What is a Screened (Authenticated) Web Application?
Many applications do not expose all of their functionality on the public internet; some of it sits behind authentication. A common example is the ordering and payment section of an online store, where an account must be created and authentication (typically a password) is used to gain access to that specific account.
Can AppCheck Authenticate to a web application and perform authenticated scanning?
Yes. It is necessary to provision a login (a unique username and password) for AppCheck to use. This can then be added to a scan configuration, and the scanner will log in to the website before performing the scan.
When configuring a web application scan, authentication can be provided either as a basic username and password or, preferably, via a GoScript - see A Guide to GoScript for details.
What are the benefits of authenticated web application scanning?
With authenticated scanning configured, AppCheck scan hubs are able to crawl a much larger application footprint (a greater portion of the website) and build up a broader graph of the application's pages. This means that they could, for instance, discover critical vulnerabilities in the "My Account" section of a website that would not otherwise be reachable.
Credentialed Infrastructure Scanning
AppCheck can also perform "credentialed infrastructure scanning", which is similar in that credentials can be provided for infrastructure layer scanning - this takes the form of SSH details (Linux/Unix) or WMI username/password for Windows hosts.
For more details see https://appcheck.zendesk.com/hc/en-us/articles/360011113914-Credentialed-Infrastructure-Scanning
Potential Risks
It is important to remember that a web application scanner such as AppCheck will exercise all functionality it can reach in order to test it. From an authenticated perspective this may include, for instance, creating or deleting dummy orders, or changing account or user details.
It is therefore very important to use a unique user account dedicated to AppCheck and, where possible, to scan a test/staging instance before scanning production.
For more information see https://appcheck.zendesk.com/hc/en-us/articles/360023190733-Minimising-Risk-of-Web-Application-Scanning