Vulnerability Management

Purpose

A source code analysis tool or an online web application scanner can check your web application for possible vulnerabilities such as Cross-Site Scripting (XSS) and SQL Injection. However, it then takes some time to implement a fix and to test the fixed web application before you put it back online.

Vulnerability Management helps you to bridge this gap. It automatically reads the report of the analysis tool and creates a set of blacklist rules based on the vulnerable entry points and variables listed in the report. This provides instant protection for a vulnerable web application.

ATTENTION
Vulnerability Management wasn’t designed to guarantee long-term protection of vulnerable applications. If the analysis revealed attack vectors, fix these problems as soon as possible. Use Vulnerability Management only for interim protection.

Currently, the following application scanners are supported:

Opening

To access Vulnerability Management:

  1. In the navigation area, select the application for which you want to create or manage rules based on an external report.
  2. Activate the External Services | Vulnerability Management | Vulnerability Overview tab.
    When you access Vulnerability Management for the first time, the Vulnerability Overview is still empty because you’ve not yet imported any reports.

Importing reports

You can import reports from either online web application scanners or offline web application scanners:

  • If your web application scanner provides you with a report file, you need to upload this file to vWAF.
  • If your web application scanner provides you with a username and password to download report files, you can either download these files manually and then upload them to vWAF, or you can download them directly to vWAF.

Downloads and uploads must always be triggered manually. They aren’t repeated automatically at regular intervals.

Both uploads and downloads are carried out on the Import tab.

Uploading a report

To upload a report file to vWAF:

  1. Click Browse and select the report file.
  2. The vulnerability report contains the full paths to individual files. In order to create generic rules for your web application, vWAF must remove those parts of the paths that won’t be part of a request. Therefore, you must specify your Document root path. Example: On a web server, a web application is stored under the path /company/application1/. The URL to access this web application is “www.myapplication1.com”. So you must specify /company/application1/ as your document root. If, for example, your vulnerability report lists a file /company/application1/forms/form1.html, this is then stripped to /forms/form1.html.
  3. By default, the option Use baselines for vulnerabilities without mitigations is enabled.

    This means that if a report doesn’t contain any specific mitigation rule to resolve the problem, vWAF uses the same rules that Baseline Protection uses for resolving threats of the same category. As a rule, we recommend that you do not disable this option.

    When the option Use baselines for vulnerabilities without mitigations is enabled, vWAF needs to have access to a current baseline rules file (see Baseline Protection and Configuring and Updating Baseline Protection).

  4. Click import now.
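The document root stripping described in step 2, as an added example that is not vWAF's own code: it maps the file paths from a report to request paths and flags paths that don't lie under the configured document root (the case that shows a red traffic light in the Location column). The sample paths and the document root are constructed, and the example assumes POSIX-style paths in the report.

```python
import posixpath
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Constructed sample: the document root entered on the Import tab and the
# file paths as a scanner report would list them.
DOCUMENT_ROOT = "/company/application1/"
REPORT_PATHS = [
    "/company/application1/forms/form1.html",
    "/company/application1/search.php",
    "/company/application1/",              # the document root itself
    "/company/application10/index.php",    # sibling directory, shared prefix
    "/var/www/other-app/index.php",        # outside the document root
]

@dataclass
class Location:
    request_path: Optional[str]  # path as it appears in an HTTP request
    identified: bool             # True = green light, False = red light

def strip_document_root(report_path: str, document_root: str) -> Location:
    """Remove the document root prefix so that the remaining path is the
    part that actually occurs in a request to the web application."""
    root = posixpath.normpath(document_root)   # drops the trailing slash
    path = posixpath.normpath(report_path)
    if root == "/":
        return Location(path, True)
    if path == root:
        return Location("/", True)
    # Require the separator after the root so that /company/application10
    # is not mistaken for a file under /company/application1.
    if not path.startswith(root + "/"):
        # Not under the document root: the location must be edited by hand.
        return Location(None, False)
    return Location(path[len(root):], True)

def map_report(paths: Iterable[str], document_root: str) -> Dict[str, Location]:
    """Build the Location entry for every path in the report."""
    return {p: strip_document_root(p, document_root) for p in paths}

if __name__ == "__main__":
    for report_path, loc in map_report(REPORT_PATHS, DOCUMENT_ROOT).items():
        light = "green" if loc.identified else "red"
        print(f"{light:5} {report_path} -> {loc.request_path}")
```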

Downloading a report

To download a report from your web application scanning service provider directly to vWAF:

  1. Enter the user credentials that you’ve been given by your service provider into the fields Username and Password.
  2. If you use the same service for several web applications, also enter the SiteID that you’ve been given for the web application that you’re currently editing.
  3. By default, the option Use baselines for vulnerabilities without mitigations is enabled. This means that if a report doesn’t contain any specific mitigation rule to resolve the problem, vWAF uses the same rules that Baseline Protection uses for resolving threats of the same category. As a rule, we recommend that you do not disable this option.
    NOTE
    When the option Use baselines for vulnerabilities without mitigations is enabled, vWAF needs to have access to a current baseline rules file (see Baseline Protection and Configuring and Updating Baseline Protection).
  4. Click Import now.

When you now return to the Vulnerability Overview tab, you see a listing of all vulnerabilities that were identified by the imported reports.

Important: You must click the Commit button on the bottom of the Vulnerability Overview page in order for the listed mitigation rules to become effective.

Vulnerability Overview

After you’ve imported a report, the Vulnerability Overview tab lists all vulnerabilities that have been identified by the report.

A green traffic light symbol in the Location column indicates that the location of the vulnerability could be clearly identified. If the traffic light symbol in the Location column is red, you need to edit the location manually. To do so, click the corresponding Edit icon in the Action column.

The traffic light symbols in the Mitigation column indicate whether or not your web application is currently protected against attacks that exploit the vulnerability:

  • red: Mitigation is disabled.
  • yellow (flashing): Mitigation is enabled, but there are no mitigation rules. Edit the vulnerability or disable mitigation by clicking the red traffic light symbol.
  • green: Mitigation is enabled and running.

You can click the traffic light symbols to toggle the status.

If you don’t want to take care of a detected vulnerability — for example, because you’re absolutely sure that it is a false positive — you can click the Delete icon in the Action column to remove the vulnerability from the list.

ATTENTION
If you remove a vulnerability from the list, this also turns off and deletes all mitigation rules that are active to protect your web application from attacks that exploit this vulnerability.

ATTENTION
You must click the Commit button on the bottom of the Vulnerability Overview page in order for the listed mitigation rules to become effective.

Editing a vulnerability

If necessary, you can specify the location of a detected vulnerability more closely, and you can edit which mitigation rules vWAF uses to protect your web application from attacks that exploit the vulnerability.

  1. If you haven’t done so already: In the navigation area, select the application for which you want to manage the external services rules.
  2. Activate the External Services | Vulnerability Management | Vulnerability Overview tab.
  3. In the Action column, click the Edit icon for the vulnerability that you want to edit. The “edit” view opens.
  4. The entries Category and Description are supplied automatically by the imported report. They inform you about the kind of attack that’s possible via the identified vulnerability. Optionally, you can enter an additional comment into the Remark field.
  5. Location identifies where the vulnerability has been found. Usually, the fields are already filled in on the basis of the data supplied by the imported report.
  6. Mitigation Rules lists the rules that have been chosen to prevent attacks that exploit the identified vulnerability. A green traffic light symbol in the Action column indicates that the rule is active. A red traffic light symbol indicates that the rule has been suspended. You can click a traffic light symbol to toggle the status. To add an additional rule manually, select an entry from the drop-down list, and then click Add. You can’t suspend manually added rules, so no traffic light symbols appear in the Action column for these rules. Instead, a Delete icon appears, which you can use to remove the rule permanently.
  7. Select the Mitigation Action that you want to apply. You can deny the request with an error code, you can remove the identified pattern from the request and then forward it to the web application, or you can replace the identified pattern with a given string.
  8. Click Set to confirm your settings and to return to the Vulnerability Overview page.

You must click the Commit button on the bottom of the Vulnerability Overview page in order for the listed mitigation rules to become effective.
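The three Mitigation Actions from step 7 (deny with an error code, remove the identified pattern and forward, replace the pattern with a given string), as an added illustration that is not vWAF's rule engine. The rule, its pattern and the sample request parameters are constructed; the pattern is a deliberately simple placeholder standing in for whatever pattern a real mitigation rule carries.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed placeholder pattern: matches opening and closing script tags.
SCRIPT_TAG = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)

@dataclass
class MitigationRule:
    parameter: str          # the vulnerable variable named in the report
    pattern: "re.Pattern"   # the identified pattern
    action: str             # "deny", "remove" or "replace"
    error_code: int = 403   # returned by the "deny" action
    replacement: str = ""   # inserted by the "replace" action

def apply_mitigation(rule: MitigationRule,
                     params: Dict[str, str]) -> Tuple[Optional[int], Optional[Dict[str, str]]]:
    """Apply one mitigation rule to the request parameters.

    Returns (error_code, None) when the request is denied, otherwise
    (None, forwarded_params) with the parameters to pass on to the application.
    """
    value = params.get(rule.parameter)
    if value is None or not rule.pattern.search(value):
        return None, params                       # no hit: forward unchanged
    if rule.action == "deny":
        return rule.error_code, None
    if rule.action == "remove":
        cleaned = rule.pattern.sub("", value)
    elif rule.action == "replace":
        cleaned = rule.pattern.sub(rule.replacement, value)
    else:
        raise ValueError(f"unknown mitigation action {rule.action!r}")
    forwarded = dict(params)                      # don't mutate the caller's dict
    forwarded[rule.parameter] = cleaned
    return None, forwarded

# Constructed sample request hitting the vulnerable parameter "q".
SAMPLE_PARAMS = {"q": "hello <script>x</script>", "page": "1"}

if __name__ == "__main__":
    for action in ("deny", "remove", "replace"):
        rule = MitigationRule("q", SCRIPT_TAG, action, replacement="[removed]")
        print(action, apply_mitigation(rule, SAMPLE_PARAMS))
```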