
Detecting Delayed Execution Vulnerabilities
Posted October 08, 2015
AppCheck Sentinel External Monitoring System
AppCheck Sentinel is an external monitoring system designed to detect Out-of-Band events such as DNS Lookups and HTTP requests. Its function in Web Application scanning is to aid the detection of vulnerabilities that cannot be identified through the use of conventional scanning techniques.
Traditional Scanning Techniques
Traditionally, vulnerabilities such as SQL Injection and Cross-Site Scripting (XSS) are identified by submitting crafted input to the application and then examining the resulting application behaviour to determine whether the vulnerability exists. For example, SQL Injection is commonly identified through a specific string returned in the page, through variances in page content, or through specific page response times triggered by injecting time-delay payloads.
Screenshot Example: Triggering a string match response
Screenshot Example: Detecting Content Variance
When the traditional approach fails
There are two common conditions that cause many vulnerability scanning tools to miss a vulnerability:
- Successful detection/exploitation of the flaw requires further user or system interaction, such as being processed through a CRM system.
- Some vulnerability classes provide no direct indication that the attack was successful: the payload triggers but has no visible effect on the front-end application.
To address this problem, the AppCheck Sentinel system was created. By using Out-of-Band channels such as DNS, HTTP and SMTP, it is possible to detect even the most subtle vulnerabilities that would otherwise be missed through conventional scanning.
Detecting delayed payload execution
By monitoring external Out-of-Band events, Sentinel is able to detect payload execution even when the payload is triggered outside of the scan duration (up to 1 year following the scan). The accompanying video demonstrates the detection of a Blind XSS vulnerability whereby the payload is submitted to an internet-facing web server but triggers on a back-office system:
Detecting Blind Payload Execution via DNS
AppCheck submits payloads for several vulnerability classes that are designed to trigger a specific DNS lookup. The Sentinel system then monitors inbound DNS requests to determine whether the payload executed successfully. Because a DNS lookup will propagate out of a network in almost all cases (the internal resolver forwards it even where direct outbound connections from the vulnerable host are blocked), this technique is extremely reliable and efficient when compared to the more traditional in-band approach. The animation below illustrates the detection of an XML processing vulnerability:
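The mechanism described above, as an added example that is not AppCheck's or Sentinel's own code: a minimal DNS canary correlator. Each submitted payload is given a unique token embedded in a hostname under a monitored zone; a resolver query log for that zone is parsed later (possibly long after the scan) and every matching query is mapped back to the scan, vulnerability class and injection point that issued the token. The zone name `oob.example`, the BIND-style query-log format, the 16-hex-character token label, the one-hour scan duration and all log lines are constructed assumptions for the example; the 1-year retention window is taken from the text. The example does not contain any injection payloads, only the token-issuing and correlation logic a collector needs.

```python
"""Added example (not Sentinel's code): DNS canary issuance and correlation.

Models the out-of-band detection idea from the article: a unique token per
payload becomes a DNS name under a zone the collector is authoritative for,
and inbound queries for that zone are matched back to the issuing scan.
"""
import re
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

CANARY_ZONE = "oob.example"        # assumed: zone the collector receives queries for
MAX_AGE = timedelta(days=365)      # from the article: detection up to 1 year after the scan

# Constructed BIND-style query-log line format (an assumption), e.g.
# 08-Oct-2015 09:03:11.412 client 203.0.113.7#53211: query: <name> IN A +
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)
TOKEN_LABEL = re.compile(r"^[0-9a-f]{16}$")   # assumed token shape: 16 hex chars


@dataclass
class Canary:
    token: str
    scan_id: str
    vuln_class: str
    location: str          # injection point, e.g. "POST /contact message"
    issued_at: datetime


class CanaryRegistry:
    """Issues one unique hostname per payload and remembers who it belongs to."""

    def __init__(self):
        self._by_token = {}

    def issue(self, scan_id, vuln_class, location, issued_at, token=None):
        # A random 64-bit token: unguessable, and DNS-safe (hex, no case issues).
        token = token or secrets.token_hex(8)
        self._by_token[token] = Canary(token, scan_id, vuln_class, location, issued_at)
        return f"{token}.{CANARY_ZONE}"

    def lookup(self, token):
        return self._by_token.get(token)


def token_from_qname(qname):
    """Extract the token label from a queried name under the canary zone.

    The name is lower-cased first because resolvers may randomise label case
    (0x20 encoding), and it may carry extra leading labels added by whatever
    component resolved it, so every label above the zone is checked."""
    labels = qname.lower().rstrip(".").split(".")
    zone_labels = CANARY_ZONE.split(".")
    if labels[-len(zone_labels):] != zone_labels:
        return None
    for label in labels[:-len(zone_labels)]:
        if TOKEN_LABEL.match(label):
            return label
    return None


def correlate(registry, log_lines, scan_duration=timedelta(hours=1)):
    """Map each canary query in the log back to the payload that issued it."""
    detections = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                               # not a query line
        token = token_from_qname(m.group("qname"))
        if token is None:
            continue                               # other traffic for the zone
        canary = registry.lookup(token)
        if canary is None:
            continue                               # unknown token: noise or probing
        seen_at = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
        delay = seen_at - canary.issued_at
        if delay < timedelta(0) or delay > MAX_AGE:
            continue                               # outside the retention window
        detections.append({
            "scan_id": canary.scan_id,
            "vuln_class": canary.vuln_class,
            "location": canary.location,
            "resolver_ip": m.group("ip"),
            "seen_at": seen_at,
            "delay": delay,
            "delayed": delay > scan_duration,      # fired after the scan finished
        })
    return detections


def demo():
    """Constructed scenario: two canaries issued on 8 Oct 2015, one fires during
    the scan, the other three days later from a back-office resolver."""
    issued = datetime(2015, 10, 8, 9, 0, 0)
    reg = CanaryRegistry()
    reg.issue("scan42", "Blind XSS", "POST /contact message", issued, token="9f1c2e4d8a7b6c5e")
    reg.issue("scan42", "XXE", "POST /api/import body", issued, token="0123456789abcdef")
    log = [  # constructed log lines
        "08-Oct-2015 09:03:11.412 client 203.0.113.7#53211: query: 0123456789abcdef.oob.example IN A +",
        "11-Oct-2015 14:22:05.009 client 198.51.100.9#41022: query: 9F1C2E4D8A7B6C5E.oob.example IN A +",
        "11-Oct-2015 14:22:05.010 client 198.51.100.9#41022: query: www.oob.example IN A +",
        "11-Oct-2015 14:22:06.000 client 198.51.100.9#41022: query: ffffffffffffffff.oob.example IN A +",
        "09-Nov-2016 08:00:00.000 client 203.0.113.7#1: query: 0123456789abcdef.oob.example IN A +",
        "this line is not a query record",
    ]
    return correlate(reg, log)


if __name__ == "__main__":
    for d in demo():
        print(f"{d['vuln_class']:<10} {d['location']:<24} from {d['resolver_ip']} "
              f"after {d['delay']} delayed={d['delayed']}")
```

Running the block reports the XXE canary resolved three minutes into the scan and the Blind XSS canary resolved three days later, tagged as delayed; the uppercase query, the unknown token and the query more than a year old are handled without producing false detections. In a real collector the registry would be persistent storage and the log source would be the authoritative server's query log or packet capture, but the correlation step stays the same.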
AppCheck Sentinel Coverage
At the time of writing, the following vulnerability types are detected through Out-of-Band techniques (as well as conventional scanning):
- SQL Injection
- Command / Code Injection
- XXE and XML Injection
- SMTP Buffer Truncation and Header Injection
- Blind Cross-Site Scripting
- Generic External Service Interaction