Articles in this section

See more

Allowing AppCheck Access to Your Network or Applications

Avatar
Sam Illingworth
  • Updated
Follow

Modern firewalls, Intrusion Prevention Systems (IPS), Web Application Firewalls (WAF) and other such systems can be configured to persistently ban, block or rate-limit requests from specific IP addresses, or deny or rate limit all requests except those coming from specific IP addresses (or indeed a combination of both approaches).

Your system may take a default-deny approach, where any IP address not in the allow-list is denied access; or a default-allow list where any IP address not in the deny-list is allowed access.  In a default-allow system, if an IP addresses is flagged as making malicious requests then it will be added to the deny list, either temporarily or permanently.

An allow-list ensures that requests from the specified IP addresses are allowed through in both cases, even if the address is seen to make malicious requests.

It is also possible to have both such system in place - for example you may have a primary allow-list which lists the only IP addresses allowed to make requests, but even addresses on that list may be added to a deny-list and blocked if they are seen to make malicious requests.  In this case you may find you have a second allow-list, which lists IP addresses which should be excused from the deny-list (even if they make malicious looking requests).

An example request might first hit your firewall which takes default-deny approach.  The request is in the firewall's allow-list and so is allowed through.  Next the request is evaluated by your WAF and found to be malicious, and is therefore blocked.  The WAF also adds the source IP address to its deny-list for 1 hour, meaning all further requests from that address are blocked by the WAF for one hour, even though they are in the firewall's allow-list.  To ensure the requests are allowed through, the address must be in the firewall's allow list and the WAF's allow-list.

CDNs and DDOS mitigation tools like Cloudflare often do something similar and have their own allow-lists.

Why Should AppCheck Be In The Allow-List?

AppCheck needs access to your application and infrastructure to scan them.  To detect and confirm the presence of vulnerabilities AppCheck intentionally submits malicious looking requests that work just like an actual attack, simply with a harmless effect.  Consequently an IPS/WAF that sees AppCheck's requests will block them if not instructed otherwise.  If AppCheck's requests are blocked it cannot detect vulnerabilities.

AppCheck also sends a huge number of requests during a scan, well into the tens or hundreds of thousands, so if your system rate limits our requests then the time taken by the scan may go from hours to weeks.

Doesn't Adding AppCheck To An Allow-List Make it an Unfair Test?

AppCheck aims to detect as many security flaws as possible, safely and accurately. The aim of a vulnerability scan is not to "test" the scanner's ability to model a malicious attack, or to bypass mitigation systems like IPS and WAFs, but rather to detect as many vulnerabilities in the underlying application as possible, in order that they may be fixed before being exploited

AppCheck makes no attempt to conceal itself or to fool your IPS/WAF - it makes a large number of malicious looking attacks in a short period of time.  Any IPS/WAF should easily detect (and block) this behavior.  An actual attacker however would likely make a far smaller number of highly targeted requests, which is much harder to detect, and they may well take steps to fool or bypass your IPS/WAF.  If they succeed they would have access to your application in a way AppCheck did not (if it were not in your allow-list) and would be able to exploit vulnerabilities of which you were unaware.

Can AppCheck be Used to Test the Effectiveness of my Intrusion Prevention System?

AppCheck, like all vulnerability scanners, will trigger IPS rules. There are several approaches that can be adopted to test the IPS as well as the target applications and systems.

A common approach is to run two scans, one with AppCheck in the allow-list enabled and another without.  It is recommended that the IPS system is configured to block known attacks, but not add the source IP address to the deny list (otherwise you would need to manually remove the addresses from the deny-list before running the other scan).  If you see vulnerabilities in the allow-list scan but not in the other, then this suggests the IPS/WAF is offering some protection against exploitation of that vulnerability (but see the previous section for why this is not necessarily adequate protection).

AppCheck's IP Addresses

An up to date list is maintained in the following FAQ: AppCheck's IP Range

Related articles

Comments

0 comments

Please sign in to leave a comment.