When configuring an authenticated web application scan one of the first decisions you need to make is what user account the scan should log in with.
As discussed in Minimising Risk of Web Application Scanning, the account you select should be:
- Non-privileged (if scanning in production)
- Only used for scanning
- Unique
- Controlled by AppCheck (Optional)
- Random Password
Non-privileged (if scanning in production)
With a few exceptions, the scanner will follow every link and click every button in can find. While there is some protection in place to prevent things like changing passwords or deleting items this protection is not perfect and such functions may be triggered if available. Therefore do not use an account that has access to do anything you don't want done. To scan sensitive areas with a privileged account use a non-production environment.
This is particularly important when scanning things like control systems for industrial machinery, but scanning these is probably a bad idea with any account, in case said account has access (or a vulnerability grants access) to controls it isn't meant to have, which could have dangerous effects.
Only used for scanning
This is primarily to avoid interfering with data that may affect real-world users, but also avoids the slight risk of real-world users altering data mid-scan that may affect the scanner's ability to detect certain vulnerabilities.
For example, some vulnerability detections involving injecting data on one page, then later in the scan seeing that data presented elsewhere in the application. If a human user (or, indeed, another scan, see Unique, below) were to alter or delete that data while the scan is running then that vulnerability may not be found.
Unique
If the scan triggers an unexpected behaviour in your application, you will know exactly which scan was responsible, and finding relevant log lines will be easier.
In this context "unique per scan" means per saved scan configuration, you do not need to create a new user each time the scan runs.
Controlled By AppCheck
If the account's email address is controlled by AppCheck, then the scanner can make use of emails sent to it, for example:
- As part of Multi-Factor Authentication
- To test password-reset functionality for vulnerabilities
AppCheck provides a tool for generating a unique email address on a domain we control and which can be accessed by the scanner. You can use the following link to generate a new address:
https://ptst.io/generate_random_account
The password generated here is merely a suggestion, it is not used to access the emails
To view the latest email sent to your randomly generated @ptst.io address, use this link, with your new email address on the end, after the =
https://ptst.io/latest_email_by_to?to=
These emails are publicly accessible (though if you have used a unique address then only yourselves and AppCheck will know the URL, and only the latest email is accessible). Do not send confidential information to these addresses.
Random Password
There are several reasons to use a randomly generated password. As well as security benefits, there is a feature of AppCheck's scanning that can be affected by a badly chosen password.
The scanner will attempt to identify application components that change or reset the account password and will avoid activating them. If the password is a common word, or the name of the application or organisation, then it may appear in places within the application, and those places may be incorrectly identified as password changing functionality, and will therefore not be scanned.
For example, if your application contains the URL is https://example.com/foo and your password is "foo", then the scanner may avoid that part of your application, since it believes https://example.com/foo is related to password changing.
This functionality can be changed or disabled, but this is not recommended. Instead, we recommend using a randomly generated password (you may choose to use the one suggested by https://ptst.io/generate_random_account).
Comments
0 comments
Article is closed for comments.