Web applications are often vulnerable via either URL GET parameters or POST (form) fields. We therefore by default scan forms with thousands of alternative payloads to test if they are vulnerable to weakness such as injection vulnerabilities.
Whenever the AppCheck scanner finds a URL containing a form that we can identify as a contact form then we will submit values to the form, identifying ourselves using the default email address [scanid]@ptst.io.
Some applications respond to form submissions using email, such as by sending an email to [scanid]@ptst.io, or by sending an email to an address within your organisation using [scanid]@ptst.io as the from address.
Note: These emails are not send by AppCheck - AppCheck simply submits forms within your application; it is up to your application how it responds.
- Identifying which page/forms on your site submit emails and adding the submit URL to the Denied Targets in the scan configuration
- Identifying which page/forms on your site submit emails and ensure that these are protected by ReCaptcha or other devices to prevent submissions by bots etc if you wish to prevent both AppCheck and actual malicious users bombarding you with almost unlimited numbers of emails;
- Create a forwarding rule to identify emails to or from [scanid]@ptst.io and route them to a junk/spam folder.
- It is possible to disable either just contact form submission or all form scanning using options in your scan configuration settings. However this is a less favoured approach since it presents AppCheck finding and reporting on vulnerabilities in your scan forms
The two levels at which you can disable scanning of forms in your scan settings can be found under Web Application Scanner Settings and are:
Avoid Contact Forms
This option is for users that wish to scan forms in production but are worried about the effect it could have on their contact forms if they have the inability to drop contact form submissions that match a given pattern. Further Guidance More guidance on other factors to consider when scanning your web applications in order to ensure a safe scan completion without impact to your services can be found at https://appcheck.zendesk.com/hc/en-us/articles/360023190733-Things-to-consider-when-scanning-web-applications
It’s strongly recommended to leave this option ticked (enabled) in order to scan forms on web applications as they are likely to be the most vulnerable areas as they accept direct user input that could be tainted. Disabling this option is usually a "sledgehammer to crack a walnut" solution, and prevents AppCheck scanning any forms and hence finding many potential vulnerabilities.