Qualys Blogs


This update to QualysGuard 8.0 includes improvements to the QualysGuard API, allowing you to integrate your programs and API calls with QualysGuard Vulnerability Management (VM) and QualysGuard Policy Compliance (PC).

 

What’s New

VM - “Security Risk Score” summary added to XML and CSV reports

VM & PC - "Network Support API” Updates

 

QualysGuard API Server URL. The QualysGuard API documentation and sample code use the API server URL for QualysGuard US Platform 1. If your account is located on another platform, please replace this URL with the appropriate server URL for your account.

 

Account Location              API Server URL for login
QualysGuard US Platform       https://qualysapi.qualys.com
QualysGuard US Platform 2     https://qualysapi.qg2.apps.qualys.com
QualysGuard EU Platform       https://qualysapi.qualys.eu
QualysGuard @Customer         https://qualysapi.<customer_base_url>

 

QualysGuard API Documentation. API user guides and other documentation are available in your account’s Resources section (Help > Resources > API). Note: The service enforces limits on the API calls users can make within a subscription. See “QualysGuard API Limits” for details.

 

VM - “Security Risk Score” summary added to XML and CSV reports

With this release, vulnerability scan reports include a security risk score summary for the report and per host in all report formats; earlier this summary was not included in the XML or CSV formats. As before, the risk score summary appears when your report template is configured for host based findings (automatic data) and the Text Summary option is selected. The asset_data_report.dtd was updated; we’ll show you the changes.

 

Tell me about the Security Risk Score. The score for the overall report is the average security risk for all hosts in the report. The score for each host is either the average severity level detected (the default) or the highest severity level detected. Managers can configure the calculation method for the subscription by going to Reports > Setup > Security Risk. Are you an Express Lite user? If yes, the average severity level is always used.

 

Sample reports. These reports were created using a scan report template configured with host based findings and Text Summary is selected (under Display > Detailed Results).

 

CSV report:

New rows show you the security risk score summary for the report and per host.


 

XML report:

New XML elements show you the security risk summary for the report (see <RISK_SCORE_SUMMARY>) and per host (see <RISK_SCORE_PER_HOST>).

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE ASSET_DATA_REPORT SYSTEM "https://qualysguard.qualys.com/asset_data_report.dtd">
<ASSET_DATA_REPORT>
  <HEADER>
    <COMPANY><![CDATA[Qualys, Inc.]]></COMPANY>
    <USERNAME>USERNAME</USERNAME>
    <GENERATION_DATETIME>2014-03-11T23:56:22Z</GENERATION_DATETIME>
    ...
    <RISK_SCORE_SUMMARY>
      <TOTAL_VULNERABILITIES>14</TOTAL_VULNERABILITIES>
      <AVG_SECURITY_RISK>2.6</AVG_SECURITY_RISK>
      <BUSINESS_RISK>13/100</BUSINESS_RISK>
    </RISK_SCORE_SUMMARY>
  </HEADER>
  <RISK_SCORE_PER_HOST>
    <HOSTS>
      <IP_ADDRESS>10.10.24.104</IP_ADDRESS>
      <TOTAL_VULNERABILITIES>4</TOTAL_VULNERABILITIES>
      <SECURITY_RISK>2.5</SECURITY_RISK>
    </HOSTS>
    <HOSTS>
      <IP_ADDRESS>10.10.24.106</IP_ADDRESS>
      <TOTAL_VULNERABILITIES>10</TOTAL_VULNERABILITIES>
      <SECURITY_RISK>2.6</SECURITY_RISK>
    </HOSTS>
  </RISK_SCORE_PER_HOST>
  <HOST_LIST>
    <HOST>
      <IP>10.10.24.104</IP>
      <TRACKING_METHOD>IP</TRACKING_METHOD>
...
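As an added example (not code from this post or from Qualys), the following Python parses the RISK_SCORE_SUMMARY and RISK_SCORE_PER_HOST elements and cross-checks the report-level score against the per-host rows using the averaging rule described above. The sample report is constructed from the excerpt (with placeholder TEMPLATE and TARGET values), as is the ERROR sample.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the ASSET_DATA_REPORT excerpt in this post; the elided
# HEADER parts are filled with placeholder values and the scores are the ones shown above.
SAMPLE_REPORT = b"""<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE ASSET_DATA_REPORT SYSTEM "https://qualysguard.qualys.com/asset_data_report.dtd">
<ASSET_DATA_REPORT>
  <HEADER>
    <COMPANY><![CDATA[Qualys, Inc.]]></COMPANY>
    <USERNAME>USERNAME</USERNAME>
    <GENERATION_DATETIME>2014-03-11T23:56:22Z</GENERATION_DATETIME>
    <TEMPLATE>Constructed Template</TEMPLATE>
    <TARGET/>
    <RISK_SCORE_SUMMARY>
      <TOTAL_VULNERABILITIES>14</TOTAL_VULNERABILITIES>
      <AVG_SECURITY_RISK>2.6</AVG_SECURITY_RISK>
      <BUSINESS_RISK>13/100</BUSINESS_RISK>
    </RISK_SCORE_SUMMARY>
  </HEADER>
  <RISK_SCORE_PER_HOST>
    <HOSTS>
      <IP_ADDRESS>10.10.24.104</IP_ADDRESS>
      <TOTAL_VULNERABILITIES>4</TOTAL_VULNERABILITIES>
      <SECURITY_RISK>2.5</SECURITY_RISK>
    </HOSTS>
    <HOSTS>
      <IP_ADDRESS>10.10.24.106</IP_ADDRESS>
      <TOTAL_VULNERABILITIES>10</TOTAL_VULNERABILITIES>
      <SECURITY_RISK>2.6</SECURITY_RISK>
    </HOSTS>
  </RISK_SCORE_PER_HOST>
</ASSET_DATA_REPORT>
"""

# Constructed: the DTD allows an ERROR element in place of the report body.
ERROR_REPORT = b'<ASSET_DATA_REPORT><ERROR number="999">constructed error</ERROR></ASSET_DATA_REPORT>'


def parse_risk_scores(xml_bytes):
    """Return (summary, hosts): summary is a dict from HEADER/RISK_SCORE_SUMMARY (None
    when absent), hosts a list of dicts from RISK_SCORE_PER_HOST/HOSTS ([] when absent).
    Both are optional in the DTD. The stdlib parser does not fetch the external DTD
    named in the DOCTYPE, so this runs offline."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "ASSET_DATA_REPORT":
        raise ValueError("not an ASSET_DATA_REPORT document")
    error = root.find("ERROR")
    if error is not None:
        raise RuntimeError("report error %s: %s" % (error.get("number"), (error.text or "").strip()))
    summary = None
    node = root.find("HEADER/RISK_SCORE_SUMMARY")
    if node is not None:
        summary = {
            "total_vulnerabilities": int(node.findtext("TOTAL_VULNERABILITIES")),
            "avg_security_risk": float(node.findtext("AVG_SECURITY_RISK")),
            "business_risk": node.findtext("BUSINESS_RISK"),
        }
    hosts = []
    for host in root.iterfind("RISK_SCORE_PER_HOST/HOSTS"):
        hosts.append({
            "ip": host.findtext("IP_ADDRESS"),
            "total_vulnerabilities": int(host.findtext("TOTAL_VULNERABILITIES")),
            "security_risk": float(host.findtext("SECURITY_RISK")),
        })
    return summary, hosts


def check_summary(summary, hosts, tolerance=0.1):
    """Cross-check the report-level summary against the per-host rows. The post says the
    report score is the average of the host scores and the counts should add up; scores
    are published to one decimal, so a 0.1 tolerance absorbs rounding (2.5 and 2.6
    average to 2.55, reported as 2.6). Returns a list of discrepancies, empty if consistent."""
    if summary is None or not hosts:
        return ["summary or per-host section missing from report"]
    problems = []
    total = sum(h["total_vulnerabilities"] for h in hosts)
    if total != summary["total_vulnerabilities"]:
        problems.append("host totals %d != summary total %d" % (total, summary["total_vulnerabilities"]))
    mean = sum(h["security_risk"] for h in hosts) / len(hosts)
    if abs(mean - summary["avg_security_risk"]) > tolerance:
        problems.append("mean host risk %.2f != summary %.1f" % (mean, summary["avg_security_risk"]))
    return problems


def hosts_at_or_above(hosts, threshold):
    """Hosts whose SECURITY_RISK is at least threshold, highest risk first."""
    return sorted((h for h in hosts if h["security_risk"] >= threshold),
                  key=lambda h: h["security_risk"], reverse=True)


if __name__ == "__main__":
    summary, hosts = parse_risk_scores(SAMPLE_REPORT)
    print("report summary:", summary)
    print("consistency problems:", check_summary(summary, hosts) or "none")
    for h in hosts_at_or_above(hosts, 2.6):
        print("%s risk %.1f (%d vulns)" % (h["ip"], h["security_risk"], h["total_vulnerabilities"]))
```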

 

DTD updates:

You’ll see the updated asset_data_report.dtd below. There are two new elements, RISK_SCORE_PER_HOST and RISK_SCORE_SUMMARY.

<!-- QUALYS ASSET DATA REPORT DTD -->

<!ELEMENT ASSET_DATA_REPORT (ERROR | (HEADER, RISK_SCORE_PER_HOST?, HOST_LIST?, GLOSSARY?, APPENDICES?))>


<!ELEMENT ERROR (#PCDATA)*>
<!ATTLIST ERROR number CDATA #IMPLIED>




<!-- HEADER -->


<!ELEMENT HEADER (COMPANY, USERNAME, GENERATION_DATETIME, TEMPLATE,
                  TARGET, RISK_SCORE_SUMMARY?)>


<!ELEMENT COMPANY (#PCDATA)>
<!ELEMENT USERNAME (#PCDATA)>
<!ELEMENT GENERATION_DATETIME (#PCDATA)>
<!ELEMENT TEMPLATE (#PCDATA)>
<!ELEMENT TARGET (USER_ASSET_GROUPS?, USER_IP_LIST?, COMBINED_IP_LIST?, 
                  ASSET_TAG_LIST?)>


<!ELEMENT USER_ASSET_GROUPS (ASSET_GROUP_TITLE+)>
<!ELEMENT ASSET_GROUP_TITLE (#PCDATA)>


<!ELEMENT USER_IP_LIST (RANGE*)>
<!ELEMENT RANGE (START, END)>
<!ELEMENT START (#PCDATA)>
<!ELEMENT END (#PCDATA)>


<!ELEMENT COMBINED_IP_LIST (RANGE*)>


<!ELEMENT ASSET_TAG_LIST (INCLUDED_TAGS, EXCLUDED_TAGS?)>


<!ELEMENT INCLUDED_TAGS (ASSET_TAG*)>
<!ATTLIST INCLUDED_TAGS scope CDATA #IMPLIED>


<!ELEMENT EXCLUDED_TAGS (ASSET_TAG*)>
<!ATTLIST EXCLUDED_TAGS scope CDATA #IMPLIED>


<!-- AVERAGE RISK_SCORE_SUMMARY -->
<!ELEMENT RISK_SCORE_SUMMARY (TOTAL_VULNERABILITIES, AVG_SECURITY_RISK,
                              BUSINESS_RISK)>
<!ELEMENT TOTAL_VULNERABILITIES (#PCDATA)>
<!ELEMENT AVG_SECURITY_RISK (#PCDATA)>
<!ELEMENT BUSINESS_RISK (#PCDATA)>


<!-- RISK_SCORE_PER_HOST -->
<!ELEMENT RISK_SCORE_PER_HOST (HOSTS+)>
<!ELEMENT HOSTS (IP_ADDRESS, TOTAL_VULNERABILITIES, SECURITY_RISK)>
<!ELEMENT IP_ADDRESS (#PCDATA)>
<!ELEMENT SECURITY_RISK (#PCDATA)>


<!-- HOST_LIST -->


<!ELEMENT HOST_LIST (HOST+)>
...

 

VM & PC - Network Support API Updates

 

We made some updates to the Network Support API for QualysGuard 8.0. You’ll find the latest information integrated into this user guide. You might like to review the latest changes below.

 

Set Up Networks

 

Scanner Appliance List API v2 - filter by network ID

The Scanner Appliance List API v2 (resource /api/2.0/fo/appliance/ with action=list) returns scanner appliances in your account. Now you can use the new input parameter “network_id” (optional) to return a list of scanner appliances for a certain network. Specify 0 for the Global Default Network or a custom network ID.

 

For example:

curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" \
  "https://qualysapi.qualys.com/api/2.0/fo/appliance/?action=list&network_id=1002"

 

Organize Assets by Network

 

Asset Group List API v1 - network ID added to group’s IPs

The Asset Group List API v1 (/msp/asset_group_list.php) is used to retrieve a list of asset groups in your account. We added a new attribute “network_id” to the subelement /SCANIPS/IP in the XML output (asset_group_list.dtd). This appears for an All asset group that is not the same as the subscription’s All asset group.

 

Have multiple All asset groups? Yes you might. There is always 1 All asset group for the subscription - this includes all assets, visible to Managers. If you have business units, there is 1 unique All asset group for each business unit. If you have Scanners and/or Readers, there is 1 unique All asset group for each Scanner/Reader account. (There is no All asset group for a network.)

 

Sample XML output:

Sample XML output showing an All asset group that is not the subscription’s All asset group:

...
<ASSET_GROUP>
  <ID>5010</ID>
  <TITLE><![CDATA[All]]></TITLE>
  <SCANIPS>
    <IP network_id="0"> 10.0.0.0-10.10.10.11</IP>
    <IP network_id="0"> 10.10.10.13-10.10.10.247</IP>
    <IP network_id="1193"> 10.0.0.0-10.10.10.11</IP>
    <IP network_id="1193"> 10.10.10.13-10.10.10.247</IP>
...

 

DTD update:

New “network_id” attribute added to the subelement /IP.

...
<!ELEMENT IP (#PCDATA)>
<!ATTLIST IP network_id CDATA "0">
...

 

Asset Management

Support for IP List API v2

The IP List API v2 (resource /api/2.0/fo/asset/ip/ with action=list) is used to retrieve a list of IP addresses in your account. The XML output now lists the network ID for each IP address/range when the request is made by a sub-user with access to multiple networks. We added a new attribute “network_id” to the subelements /IP_SET/IP and /IP_SET/IP_RANGE in the XML output (ip_list_output.dtd).

 

Good to know:

 

  • Managers will not see the “network_id” attribute for any IP or IP_RANGE elements in the output since Managers can see all IPs for all networks.
  • Any sub-user with access to only a single network (the Global Default Network or a custom network) will not see the “network_id” attribute either. This is for consistency with the UI, where these users do not see the network workflows.

 

Sample XML output:

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE IP_LIST_OUTPUT SYSTEM "https://qualysapi.qualys.com/api/2.0/fo/asset/ip/ip_list_output.dtd">
<IP_LIST_OUTPUT>
  <RESPONSE>
    <DATETIME>2014-02-14T22:47:32Z</DATETIME>
    <IP_SET>
      <IP_RANGE network_id="0">1.0.0.0-10.10.10.14</IP_RANGE>
      <IP_RANGE network_id="0">10.10.10.17-10.10.10.29</IP_RANGE>
      <IP network_id="0">10.10.10.32</IP>
    </IP_SET>
  </RESPONSE>
</IP_LIST_OUTPUT>

 

 

DTD updates:

New “network_id” attribute added to the subelements /IP_SET/IP and /IP_SET/IP_RANGE.

...
<!ELEMENT IP_SET ((IP|IP_RANGE)+)>
<!ELEMENT IP (#PCDATA)>
<!ATTLIST IP
  network_id  CDATA  "0"
>
<!ELEMENT IP_RANGE (#PCDATA)>
<!ATTLIST IP_RANGE
  network_id  CDATA  "0"
>
...

 

Support for Excluded IP List API v2

The Excluded IP List API v2 (/api/2.0/fo/asset/excluded_ip/ with action=list) returns a list of excluded hosts.

 

Use the new input parameter “network_id” (optional) to return a list of excluded IPs for a certain network.

 

The XML output now identifies the network ID for each IP address/range when your subscription has at least 1 network defined. We added a new attribute “network_id” to the subelements /IP_SET/IP and /IP_SET/IP_RANGE in the XML output (ip_list_output.dtd).

 

Sample XML output:

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE IP_LIST_OUTPUT SYSTEM "https://qualysapi.qualys.com/api/2.0/fo/asset/excluded_ip/ip_list_output.dtd">
<IP_LIST_OUTPUT>
  <RESPONSE>
    <DATETIME>2014-03-20T20:49:19Z</DATETIME>
    <IP_SET>
      <IP network_id="0">10.10.10.19</IP>
      <IP_RANGE network_id="1275">10.10.50.6-10.10.50.10</IP_RANGE>
    </IP_SET>
  </RESPONSE>
</IP_LIST_OUTPUT>

 

DTD updates:

New “network_id” attribute added to the subelements /IP_SET/IP and /IP_SET/IP_RANGE.

...
<!ELEMENT IP_SET ((IP|IP_RANGE)+)>
<!ELEMENT IP (#PCDATA)>
<!ATTLIST IP
  network_id  CDATA  "0"
>
<!ELEMENT IP_RANGE (#PCDATA)>
<!ATTLIST IP_RANGE
  network_id  CDATA  "0"
>
...

 

Support for Excluded IP Change History API v2

The excluded IP change history V2 API (/api/2.0/fo/asset/excluded_ip/history/ with action=list) returns a change history for excluded hosts.

 

Use the new input parameter “network_id” (optional) to return a list of excluded IPs for a certain network.

 

The XML output now identifies the network ID for each IP address/range when your subscription has at least 1 network defined. We added a new attribute “network_id” to the subelements /IP_SET/IP and /IP_SET/IP_RANGE in the XML output (history_list_output.dtd).

 

Sample XML output:

...
 <HISTORY_LIST>
      <HISTORY>
        <ID>1441</ID>
        <IP_SET>
          <IP_RANGE network_id="0">10.10.10.234-10.10.10.235</IP_RANGE>
        </IP_SET>
        <ACTION>Added</ACTION>
...

 

DTD updates:

New “network_id” attribute added to the subelements /IP_SET/IP and /IP_SET/IP_RANGE.

...
<!ELEMENT IP_SET ((IP|IP_RANGE)+)>
<!ELEMENT IP (#PCDATA)>
<!ATTLIST IP
  network_id  CDATA  "0"
>
<!ELEMENT IP_RANGE (#PCDATA)>
<!ATTLIST IP_RANGE
  network_id  CDATA  "0"
>
...
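The following Python is an added example, not Qualys code: it reads network_id from the IP and IP_RANGE entries under any IP_SET, so one routine serves the IP List, Excluded IP List and Excluded IP Change History outputs above, and it applies the DTD default of 0 when the attribute is absent (the Manager and single-network cases noted under "Good to know"). Both XML documents are constructed from the samples in this post.

```python
import xml.etree.ElementTree as ET
from ipaddress import ip_address

# Constructed from the IP List and Excluded IP List samples above: a sub-user with
# access to two networks sees network_id on every entry.
SUBUSER_OUTPUT = b"""<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE IP_LIST_OUTPUT SYSTEM "https://qualysapi.qualys.com/api/2.0/fo/asset/ip/ip_list_output.dtd">
<IP_LIST_OUTPUT>
  <RESPONSE>
    <DATETIME>2014-02-14T22:47:32Z</DATETIME>
    <IP_SET>
      <IP_RANGE network_id="0">1.0.0.0-10.10.10.14</IP_RANGE>
      <IP_RANGE network_id="0">10.10.10.17-10.10.10.29</IP_RANGE>
      <IP network_id="0">10.10.10.32</IP>
      <IP_RANGE network_id="1275"> 10.10.50.6-10.10.50.10</IP_RANGE>
    </IP_SET>
  </RESPONSE>
</IP_LIST_OUTPUT>
"""

# Constructed: the same call made by a Manager (or a single-network sub-user), where
# the post says the attribute is omitted entirely.
MANAGER_OUTPUT = b"""<?xml version="1.0" encoding="UTF-8" ?>
<IP_LIST_OUTPUT>
  <RESPONSE>
    <DATETIME>2014-02-14T22:47:32Z</DATETIME>
    <IP_SET>
      <IP_RANGE>10.10.10.17-10.10.10.29</IP_RANGE>
      <IP>10.10.10.32</IP>
    </IP_SET>
  </RESPONSE>
</IP_LIST_OUTPUT>
"""

GLOBAL_DEFAULT_NETWORK = "0"   # the DTD default and the ID the post gives the Global Default Network


def parse_ip_sets(xml_bytes):
    """Return a list of (network_id, first_ip, last_ip) for every IP and IP_RANGE under
    any IP_SET in the document, so the same code serves the IP List, Excluded IP List
    and Excluded IP Change History outputs. A missing network_id attribute means the
    Global Default Network, not malformed output."""
    root = ET.fromstring(xml_bytes)
    entries = []
    for ip_set in root.iter("IP_SET"):
        for node in ip_set:
            text = (node.text or "").strip()          # samples above show leading spaces
            net = node.get("network_id", GLOBAL_DEFAULT_NETWORK)
            if node.tag == "IP":
                first = last = ip_address(text)
            elif node.tag == "IP_RANGE":
                lo, sep, hi = text.partition("-")
                if not sep:
                    raise ValueError("IP_RANGE without '-': %r" % text)
                first, last = ip_address(lo.strip()), ip_address(hi.strip())
                if last < first:
                    raise ValueError("inverted IP_RANGE: %r" % text)
            else:
                continue                               # not declared by the DTD; skip it
            entries.append((net, first, last))
    return entries


def group_by_network(entries):
    """Map network_id -> list of (first_ip, last_ip) ranges."""
    by_net = {}
    for net, first, last in entries:
        by_net.setdefault(net, []).append((first, last))
    return by_net


def networks_containing(entries, ip):
    """Network IDs whose entries cover `ip`. More than one is possible: the Asset Group
    sample above lists the same range under network 0 and network 1193."""
    addr = ip_address(ip)
    return {net for net, first, last in entries if first <= addr <= last}


if __name__ == "__main__":
    for name, doc in (("sub-user", SUBUSER_OUTPUT), ("manager", MANAGER_OUTPUT)):
        for net, ranges in sorted(group_by_network(parse_ip_sets(doc)).items()):
            print(name, "network", net, ["%s-%s" % r for r in ranges])
```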

Mixed content issues arise when web sites deliver their pages over HTTPS, but allow some of the resources to be delivered in plaintext. An active network attacker can't do anything about the encrypted traffic, but messing with the plaintext can result in attacks ranging from phishing in the best case to full browser compromise in the worst. A single exposed script is sufficient: the attacker can hijack the connection and inject arbitrary attack payloads into it.

 

We tend to talk a lot about other aspects of SSL/TLS, but mixed content is arguably the easiest way to completely mess up your web site encryption.

 

In the very early days of the Web, all mixed content was allowed; web browsers expected site operators to think through the consequences of mixing content. That, of course, did not result in great security. Site operators did whatever they needed to get their work done and decrease costs. Only in recent years did browser vendors start to pay attention and restrict mixed content.

Mixed content in modern browsers

Today, almost all major browsers tend to break mixed content into two categories: passive for images, videos, and sound; and active for more dangerous resources, such as scripts. They tend to allow passive mixed content by default, but reject active content. This is clearly a compromise between breaking the Web and reasonable security.

 

Internet Explorer has been the leader in secure mixed content handling. As early as Internet Explorer 5 (according to this post), they had detection and prevention of insecure content by default. Chrome started blocking by default in 2011, and Firefox in 2013. The default Android browser and Safari, however, still allow all mixed content without any restrictions (and with almost non-existent warnings).

 

Here are the results of my recent testing of what insecure content is allowed by default:

 

Browser                Images  CSS  Scripts  XHR  WebSockets  Frames
Android browser 4.4.x  Yes     Yes  Yes      Yes  Yes         Yes
Chrome 33              Yes     No   No       Yes  Yes         No
Firefox 28             Yes     No   No       No   No          No
Internet Explorer 11   Yes     No   No       No   No          No
Safari 7               Yes     Yes  Yes      Yes  Yes         Yes

 

They are mostly as expected, but there's a surprise with Chrome, which blocks active page content but still allows plaintext XMLHttpRequest and WebSocket connections.

 

It's worth mentioning that the table does not tell us everything. For example, browsers tend not to control what their plugins do. Further, certain components (e.g., Flash or Java) are full environments in their own right, and there's little browsers can do to enforce security.
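As an added example (not part of the original post), here is a small Python scanner that finds the references an https page makes over plain http in its markup and sorts them into the passive and active categories described above; the sample markup and the example.test hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Categories follow the post: passive = images, video and sound; active = anything that
# can run code or change the page (scripts, stylesheets, frames, plugin objects).
PASSIVE = {"img": ("src",), "video": ("src", "poster"), "audio": ("src",), "source": ("src",)}
ACTIVE = {"script": ("src",), "iframe": ("src",), "frame": ("src",),
          "object": ("data",), "embed": ("src",), "link": ("href",)}


class MixedContentScanner(HTMLParser):
    """Collect sub-resources that an https page references over plain http."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []            # (category, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)           # values may be None for bare attributes
        if tag == "link":
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" not in rel:   # icons, prefetch hints etc. are not applied to the page
                return
        for table, category in ((ACTIVE, "active"), (PASSIVE, "passive")):
            for attr in table.get(tag, ()):
                value = attrs.get(attr)
                if value:
                    self._record(category, tag, value)

    def _record(self, category, tag, value):
        # urljoin resolves relative and protocol-relative ("//host/x") references against
        # the page URL, so only references that end up with an http:// scheme are reported.
        url = urljoin(self.page_url, value.strip())
        if urlsplit(url).scheme.lower() == "http":
            self.findings.append((category, tag, url))


def scan_mixed_content(page_url, html):
    """Return [(category, tag, url), ...] for an https page's markup. XHR and WebSocket
    targets live in script code rather than markup, so they are out of scope here."""
    if urlsplit(page_url).scheme.lower() != "https":
        raise ValueError("mixed content only applies to pages served over https")
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def summarize(findings):
    """Count findings per category; any 'active' hit is the case the post warns about."""
    counts = {"active": 0, "passive": 0}
    for category, _, _ in findings:
        counts[category] += 1
    return counts


# Constructed page markup with one instance of each case.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<link rel="icon" href="http://cdn.example.test/favicon.ico">
<script src="//cdn.example.test/app.js"></script>
<script src="http://cdn.example.test/tracker.js"></script>
</head><body>
<img src="http://images.example.test/logo.png">
<img src="/static/safe.png">
<iframe src="https://widgets.example.test/embed"></iframe>
</body></html>"""

if __name__ == "__main__":
    found = scan_mixed_content("https://www.example.test/index.html", SAMPLE_HTML)
    for category, tag, url in found:
        print("%-7s <%s> %s" % (category, tag, url))
    print(summarize(found))
```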

Testing for mixed content handling in SSL Labs

To make it easier to evaluate browser handling of this problem, I recently extended the SSL Labs Client Test to probe mixed content handling. When you visit the page, your browser is tested, and you will get results similar to these:

 

[Screenshot: SSL Labs Client Test mixed content results]

Mixed content prevalence

Anecdotally, mixed content is very common. At Qualys, we investigated this problem in 2011, along with several other application-level issues that result in full breakage of encryption in web applications. We analysed the homepages of about 250,000 secure web sites from the Alexa top 1 million list, and determined that 22.41% of them used insecure content. If images are excluded, the number falls to 18.71%.

 

A more detailed study of 18,526 sites extracted from the Alexa top 100,000 took place in 2013: A Dangerous Mix: Large-scale analysis of mixed-content websites (Chen et al.). For each site, up to 200 secure pages were analysed, arriving at a total of 481,656 pages. Their results indicate that up to 43% of web sites have mixed content issues.

Mitigation

The best defence against mixed content issues is simply not having this type of problem in your code. But that's easier said than done; there are many ways in which mixed content can creep in. When that fails, there are two technologies that can be useful:

 

  • HTTP Strict Transport Security (HSTS) is a mechanism that enforces secure resource retrieval, even in the face of user mistakes (attempting to access your web site on port 80) and implementation errors (your developers place an insecure link into a secure page). HSTS is one of the best things that happened to TLS recently, but it works only on the hostnames you control.
  • Content Security Policy (CSP) can be used to block insecure resource retrieval from third-party web sites. It also has many other useful features to address other application security issues, for example XSS.

A new release of QualysGuard AM API is scheduled to be released in production on the QualysGuard EU Platform on April 1st, 2014 between 12 PM PDT (19:00 UTC) and 6:00 PM PDT (01:00 UTC next day).

 

The deployment is completely transparent to users and will require no downtime.

 

Release Details: QualysGuard AM API update includes the addition of the Asset Management and Tagging API v2. The addition of this API will allow customers to access new Tag API, Host Asset API, Asset API and Host Instance Vulnerability API functionality via one API. For more information on new features see QualysGuard API Notification 

 

To continue to receive notifications by email, please subscribe at https://community.qualys.com/community/notifications-eu


A new release of QualysGuard AM API is scheduled to be released in production on the QualysGuard US Platform 1 on April 3rd, 2014 between 12 PM PDT (19:00 UTC) and 6:00 PM PDT (01:00 UTC next day).

 

The deployment is completely transparent to users and will require no downtime.

 

Release Details: QualysGuard AM API update includes the addition of the Asset Management and Tagging API v2. The addition of this API will allow customers to access new Tag API, Host Asset API, Asset API and Host Instance Vulnerability API functionality via one API. For more information on new features see QualysGuard API Notification 

 

To continue to receive notifications by email, please subscribe at https://community.qualys.com/community/notifications-us1


A new release of QualysGuard API is scheduled to be released in production on the QualysGuard US Platform 2 on March 27th, 2014 between 12 PM PDT (19:00 UTC) and 6:00 PM PDT (01:00 UTC next day).

 

The deployment is completely transparent to users and will require no downtime.

 

Release Details: This QualysGuard API release includes the addition of the Asset Management and Tagging API v2. The addition of this API will allow customers to access new Tag API, Host Asset API, Asset API and Host Instance Vulnerability API functionality via one API. For more information on new features see QualysGuard API Notification.

 

To continue to receive notifications by email, please subscribe at https://community.qualys.com/community/notifications-us2


This API notification provides an early preview into the coming API changes in QualysGuard, allowing you to proactively identify any changes that might be required for your automated scripts or programs that utilize the API methods described below.  There is one primary API change in this release:

 

New API: Asset Management and Tagging API v2

 

This release will apply to the following platforms:

 

 

Full release notes will be available to customers on the day of the release.

 

API Enhancements

 

Tag API

The Tags API provides a suite of API functions for managing tags. The supported Tag operations are get, create, update, search, count, delete and evaluate.

Tag operations:

  • Get Tag
  • Create Tag
  • Update Tag
  • Search Tags
  • Count Tags
  • Delete Tag
  • Evaluate Tag

 

 

Example:

          Fetch tag ID 12345.

 

Request:

          curl -n -u "USERNAME:PASSWORD" "https://qualysapi.qualys.com/rest/2.0/get/am/tag/12345"

 

 

Response:

 

<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/2.0/am/tag.xsd">
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <Tag>
      <id>12345</id>
      <name>Test Tag</name>
      <created>2014-02-06T19:14:50Z</created>
      <modified>2014-02-06T19:14:50Z</modified>
      <color>#FFFFFF</color>
      <ruleText>asset.installedSoftwares.contains { it.name == Windows }</ruleText>
      <ruleType>GROOVY</ruleType>
      <children>
        <list/>
      </children>
    </Tag>
  </data>
</ServiceResponse>

 

Host Asset API

The Host Asset API provides a suite of API functions for managing host assets. In many cases these are hosts detected by our cloud scanners. Host assets can also be added manually by the QualysGuard API or user interface. The HostAsset members identify operating system, NetBIOS, tags, open ports, NICs, installed software, EC2 source information and current vulnerabilities (all instances).

Host Asset operations:

  • Get Host Asset
  • Create Host Asset
  • Update Host Asset
  • Search Host Assets
  • Count Host Assets
  • Delete Host Asset
  • Activate Host Asset

 

Example:

          Fetch the host asset ID 12345 and list host asset details.

 

Request:

          curl -n -u "USERNAME:PASSWORD" "https://qualysapi.qualys.com/rest/2.0/get/am/hostasset/12345"

 

Response:

 

<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/2.0/am/hostasset.xsd">
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <HostAsset>
      <id>2020094</id>
      <name>My Windows Asset</name>
      <created>2014-02-06T19:16:35Z</created>
      <modified>2014-02-06T19:16:35Z</modified>
      <type>HOST</type>
      <tags>
        <list>
            <TagSimple>
                <id>12345</id>
                <name>Tag 1</name>
            </TagSimple>
            <TagSimple>
                <id>54321</id>
                <name>Tag 2</name>
            </TagSimple>
        </list>
      </tags>
      <sourceInfo>
        <list/>
      </sourceInfo>
      <os>Windows 7</os>
      <dnsHostName>localhost</dnsHostName>
      <netbiosName>TEST</netbiosName>
      <netbiosNetworkId>10</netbiosNetworkId>
      <networkGuid>66bf43c8-7392-4257-b856-a320fde231eb</networkGuid>
      <address>127.0.0.1</address>
      <trackingMethod>IP</trackingMethod>
      <openPort>
        <list/>
      </openPort>
      <software>
        <list/>
      </software>
      <vuln>
        <list/>
      </vuln>
    </HostAsset>
  </data>
</ServiceResponse>

 

Asset API

The Asset API is a subset of the Host Asset API. The Asset members identify name, tags, and EC2 source information.

Asset operations:

  • Get Asset
  • Update Asset
  • Search Assets
  • Count Assets
  • Delete Asset
  • Activate Asset

 

Example:

          This example fetches the asset ID 12345 and lists asset details.

 

Request:

          curl -n -u "USERNAME:PASSWORD" "https://qualysapi.qualys.com/rest/2.0/get/am/asset/12345"

 

Response:

 

<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/2.0/am/asset.xsd">
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <Asset>
      <id>12345</id>
      <name>My Windows Asset</name>
      <created>2014-02-06T19:16:35Z</created>
      <modified>2014-02-06T19:16:35Z</modified>
      <type>HOST</type>
      <tags>
        <list>
            <TagSimple>
                <id>12345</id>
                <name>Tag 1</name>
            </TagSimple>
            <TagSimple>
                <id>54321</id>
                <name>Tag 2</name>
            </TagSimple>
        </list>
      </tags>
    </Asset>
  </data>
</ServiceResponse>

 

Host Instance Vulnerability API

The Host Instance Vulnerability API provides a suite of API functions for managing vulnerability instances found on host assets. The supported Host Instance Vulnerability operations are get, count and search.

Host Instance Vulnerability operations:

  • Get Host Instance Vulnerability
  • Search Host Instance Vulnerabilities
  • Count Host Instance Vulnerabilities

 

Example:

          Fetch the host instance vulnerability with the ID 12345.

 

Request:

          curl -n -u "USERNAME:PASSWORD" "https://qualysapi.qualys.com/rest/2.0/get/am/hostinstancevuln/12345"

 

Response:

 

<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.com/qps/xsd/2.0/am/hostinstancevuln.xsd">
  <responseCode>SUCCESS</responseCode>
  <count>1</count>
  <data>
    <HostInstanceVuln>
      <id>9534081</id>
      <hostAssetId>1543621</hostAssetId>
      <qid>38167</qid>
      <port>25</port>
      <ssl>true</ssl>
      <found>true</found>
      <ignored>false</ignored>
      <disabled>false</disabled>
      <updated>2012-10-19T21:56:23Z</updated>
      <protocol>TCP</protocol>
      <source>HOST</source>
    </HostInstanceVuln>
  </data>
</ServiceResponse>

QualysGuard WAS 3.3 provides enhanced management of web application information and data filtering options along with usability enhancements.

 

Feature highlights include: Bulk editing of web applications, filtering sensitive content detections, enhanced report storage management, and additional scan cancellation options.  Together, these new features save organizations time and enable organizations to run a more effective and efficient web application security program.

 

QualysGuard WAS 3.3 will be released in production in late March/early April 2014 depending on the platform. Details about the release schedule are at the end of this blog post.

 

 

Web Application Management Enhancements

 

Bulk Editing Web Applications:  QualysGuard WAS is the most scalable web application scanning solution available.  So we've enhanced the ability to manage large numbers of web applications by adding the capability to perform bulk edits to web application details, saving users from having to make these changes on an app-by-app basis.  The new capability takes advantage of QualysGuard's asset tagging to enable users to easily group together applications that have similar attributes and may need to be updated as a group.  Users can update web application details, scan settings and authentication information.

 


 

 


 

Reporting Enhancements

 

Filter sensitive content detections:  Now you can choose to ignore sensitive content in the detection browser and, by default, in all future reports, just as you can with vulnerabilities.  This gives users fine-grained control over which sensitive content findings are listed in reports for all users, leading to higher levels of confidence for reports reviewed by internal teams.  But don't worry, you can easily modify the report filters if you need to include them again in the future.

 

Ignore sensitive content findings in detection browser


 

Ignore sensitive content findings in report details


 

Manage Report Storage Limit:  QualysGuard WAS 3.3 provides users with better visibility and planning for report storage.  Users can now easily identify how much storage they are using, and subscription managers can set user limits.  Managers can see how much report space has been allocated and make more informed decisions on how to allocate the allotted space to users.

 


 

 


 

Scan Enhancements

 

Cancel any unfinished scan:   Now you can cancel a scan any time before it’s finished, even when its status is Submitted. In the previous release, the cancel action was available only for Running scans.  This gives users more flexibility in managing scans that are already running.

 

 

 

API Enhancements

 

 

Tip: What's my platform

 

Release Schedule

For details about the release dates for specific platforms and to subscribe to release notifications by email, please see the following:


A new release of QualysGuard WAS, Version 3.3 is scheduled to be released in production on the QualysGuard US Platform 1 on April 3rd, 2014 between 12 PM PDT (19:00 UTC) and 6:00 PM PDT (01:00 UTC next day).

 

The deployment is completely transparent to users and will require no downtime.

 

Release Details: QualysGuard WAS 3.3 includes enhancements to Web Application Management, Reporting and APIs that save organizations time and enable them to operate more effective and efficient web application security programs.  For more information on features see QualysGuard WAS 3.3 New Features.

 

To continue to receive notifications by email, please subscribe at https://community.qualys.com/community/notifications-us1


A new release of QualysGuard WAS, Version 3.3 is scheduled to be released in production on the QualysGuard EU Platform on April 1st, 2014 between 12 PM PDT (19:00 UTC) and 6:00 PM PDT (01:00 UTC next day).

 

The deployment is completely transparent to users and will require no downtime.

 

Release Details: QualysGuard WAS 3.3 includes enhancements to Web Application Management, Reporting and APIs that save organizations time and enable them to operate more effective and efficient web application security programs.  For more information on new features see QualysGuard WAS 3.3 New Features.

 

To continue to receive notifications by email, please subscribe at https://community.qualys.com/community/notifications-eu


A new release of QualysGuard WAS, Version 3.3 is scheduled to be released in production on the QualysGuard US Platform 2 on March 27th, 2014 between 12 PM PDT (19:00 UTC) and 6:00 PM PDT (01:00 UTC next day).

 

The deployment is completely transparent to users and will require no downtime.

 

Release Details: QualysGuard WAS 3.3 includes enhancements to Web Application Management, Reporting and APIs that save organizations time and enable them to operate more effective and efficient web application security programs.  For more information on new features see QualysGuard WAS 3.3 New Features.

 

To continue to receive notifications by email, please subscribe at https://community.qualys.com/community/notifications-us2


A new release of QualysGuard WAS, Version 3.3, is targeted for release in late March and early April 2014.

 

More information on specific release dates that correspond to the QualysGuard platforms can be found on the platform release blog pages which will be updated no less than 15 days prior to the release of WAS 3.3.

 

 

This API notification provides an early preview into the coming API changes in QualysGuard WAS 3.3, allowing you to proactively identify any changes that might be required for your automated scripts or programs that utilize the API methods described below.  There are 3 primary API changes in this release:

 

  • Web Application Report XML – Ignored Sensitive Content
  • Report Create API – Storage Limit Response
  • Scan Cancel API – Update

 

Full release notes will be available to customers on the day of the release. 

 

API Enhancements

 

Web Application Report XML – Ignored Sensitive Content

The “Ignored” tag appears for a sensitive content detection when the detection has been marked as ignored. 

 

...
<SENSITIVE_CONTENT_LIST>
  <SENSITIVE_CONTENT>
    ...
    <IGNORED>true</IGNORED>
    <IGNORE_INFORMATION>
        <REASON>RISK_ACCEPTED</REASON>
        <DATE>2014-02-21T20:42:48Z</DATE>
        <USER><![CDATA[John Smith (acme_js)]]></USER>
        <COMMENT><![CDATA[Not an issue]]></COMMENT>
    </IGNORE_INFORMATION>
...

 

 

Report Create API – Storage Limit Response

A new error message appears in the response XML if the report storage limit has been reached when you make an API request using the report creation API (https://<baseurl>/3.0/create/was/report).

...
<ServiceResponse>
  <responseCode>OTHER_ERROR</responseCode>
  <responseErrorDetails>
    <errorMessage>Your [subscription|user] storage limit of 200.0 Mb has been reached.</errorMessage>
    <errorResolution>Delete existing reports and try again.</errorResolution>
  </responseErrorDetails>
</ServiceResponse>
...
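As an added example (not Qualys code), here is a small Python script that handles both XML changes described above: it separates ignored sensitive-content detections from active ones while preserving the ignore audit trail, and it recognizes the storage-limit error returned by the report creation API so a script can react instead of silently failing. The sample documents are constructed to match the shapes shown; the <ID> element and the SUCCESS response code are assumptions not shown in this post.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not from the post); the <ID> element is an assumed field.
REPORT_XML = """<WAS_WEBAPP_REPORT><SENSITIVE_CONTENT_LIST>
  <SENSITIVE_CONTENT><ID>1001</ID><IGNORED>true</IGNORED>
    <IGNORE_INFORMATION><REASON>RISK_ACCEPTED</REASON>
      <DATE>2014-02-21T20:42:48Z</DATE>
      <USER><![CDATA[John Smith (acme_js)]]></USER>
      <COMMENT><![CDATA[Not an issue]]></COMMENT>
    </IGNORE_INFORMATION></SENSITIVE_CONTENT>
  <SENSITIVE_CONTENT><ID>1002</ID></SENSITIVE_CONTENT>
</SENSITIVE_CONTENT_LIST></WAS_WEBAPP_REPORT>"""

# Constructed sample: the storage-limit error from /3.0/create/was/report.
STORAGE_LIMIT_XML = """<ServiceResponse>
  <responseCode>OTHER_ERROR</responseCode>
  <responseErrorDetails>
    <errorMessage>Your subscription storage limit of 200.0 Mb has been reached.</errorMessage>
    <errorResolution>Delete existing reports and try again.</errorResolution>
  </responseErrorDetails>
</ServiceResponse>"""

def split_sensitive_content(report_xml):
    """Return (active, ignored) detections; ignored ones keep the audit fields."""
    active, ignored = [], []
    for sc in ET.fromstring(report_xml).iter("SENSITIVE_CONTENT"):
        entry = {"id": sc.findtext("ID")}
        if sc.findtext("IGNORED", "false").strip().lower() == "true":
            info = sc.find("IGNORE_INFORMATION")
            for f in ("REASON", "DATE", "USER", "COMMENT"):
                entry[f.lower()] = info.findtext(f) if info is not None else None
            ignored.append(entry)  # accepted risk: report it separately, never drop it silently
        else:
            active.append(entry)
    return active, ignored

def classify_create_response(response_xml):
    """Map a create-report ServiceResponse to ('ok'|'storage_limit'|'error', detail)."""
    root = ET.fromstring(response_xml)
    code = root.findtext("responseCode", "")
    if code == "SUCCESS":  # SUCCESS is assumed to be the normal code; it is not shown in the post
        return "ok", None
    msg = root.findtext("responseErrorDetails/errorMessage", "")
    limit = re.search(r"storage limit of ([\d.]+) Mb has been reached", msg)
    if code == "OTHER_ERROR" and limit:
        return "storage_limit", float(limit.group(1))  # caller: delete old reports, then retry
    return "error", msg
```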
Scan Cancel API – Update

Using the Scan Cancel API (https://<baseurl>/3.0/cancel/was/scan/<id>) now you can cancel any unfinished scan regardless of status.
What is the <baseurl>?
This is the API server URL where your QualysGuard account is located. For an account on US Platform 1 this is <qualysapi.qualys.com>, on US Platform 2 this is <qualysapi.qg2.apps.qualys.com>, and on EU Platform this is <qualysapi.qualys.eu>.
The CanSecWest security conference in Vancouver is currently under way. In addition to their normal presentation lineup, CanSecWest also hosts the PWN2OWN competition organized by ZDI, where researchers bring their exploits and try them against the latest software versions. The competition is both technically challenging and politically loaded: two years ago research company VUPEN made it into the headlines when they said they would not sell their Chrome exploit to Google for even 1 Million US Dollars.
This year the controversy was around Google and ZDI themselves entering the competition, which some of the other competitors thought unfair. All prize money from these exploits, in which Google exploited Safari and ZDI Internet Explorer, was donated to charity, the Red Cross Canada.
On Day 1 the other competitors were successful as well:
  • VUPEN exploited Adobe Reader XI, Adobe Flash, Mozilla Firefox and Internet Explorer 11 on Win 8.1.
  • Mariusz Mlynski exploited Mozilla Firefox
  • Jüri Aedla exploited Mozilla Firefox
On Day 2 further successes:
  • Keen Team exploited Safari and Adobe Flash
  • VUPEN exploited Google Chrome
  • George Hotz exploited Firefox
  • Sebastian Apelt and Andreas Schmidt exploited Internet Explorer
  • An anonymous researcher exploited partially Google Chrome
Out of the US$ 850,000 VUPEN claimed almost half: US$ 400,000 went to the exploit specialist from France.
Some surprises: overall only one exploit attempt failed (against IE), even though VUPEN withdrew from two targets, Safari and Java (another potential US$ 95,000). Java ended up making it through the contest without any exploit attempts, and so did the combination of Windows 8.1 plus EMET via IE11, codename Exploit Unicorn, which had prize money of US$ 150,000 assigned to it. One more reason to look at EMET for your workstations.
Today Microsoft released the bulletins for March Patch Tuesday. We have five bulletins, MS14-012 to MS14-016, a light Patch Tuesday by any comparison, even with Adobe chiming in with an update that is non-critical. If it wasn't for the Internet Explorer (IE) patch that addresses the 0-day that was found during last month's Patch Tuesday, one could call it almost uneventful.
Here is our lineup for today:
  • MS14-012, a critical bulletin which addresses 18 vulnerabilities in all versions of IE, from IE6 on Windows XP, to IE11 on Windows 8.1. It also includes the fix for a 0-day vulnerability that was identified by FireEye on February 11, first on the website of the organization of the US Veterans of Foreign Wars. The attack used a previously unknown flaw in IE 10 (CVE-2014-0322), plus a known vulnerability in Adobe Flash to bypass ASLR protections and gave the attackers control over the computers visiting the site with that particular configuration. Microsoft has acknowledged the problem and provided a FixIT in KB2934088, but this is the permanent patch for the problem. Apply it as soon as possible.
  • MS14-013, the second critical bulletin, addresses one critical vulnerability. The attack also uses the webpage vector, but rather than going against IE directly, involves the DirectShow Windows component. Microsoft states that exploitation is hard and gives it an exploitation index of 3, but you should give it priority in your patch cycle.
  • The remaining bulletins, MS14-014, MS14-015 and MS14-016, are all rated important and do not provide Remote Code Execution (RCE) capabilities. MS14-014 is an ASLR bypass vulnerability that needs to be paired with a code execution vulnerability in order to become useful (see also the recent 0-day that used Adobe Flash exactly for that purpose). MS14-015 is a Windows Kernel driver fix addressing two CVEs, and MS14-016 is a change in the Windows API that allowed an attacker to bypass password shutout rules, which could be used in brute force attack attempts. Take a look at Microsoft SRD blog to see where ASLR fixes fit in overall.
  • Adobe's update to Flash (APSB14-08) addresses two vulnerabilities in Adobe Flash V12 and V11 on Windows, Mac OS X and Linux. Both are rated as important, meaning they cannot be used to gain remote code execution on the targeted platforms. Organizations that run Chrome or a modern version of IE will get their Flash update delivered through their browsers, others will need to update their software directly via Adobe.
The other major Microsoft issue is the coming end-of-life of Windows XP. We are now less than 28 days away from the final set of patches that XP will receive. Nevertheless, we are not seeing a reduction in vulnerabilities. All of today's bulletins apply to Windows XP and there is really no reason to expect any change in the near future: the majority of vulnerabilities found in the Windows OS and IE will also apply to Windows XP, but IT admins won't have access to patches for these problems anymore. This will make any Windows XP machine an easy target for attackers, and within a few weeks, new tools will be developed that make these exploits widely available. Your best choice is to migrate away from Windows XP to a newer version of the operating system.
So far, you have done an incomplete job. In our latest survey of roughly 35 Million monthly scans, we are still seeing 14% of Windows XP machines, down from 16% in January and 17% in December of 2013. If that trend continues, we are projecting 10% by the end-of-life date, at least in the enterprise space that is covered by QualysGuard.

[Figure: win_xp_2014.png, share of Windows XP machines seen in QualysGuard scans over time]

Two weeks ago at the RSA US 2014 conference in San Francisco Microsoft released a preview version of their EMET 5 (Enhanced Mitigation Experience Toolkit) security toolkit. EMET implements additional restrictions on Windows, monitoring programs for violations of policy and, optionally, shutting down the offending programs. It has been effective against all 0-day attacks of 2013 and 2014, starting with MS13-008, MS13-021, and MS13-038. In the known exploit against this month's MS14-012, the attacker acknowledges that power and tests for the presence of EMET beforehand, proactively forfeiting when the EMET DLL is detected. I recommend that IT admins take a look at this toolkit and test its compatibility with their installations. The new EMET version 5 introduces a plugin whitelisting capability that could be a great asset in controlling browser plugins, for example only allowing Java to run on a controlled subset of machines where the plugin is actually required.
That is it for this month's bulletins, but stay tuned for more coverage about XP in the SMB and home market, plus a breakdown of the numbers that takes geography into account.
Microsoft just published the preview for March's Patch Tuesday with five bulletins (two critical and three important) and there are two big priorities:
  1. Patch the Internet Explorer vulnerability addressed in Bulletin #1, as it covers the current 0-day that was discovered about three weeks ago. Microsoft has so far addressed it with a Fix-It in KB2934088, but this will be the permanent patch reaching a much larger audience.
  2. Windows XP is affected by all five updates, and there is really no reason to expect this picture to change; Windows XP will continue to be impacted by the majority of vulnerabilities found in the Windows ecosystem, but you will not be able to address the issues anymore. Windows XP is getting its penultimate update and is now very close (just over 30 days) to its declared end of life date:

[Figure: xp_end_of_support.png, Windows XP end of support date]

So you need a strategy for the XP machines remaining in your infrastructure. We are still seeing a significant number of XP machines in our scans, ranging from around 25% in our consumer oriented service BrowserCheck to under 20% in our enterprise oriented data from QualysGuard.
Back to the March bulletins: priority one should be the two critical bulletins, Bulletin #1 for all versions of Internet Explorer, starting with v6 all the way to v11, and Bulletin #2 for Windows, affecting all Windows OS versions from XP to 2012, with the exception being Windows RT. Bulletins #3 and #4 address important vulnerabilities in Windows, and Bulletin #5 will be for users of Silverlight on Mac and Windows.
Stay tuned for our coverage next week, when we get more details on the patches.