 landscape. I would say that there are two types of companies affected or not affected by the coronavirus:...
The Evolution of Cyber Defense
To my knowledge, the first reference to the idea and principles of signatures for detecting network attacks dates back to 1987. This was a scientific paper by Dorothy E. Denning from Stanford Research Institute (SRI). Here's the link to the paper. According to the publication's records, it was sent t...
Security Challenges in FinTech – Discussion with Vandana Verma, OWASP
In the digital era, financial institutions serve an increasing number of customers through web and mobile applications. Fintech maintains online security, and OWASP offers pieces of the puzzle to address the challenges. We CAN solve these challenges by leveraging the OWASP community knowledge bas...
Yii2 Gii Remote Code Execution
This article is written specifically for web developers who use the Gii module. We will tell you how we got access to sensitive data on a staging server through Yii2 Gii remote code execution: first in the testing environment, and then in production. Spoiler: We have notified the module developer about the...
Why You Need to Use Rules in Your Yii2 Framework Models
In the previous article, we described the vulnerability discovered in the Yii2 Framework 2.0.35. In this piece, you'll find out how to prevent it. It's a highly recommended read, especially for web developers who want to quickly check the rule settings and fix a detected vulnerability. Yii is an...
Securing GraphQL API
Introduction to GraphQL. Representational state transfer (REST) APIs are the most popular type of API. However, GraphQL is rapidly growing in popularity as a competitor to REST. GraphQL is a meta-layer with a built-in query language to access object-oriented data. It's based on JSON-encoded HTTP...
Testing ModSecurity for false positives by books texts
The main thing that prevents enabling security solutions like WAF/RASP/IDS/IPS in blocking mode is false positives. Probably the second is their inline performance and additional latency, but still. As a cloud-native WAF vendor, we at Wallarm are actively checking our products for false...
Apache Solr 1,2,3,4 Kill-Chain.
One of the services Wallarm offers today is pentest audits. Our team met a new challenging task on a recent project: a penetration test of Apache Solr v4.10.4. We want to use this blog to describe the way we identified the vulnerability and managed to execute commands with root...
Isometric Illustrations in Figma
Figma is a powerful tool for interface development and prototyping. We use it to design our products and to create graphic layouts for marketing and other purposes. One of the most significant advantages of Figma is that it allows you to write custom plugins enabling third-party developers to...
Protecting gRPC applications and APIs
Wallarm has always stood out from its competitors when it comes to supporting modern stacks. For a long time Wallarm has been the only product to provide comprehensive protection for WebSockets-based web applications. Once again, Wallarm is glad to be the pioneer and add support for the gRPC...
Application security through the lens of Cyberwar – One on One with Chris Kubecka
Last month, Wallarm Cybersecurity Strategist Kavya Pearlman interviewed cyberwarfare expert Chris Kubecka in a webinar session, a well-attended and very timely discussion. If you missed the webinar, worry not! Here is a quick recap of the discussion around "Application Security in the age...
OWASP API Top 10 Projects: Highlights and Overview
In addition to the same risks that web applications are exposed to, APIs face a number of unique security risks and vulnerabilities. This blog provides an overview of the new OWASP API Top 10 risk project.
When your WAF needs its own WAF
Security products have their own security issues, which can affect the products they were designed to secure. It's not a recursive loop, but the reality. WAFs are no exception. You may remember the Cloudflare self-DoS that happened last year...
RSA 2020 – Must Visit
Visit Wallarm at RSA 2020, booth 4118, and see a list of other events going on during the conference for a richer experience.
Blind SSRF exploitation
There is such a thing as SSRF. There's lots of information about it, but here is my quick summary. Let's say you go to a website, fill out your profile, and get to the "Upload Profile Picture" step. And you have a choice: upload a file or specify a link.
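The "specify a link" option above is exactly where SSRF starts: the server fetches whatever URL the user supplies. As an added example for this page (not code from the post or from Wallarm), the validator below shows the checks a server-side fetcher needs before following that link: allow only http/https, reject userinfo in the URL, resolve the hostname, and refuse any address that is loopback, private, link-local (including the cloud metadata address 169.254.169.254) or otherwise non-routable. The resolver is a constructed in-memory table so the example runs offline; in production it would be a real DNS lookup, and the caller must connect to the IP the validator returns rather than re-resolving the name, otherwise DNS rebinding turns the check into a race.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed stand-in for DNS (assumption: replace with socket.getaddrinfo in a
# real fetcher). Hostnames and addresses here are illustrative only.
FAKE_DNS = {
    "cdn.example.com": ["8.8.8.8"],
    "metadata.internal": ["169.254.169.254"],   # cloud metadata endpoint
    "localtest.example": ["127.0.0.1"],
    "dual.example": ["1.1.1.1", "10.0.0.5"],    # one public, one internal record
}


def is_public_ip(ip: str) -> bool:
    """True only for addresses that are routable on the public internet."""
    a = ipaddress.ip_address(ip)
    return not (
        a.is_private or a.is_loopback or a.is_link_local
        or a.is_multicast or a.is_reserved or a.is_unspecified
    )


def validate_picture_url(url: str, resolve=lambda host: FAKE_DNS.get(host, [])):
    """Decide whether the server may fetch `url` on the user's behalf.

    Returns (True, [pinned IPs]) or (False, reason). Every resolved address must be
    public: a single internal record is enough to reject the host.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        # Literal IP in the URL (IPv4 or bracketed IPv6): no DNS step needed.
        ips = [str(ipaddress.ip_address(host))]
    except ValueError:
        ips = resolve(host)
    if not ips:
        return False, f"cannot resolve {host!r}"
    for ip in ips:
        if not is_public_ip(ip):
            return False, f"{host!r} resolves to non-public address {ip}"
    # Caller must connect to one of these addresses directly (pinning), so the
    # name cannot be re-resolved to an internal address after validation.
    return True, ips


if __name__ == "__main__":
    for candidate in [
        "https://cdn.example.com/avatar.png",
        "http://169.254.169.254/latest/meta-data/",
        "http://metadata.internal/",
        "http://dual.example/pic.jpg",
        "file:///etc/passwd",
        "http://user@cdn.example.com/",
        "http://[::1]:8080/admin",
    ]:
        print(candidate, "->", validate_picture_url(candidate))
```

The blind variant the post title refers to changes nothing in this validator: whether or not the attacker sees the response body, the server must not make the request in the first place. Blocking by IP class also covers obfuscated forms of the same address (decimal, octal, IPv6-mapped), because the check runs on the parsed address rather than on the string the user typed.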
Wallarm team is growing!
Wallarm's unique approach provides actionable insight that identifies and protects against real attacks and vulnerabilities. I'm excited to be part of the team that automates this for modern services and cloud-based applications.