Detecting Delayed Execution Vulnerabilities

AppCheck Sentinel External Monitoring System

 

Blind XSS Video Demo

AppCheck Sentinel is an external monitoring system designed to detect Out-of-Band events such as DNS Lookups and HTTP requests. Its’ function in Web Application scanning is to aid the detection of vulnerabilities that cannot be identified through the use of conventional scanning techniques.

 

Traditional Scanning Techniques

 

Traditionally, vulnerabilities such as SQL Injection and Cross-Site Scripting (XSS) are identified by submitting crafted input to the application then examining the resulting application behaviour to determine if the vulnerability exists. For example, SQL Injection is commonly identified through a specific string returned in the page, variances in page content or specific page response times triggered by injecting time delay payloads.

 

Screenshot Example: Triggering a string match response

Error_SQL

Screenshot Example: Detecting Content Variance

Content_Variance_SQL

When the traditional approach fails

 

There are two common conditions that cause many vulnerability scanning tools to miss a vulnerability:

  • Successful detection/exploitation of the flaw requires further user or system interaction, such as being processed through a CRM system.
  • Some vulnerability classes provide no direct indication that the attack was successful. The payload triggers but does not affect the front end application.

To address this problem the AppCheck Sentinel system was created. By using Out-of-Band channels such as DNS, HTTP and SMTP, it is possible to detect even the most subtle vulnerabilities that would otherwise be missed through conventional scanning.

 

Detecting delayed payload execution

 

By monitoring external Out-of-Band events Sentinel is able to detect payload execution even when the payload is triggered outside of the scan duration (up to 1 year following the scan). In this video we demonstrate the detection of a Blind-XSS vulnerability whereby the payload is submitted to an internet facing web server but triggers on a back office system:

Detecting Blind Payload Execution via DNS

 

AppCheck submits payloads for several vulnerability classes that are designed to trigger a specific DNS lookup. The Sentinel system then monitors inbound DNS requests to determine that the payload executed successfully. Since DNS will propagate out of a network in almost all cases, this technique is extremely reliable & efficient when compared to the more traditional in-band approach. The animation below illustrates the detection of an XML processing vulnerability:

SentinelXXE

AppCheck Sentinel Coverage

 

At the time of writing, the following vulnerability types are detected through Out-of-Band techniques (as well as conventional scanning):

  • SQL Injection
  • Command / Code Injection
  • XXE and XML Injection
  • SMTP Buffer Truncation and Header Injection
  • Blind Cross-Site-Scripting
  • Generic External Service Interaction

 

Get started with Appcheck

No software to download or install.
Contact us or call us 0113 887 8380

Start your free trial