Behind the Scenes of DAST — How do Security Scanners Work?

Behind the scenes

Step 0 — Setup

Step 1 — Reconnaissance

  • Web spider. Works best with multi-page applications, Spiders scan HTML files for links, accessing each one in a recursive way.
  • Client-side files analysis. Analyzes the client files (JavaScript, webapps, iOS ipa apps, Android APK apps) to find entry points.
  • Name guessing. Uses dictionaries to look for existing entry points (dirbuster) or just pure brute force [aaaaaaaa-zzzzzzzz style]
  • Spec import. Imports documentation, sitemap, or API specs/contracts (OpenAPI, WADL, etc) to find entry points.

Step 2 — Building the Attack Surface Map:

Inputs Map

App Metadata

Passive Vulnerability Detection

Step 3 — Operation Planning

Payloads Bank

Payload

  • Syntax Breaker. A special character to break the syntax of a query/command/code.
  • Brain. What actions will the payload take? Some actions are subtle like “console.log()” in the case of XSS, while others are extreme like “format c: /fs:ntfs” in the case of shell injection.
  • Suffix. Sometimes we want to protect our payload from additional commands that might be concatenated to it and make sure it runs without disruption.
  • Time-Based. In the case of injections, the brain will call a function that causes a delay of 10 seconds. If the HTTP response is delayed by 10–20 seconds, it’s safe to assume the payload triggered a real vulnerability. If the response was instant, the payload probably didn’t trigger a real vulnerability.
  • Error Based. We can send a payload that will violate the syntax of the framework and cause an error. If the response contains a string that describes a known framework error, it’s safe to assume there’s a vulnerability.
  • Oracle: dbms_lock.sleep(3)
  • MSSQL: WAITFOR DELAY ‘00:00:10’
  • Postgres: pg_sleep(10)

OPLAN

  • If an endpoint is a REST API that returns JSONs, it doesn’t make sense to include reflected XSS payloads.
  • If an app is written in .NET, it doesn’t make sense to include Ruby-specific vulnerabilities.

Step #4 — Attack Execution

  • IP address got blocked
  • Website returns only errors (We might have crashed the server or perhaps got blocked by a WAF?)
  • Website responds too slowly (We might want to send fewer calls per minute to avoid causing Denial of Service

Step #5: Analyze results and generate a report

The Advantages of DAST

  • High risk-accuracy. Because the tool actually exploits the vulnerability it discovers, it’s more likely to display real vulnerabilities that can be exploited. This is as opposed to vulnerabilities that exist in the code but can’t be exploited from the outside.
  • Minimal user interaction. Once the operator sets up a scan, they can just chill and wait for the results.
  • Minimal access. Even if you don’t have access to the code and the development team isn’t excited about helping you, you can still run a successful scan.

The Challenges of DAST

  • Lack of business logic context. DAST tools usually have a superficial understanding of the app, which makes it impossible to detect business logic vulnerabilities, such as authorization and rate-limiting issues.
  • Handle protection mechanisms. Since DAST tools generate HTTP calls from scratch, many of them fail to handle protection mechanisms that require custom code on the client-side, such as CSRF protection, request signature, and proprietary authentication.
  • Old technology. DAST tools were built for traditional web applications, where you could just use a web-spider to discover the app. Unfortunately, in the world of single-page applications and mobile applications, you need a more sophisticated approach.
  • Very noisy. By nature, DAST tools trigger many malicious HTTP requests. It’s very risky to run them on production, and they might also crash your pre-production environments.

--

--

--

I love to learn, build and break things. Head of Security Research @ Traceable.ai; Security Consultant @ Tangent Logic

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Srizbi: Nuked from Orbit

What is BOLA? 3-digit bounty from Topcoder ($$$)

Introduction to Express, IP Addresses and Port Numbers

What Was 2020’s Most Expensive Cybercrime? — CyberHoot

Security in Js coding

TryHackMe: LFI Basics Walkthrough

{UPDATE} 抖音成人视频秘乐91短视频美女直播探探陌陌比心默往附近约炮 Hack Free Resources Generator

dHEDGE Bug Bounty Program

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Inon Shkedy

Inon Shkedy

I love to learn, build and break things. Head of Security Research @ Traceable.ai; Security Consultant @ Tangent Logic

More from Medium

Paper (HTB)- Walkthrough/Writeup

IoT Device provisioning and considerations

Detecting and Preventing DLL Hijacking

(Letsdefend.io) Case: SOC169 — Possible IDOR Attack Detected