AppCheck's request payloads are designed to be safe; however, an AppCheck scan sends a high volume of requests to your application, and may hit endpoints or submit payloads that you do not encounter in day to day operations. In some circumstances (such as unhandled exceptions in application code, or insufficient system resources) these can negatively affect the performance or stability of your application, causing slow responses or downtime for your users.
If this occurs, the first thing you should do is abort your scan. It can take a few minutes for all requests to end, so perform this action as quickly as possible.
The next steps depend on exactly what went wrong, but you should always start by reading the guide Minimising Risk of Web Application Scanning.
If you have a test environment available then you can all but eliminate the risk of disruption of your production environment by focusing your in-depth scan on the test environment, and running a light-weight scan of your production environment (consult the guide for instructions).
AppCheck does not keep a record of every request sent to the target application(s) during a scan; therefore it is not possible to look at an AppCheck scan and know exactly what requests were being sent at the time the problem occurred. Ascertaining the cause of a problem requires consulting application logs and monitoring on the target-side, exactly as you would investigate an incident that occurred when a scan was not running.
If your application slowed down to an unacceptable level
This likely indicates that the application (or backend services that it talks to) cannot handle the load from the scan.
Consider increasing the resources allocated to the environment being scanned, or reducing the scan intensity (see the guide for instructions).
If your application crashed completely or started showing unexpected error messages to users
This may simply be an extreme case of the load issue described above, in which case the solutions will be the same.
However, it could also be the case that a particular request sent by AppCheck to your application is causing your application to fail. For example, this could be AppCheck submitting a record creation request thousands of times causing space to fill up (or lookups to slow down), or your application may be unable to handle certain payloads and crashes instead of rejecting the payloads safely.
You will need to consult your application logs to identify the cause of the failure.
If the cause was a particular request sent by AppCheck, then there are a number of steps to take:
- Your developers should update your application to remove this susceptibility. The ability to bring down your application by sending specific payloads can itself be considered a vulnerability and should be addresses as soon as possible - remember that if AppCheck can send these requests, then so could a malicious attacker (it's even possible the request in question is one a customer might submit in rare circumstances).
- Update the AppCheck scan configuration to exclude the path where the dangerous payload was sent. For example, if the crash was caused by a request sent to https://example.com/admin/update then add that URL to the exclusion list. See Application Scan Targets, Scope, Seeded Targets and Targets to Exclude for more information on using the excluded targets list.
- By excluding a target in this way you lose coverage, and therefore the ability to detect vulnerabilities in that target. It is therefore advisable to update your application to remove the susceptibility as soon as possible, and then reintroduce the target to your scans by removing it from the excluded targets list.
Comments
0 comments
Article is closed for comments.