OUR APPROACH TO VULNERABILITY SCANNING
AppCheck was designed from the ground up to emulate the process of a professional penetration tester to ensure maximum coverage and accuracy
AppCheck takes a first principles approach to application vulnerability detection, and therefore is not bound to any platform or signature database.
Rather than relying on a database of static signatures, AppCheck approaches each test the way a hacker or penetration tester would and applies a testing methodology. The vast majority of application security flaws, such as SQL Injection and Cross-Site Scripting, arise from insecure processing of input supplied by the client. AppCheck adopts a first-principles approach when testing each input by examining the original expected value and the server's response when that value is modified. By adopting this methodology, AppCheck is able to determine how data may be processed by the server and can then dynamically evolve each test to identify vulnerabilities. This approach results in more accurate testing and allows AppCheck to identify security flaws that may be masked by security filters and Intrusion Prevention Systems (IPS), but could still be exploited by a real-world attacker.
Crawling and content discovery
The AppCheck crawling engine uses a combination of application modelling techniques and subtle heuristic cues to automatically discover the complete attack surface of any given application in the shortest time possible. The algorithms are designed to model how a penetration tester or attacker would explore the application, utilising visual cues and ruling out equivalent instances of the attack surface if they have already been explored.
All of this means that for each target discovered we know its state at discovery and how to re-create that state to later attack it; and because the scanner is behaving in a more human way, it opens up attack vectors that are inaccessible to less sophisticated crawlers.
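The two ideas in the paragraphs above, ruling out equivalent instances of the attack surface and recording each target's discovery state so it can be re-created later, can be sketched as a crawl frontier with a canonical key. The following is an added example written for this page, not AppCheck's code; the host names, URLs, the `Frontier` class and the rule that collapses numeric path segments and ignores query-parameter values are all assumptions chosen for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

DEFAULT_PORTS = {"http": 80, "https": 443}


def canonical_key(url):
    """Reduce a URL to the structure a crawler should treat as 'already explored'.

    Two URLs share a key when scheme, host, port, path shape and the set of
    query-parameter *names* match. Parameter values and fragments are ignored,
    and purely numeric path segments are collapsed to a placeholder, so
    /products/17 and /products/42 count as one instance of the attack surface.
    The numeric collapse is a deliberately simple heuristic chosen for this example.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    segments = ["{id}" if seg.isdigit() else seg for seg in parts.path.split("/")]
    path = "/".join(segments) or "/"
    names = tuple(sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}))
    return (scheme, host, port, path, names)


class Frontier:
    """Crawl frontier that stores each new target with the state needed to revisit it."""

    def __init__(self):
        self._targets = {}  # canonical key -> first concrete URL and its discovery state
        self.queue = []

    def add(self, url, state):
        """Queue url unless an equivalent target is already known. Returns True if queued."""
        key = canonical_key(url)
        if key in self._targets:
            return False
        self._targets[key] = {"url": url, "state": dict(state)}
        self.queue.append(url)
        return True

    def recreate_state(self, url):
        """Return the recorded discovery state (cookies, referrer, ...) for url's target."""
        return self._targets[canonical_key(url)]["state"]

    def __len__(self):
        return len(self._targets)


def demo():
    """Feed constructed URLs, as a crawler might find them in a shop, into a frontier."""
    frontier = Frontier()
    state = {"cookies": {"session": "abc"}, "referrer": "https://shop.example.com/list"}
    found = [
        "https://shop.example.com/products/17?sort=asc&page=2",
        "https://SHOP.example.com:443/products/42?page=1&sort=desc#reviews",  # equivalent to above
        "https://shop.example.com/products/42/reviews",
        "https://shop.example.com/search?q=shoes",
        "https://shop.example.com/search?q=boots",  # equivalent to above
        "http://shop.example.com/products/17?sort=asc&page=2",  # different scheme and port
    ]
    results = [frontier.add(u, state) for u in found]
    return results, frontier


if __name__ == "__main__":
    added, frontier = demo()
    print(added, "->", len(frontier), "distinct targets")
```

Of the six constructed URLs only four distinct targets are queued; the duplicates are recognised before any request is spent on them, and `recreate_state` returns the cookies and referrer recorded when the equivalent target was first seen.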
How our intelligent crawling works
Using multiple Open-Source Intelligence (OSINT) sources to gather information that can be seeded into the assessment process.
During the discovery phase, the scanner consults multiple open-source intelligence databases to learn as much about the target system as possible. For example, host names registered to the target IP address, web components indexed by search engines, and historical network data. Data that is in scope for the scan is then seeded into the scan configuration.
The core of our Open Source Intelligence (OSINT) service starts with an asset enumeration solution. It uses a range of techniques, including subdomain and top-level domain brute-forcing, DNS zone transfers, reverse DNS sweeping across specified IP address ranges, search engine scraping, and the consolidation of assets from a wide array of public and private online sources, including VirusTotal, Shodan, HackerTarget and Commoncrawl.
The primary goal of this service is to thoroughly identify and enumerate all assets associated with a top-level domain or IP address. These assets may include subdomains, IP addresses, and even additional associated top-level domains. Using these enumeration methods, we create a detailed map of the client’s external attack surface and a list of the assets an external threat actor is most likely to target.
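The consolidation step described above has to reconcile output shapes that differ per technique (a brute-force tool yields name-to-address pairs, a reverse DNS sweep yields address-to-name pairs, a search engine scrape yields bare host names) and keep only what is in scope for the scan. The following added example, written for this page and not AppCheck's code, shows one way to do that; the source names, the constructed results under `SAMPLE_SOURCES`, the scope lists and the `reason` field are all assumptions for illustration, and the addresses come from documentation ranges.

```python
import ipaddress

# Constructed sample output from several enumeration techniques (not real data).
# Each technique emits a different shape, which is exactly the consolidation problem.
SAMPLE_SOURCES = {
    # subdomain brute-force: (hostname, resolved address or None)
    "dns_bruteforce": [
        ("www.example.com.", "203.0.113.10"),
        ("Mail.Example.com", "203.0.113.25"),
        ("*.example.com", None),  # wildcard answer, not a concrete asset
    ],
    # reverse DNS sweep over an address range: (address, PTR name)
    "reverse_dns_sweep": [
        ("203.0.113.10", "www.example.com"),
        ("203.0.113.11", "staging.example.com"),
        ("203.0.113.12", "lb-3.hosting-provider.net"),
    ],
    # search engine scrape: bare hostnames
    "search_engine": ["legacy.example.com", "promo.example-events.net", "www.example.com"],
    # third-party feed: (hostname, address)
    "third_party_feed": [
        ("old-shop.example.com", "198.51.100.7"),
        ("cdn.otherdomain.org", "192.0.2.99"),
    ],
}

# Assumed scan scope: registered domains the client owns and their address range.
SCOPE_DOMAINS = {"example.com", "example-events.net"}
SCOPE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def normalize_host(name):
    """Lower-case and strip the trailing dot; reject empty or wildcard names."""
    if not name:
        return None
    host = name.strip().lower().rstrip(".")
    if not host or "*" in host:
        return None
    return host


def host_in_scope(host):
    return any(host == d or host.endswith("." + d) for d in SCOPE_DOMAINS)


def ip_in_scope(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in SCOPE_NETWORKS)


def _records(sources):
    """Flatten the heterogeneous source shapes into (source, host, address) triples."""
    for source, items in sources.items():
        for item in items:
            if isinstance(item, str):
                yield source, item, None
            elif source == "reverse_dns_sweep":
                addr, name = item
                yield source, name, addr
            else:
                name, addr = item
                yield source, name, addr


def consolidate(sources=SAMPLE_SOURCES):
    """Merge all sources into {host: {"ips", "sources", "reason"}} plus the out-of-scope names."""
    assets, dropped = {}, set()
    for source, raw_name, addr in _records(sources):
        host = normalize_host(raw_name)
        if host is None:
            continue
        if host_in_scope(host):
            reason = "domain"
        elif addr and ip_in_scope(addr):
            reason = "ip-range"  # a foreign name on the client's address space is still theirs to test
        else:
            dropped.add(host)
            continue
        entry = assets.setdefault(host, {"ips": set(), "sources": set(), "reason": reason})
        entry["sources"].add(source)
        if addr:
            entry["ips"].add(addr)
    return assets, dropped


if __name__ == "__main__":
    found, excluded = consolidate()
    for host, info in sorted(found.items()):
        print(f"{host:32} {sorted(info['ips'])} via {sorted(info['sources'])} ({info['reason']})")
    print("out of scope:", sorted(excluded))
```

Note that `lb-3.hosting-provider.net` is kept even though its name is not under a client domain, because the reverse sweep placed it on the client's address range; a host that is only known by a foreign IP and a foreign name is dropped. Recording which sources corroborate each asset is what lets a reviewer judge how much to trust an entry before it is seeded into a scan.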
This intelligence provides clients with an understanding of their online digital footprint, enabling them to assess potential security risks, conduct further vulnerability scanning, and take proactive steps to enhance their organization’s cybersecurity. In essence, it gives them an in-depth view of their own online assets.
Open source intelligence gathering
Whilst the AppCheck crawling engine does an excellent job of enumerating the visible attack surface, it can sometimes be the hidden components that are the Achilles’ heel.
Temporary components such as micro-sites and marketing landing pages can become forgotten and unmaintained. These no-longer-linked components may hide a critical security flaw, so it is important that we test every component an attacker may target. AppCheck queries search engines such as Google and other online indexing services to gather a list of URLs, both past and present, to factor into the attack discovery phase.
Our approach to testing
Web Application scans can be started in just a few seconds by entering a list of URLs into the AppCheck user interface and either selecting one of our extensive pre-configured profiles or building your own scan configuration. Once started, AppCheck combines open source intelligence gathering with a sophisticated browser-based crawling engine to identify application components that could be vulnerable to attack.