During the discovery phase, the scanner consults multiple open-source intelligence databases to learn as much about the target system as possible. For example, host names registered to the target IP address, web components indexed by search engines, and historical network data. Data that is in scope for the scan is then seeded into the scan configuration.

The core of our Open Source Intelligence (OSINT) service starts with an asset enumeration solution. It involves the utilization of various advanced techniques, including subdomain and top-level domain bruteforcing, DNS zone transfers, reverse DNS sweeping based on specified IP address ranges, search engine scraping, and the consolidation of assets from a wide array of public and private online sources, including VirusTotal, Shodan, HackerTarget and Commoncrawl.

The primary goal of this service is to thoroughly identify and enumerate all related assets associated with a top-level domain or IP address. These assets may include subdomains, IP addresses, and even additional associated top-level domains. Using these enumeration methods we create a detailed map of our client’s external attack surface and provide an idea of the list of possible assets an external malicious threat actor is likely to attempt to target.

This intelligence provides clients with an understanding of their online digital footprint, enabling them to assess potential security risks, conduct further vulnerability scanning, and take proactive steps to enhance their organization’s cybersecurity. In essence, it empowers them with an in-depth view of your online assets.

AppCheck uses multiple dedicated infrastructure scanners to identify vulnerabilities on each accessible network device. The scan begins by port scanning each IP address within the scope to identify accessible services. Each identified service is then probed for vulnerabilities using tens of thousands of checks.

AppCheck combines infrastructure scanning with web application build review check to analyse the flow of data from the scanning node to the target system. Identified systems are checked for known vulnerabilities using a regularly updated vulnerability database that combines well know sources such as the National Vulnerability Database (NVD) with our own internally maintained vulnerability feed.

The AppCheck Web Application scanning engine includes dedicated scanners for a wide range of popular CMS systems and Application Servers and Frameworks. Each scanner is integrated with the Dynamic Security Testing engine so that it can be deployed in the correct way as applicable systems are identified during web crawling and discovery.

Checks for known vulnerabilities, such as those with a CVE identifier, are deployed in the same way and are regularly updated based via AppCheck’s own vulnerability database and several community driven vulnerability feeds (updated daily).
By integrating platform checks within the web application scanning engine, components enumerated during this phase can be passed forward into other scanning layers for further scanning. For example, CMS plugins enumerated during forced browsing checks can then be passed to the DAST scanning engine to discover previously undisclosed vulnerabilities (0day).

For each URL configured with the scan, AppCheck performs online reconnaissance to gather information pertaining to the site that is publicly available in search engines and other online indexing services. Next AppCheck will map out the application using a sophisticated crawling engine. The crawler combines traditional web scraping with a browser-based crawler which implements artificial intelligence to mimic typical application user behaviour.

The “Mapped Attack Surface” enumerated during the initial phases of the scan is then subject to methodical security testing. Typically, the assessment process works by taking each user supplied data component, such as a form field of query string parameter, then modifies it to include a specific test case before submitting it to the server.

AppCheck audits all third-party trust relationships for subdomain takeover and related flaws.
AppCheck Identifies known vulnerabilities within deployed JavaScript libraries.
AppCheck assesses Amazon Simple Storage Service (S3) buckets for misconfigurations. This includes insecure permissions and bucket takeover vulnerabilities.
Some vulnerabilities such as Server-Side Request Forgery (SSRF) can have a greater impact when hosted within a cloud environment.
AppCheck includes several cloud specific checks to detect and safely exploit vulnerabilities in cloud systems.
AppCheck identifies JavaScript malware, Card Skimmers and Crypto Mining software. It will also provide a domain report of third-party software including domain age, geolocation and susceptibility to domain takeover.