Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Secure Stage / 8 May 2020
GitLab / Secure Stage / 8 May 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Types of DAST scans

Description

A video where we discuss the differences between:

Passive scans
Active scans
Full scans
API scans
Authenticated scans

A

All right, so what I wanted to do is just talk about the active passive, active scan, passive scan, full scan, API scans and authenticated scans, all of which are mentioned in our documentation in one form or another. So let me share my screen here and we can kind of work through what these are. You able see my screen here. I am alright, so we've got active and passive scans which in our documentation we refer to, but we don't actually have them as environment variables and I.

A

Think that's one of the reasons that there's a little bit of confusion with how these work. So, if you look, we've got a baseline scan, it says, execute a baseline scan, but it won't actually attack your application but there, but you can also configure it for an active scan and then down here we have a full scan which runs an active scan and I. Think that's a little bit confusion. So what I wanted to just do is quickly define these so an active scan.

A

Well, let's start with a passive scan which is really just a spidering of your site, right, yeah,.

B

And specifically, so is that the tool that does depends on is a proxy server. So that means when you set up a proxy server in your browser, if you navigate to a website, if the request goes via SAP to the website, and then the response comes back via SAP to your browser and we show on the page a passive scan. All it means is that as app handles, that request and response on the way through it reads the the headers in the URL and and the bodies and runs vulnerability rules against them to work out.

B

If there's any vulnerabilities, so it's passively trying to find vulnerabilities. That's, why is that call it a passive skin? So.

A

That basically sits in the middle, and it just just looks at the requests that are going through. It doesn't do anything with the requests it just analyzes them. It's it's very hands-off. It's saying: okay, I'm, seeing the traffic go through I see what it's doing. Here's the problems I see with it, I'm just gonna, pass that traffic through I'm not gonna, do anything with it. Yeah.

B

So it's it! It's passively scanning now zap offer a zap baseline script which helps users passively scan and that actually does more than passively skin. It actually spiders your website too, so it it basically goes and loads. A webpage finds all the links follows all the links loads. Those webpage follows those links, etc, and while it's following those links, it's obviously doing the passive scanning and that's called as app baseline, scan. Okay.

A

So maybe a better definition of passive is actually just sitting in the middle and looking at the results, passiveness the baseline is what is actually including the spidering correct, okay, so passive is just sitting in the middle. Looking at the results and doing some analysis, it's not necessarily responsible for generating the new URLs or figuring out what URLs need to be scanned. Yeah.

B

I I I consider the whole spidering or using the Ajax spider or pausing in a an API definition to be kind of discovering the attack surface of your website. The baseline scan like discovers the attack surface and in doing so passively scans what it finds. Okay,.

A

And I think what's important with this app baseline. Is that it's not so it just discovers the attack service, but it's not doing anything. Malicious I would.

B

Actually, disagree with that, because, typically when we talk about HTTP requests being safe as an example, we typically mean they're doing requests that won't change State on the server side, but and that typically limits them to operations like get methods on it on a HTTP and when making HTTP requests the thing about the zap zap. Is it the the attack surface or finding the attack service also makes post requests to forms? Okay makes it unsafe, so I think on our documentation.

B

We actually mentioned that it's you know you should only do it a passive or don't do an active scan on production website. I would actually say: don't do any scan on a production website. Okay,.

A

So the baseline can actually can post data I believe so yeah.

A

So it has the potential of being malicious, I think the goal is that it's not it's not aggressive, but what you're saying is. It does have the potential of causing problems. Yeah yeah.

B

Certainly it's its goal isn't to be malicious, but it can cause problems. Okay,.

A

And then tell me a little bit of how you would define an active scan versus a passive scan here. So.

B

So once the attack surface has been discovered and active, scan introduces more vulnerability, definitions that for for each URL and method discovered in the attack surface, they will target and maliciously try and break or discover vulnerabilities against that URL. So, for example, the path traversal might take the URL and then you know deliberately chunk parts of the URL off and and try and make requests to to find access to things as I shouldn't have otherwise being able to access. So.

A

It's gonna actually manipulate the request in a way that this spider did not intend right. So a spider is gonna, pass in URL, parameter, strings or whatever that it found on a page and the active scan is gonna, say: hey I, see what those variables are. I'm gonna, actually change. Those and I'm gonna try to to be bad with those yeah.

B

And which means it actually makes new requests? Okay, so, where, as a passive scan will just you know, it will just pass on the requests you have made, an active scan will say: oh I, see you've made this request, I'm going to actually try and break that even further by making a hundred more requests each changing the parameters and seeing what I can break okay and you can configure the active scan to work out.

B

You know whether you want to do this at a medium kind of level or at an insane kind of level, and that reflects how many more requests you want to make.

A

Configurable to determine the level of requests, / manipulation, that's right! Alright, that's my understanding, anyway, cool and then should these are built in active and passive scan. Concepts are built into Zapp and they have a set of rules that are associated with each of those so and we could take a look at the code shortly like it loads in a set of rules for active or it loads in a set of rules for passive now Zapp by itself does not have a concept of a full scan.

A

A full scan is actually I, think kind of a gitlab nomenclature when you run a full scan according to our documentation right here, so you say: gasps full scan enabled if we go back here. What is that doing? Is it running active? Is it running passive? What like what parameters? Is it using? It's.

B

Essentially doing everything does that by salon scan does so it it tries to determine the attack surface in doing so, it doesn't passive scan and then, on top of that, it then triggers an active scan.

A

Okay, perfect so.

B

Show, based on the URLs that found in me.

A

So if you're not running a full scan in gitlab you're running a baseline scan right, correct, okay, so non full scan.

B

Is this app baseline? The only exception to this is an IPO scan, but we'll get to that yep.

A

And then I think one thing that's important in here is that when you run the Zap baseline by default, it's limited to 60 seconds and then by default of the full scan is not time limited. What.

B

Do you, what are you suggesting is limited to 60 seconds? It's certainly a passive scan. Sorry, a baseline scan can run longer than 60, so.

A

Yeah, so by default. So if you don't change those parameters but.

B

That's not the job one timeout after 60 seconds right.

A

Right but like, for example, if you just set up the scanner just out of the box, you know the include and then the URL it's gonna run a baseline and that's defaulted to 60 seconds. So it's gonna run for a minute and then it stops. There's my understanding. Okay I thought otherwise, but we should. We should figure that out. Okay, so my understanding is, it runs for 60 seconds and that's part of my question and we can get into this is.

A

Is you basically have a baseline, which runs a passive scanner for 60 seconds or you have a full scan which runs the whole site for an indefinite period of time and there's no there's no spectrum. Unless you get into the configuration I.

B

Suspect that 60 seconds might be limiting the time that you try and discover the attack surface, okay, which yeah we can. The baseline case is spidering, but okay, yeah, oh.

A

Yeah, maybe we take a look at that shortly and then tell me a little bit about what the API scan is and how that's different from from these other ones. So.

B

I mean we've essentially hidden away the difference, but under the covers, it calls a dip script. But the big difference is when, when determining the attack surface, it doesn't spider well, I think it tries to spider as well, but predominantly it determines the attack surface by reading an API definition using the open unit, open API specification and then once you've got the so that gives you all the URLs of your restful endpoint, which it then tries to I. Think it's spiders it.

B

So it can essentially call them using HTTP requests, which it does a passive scan while that's taking place and then there's an opportunity to do an active skin once that is complete.

A

Against so it runs a passive scan against those URLs and then, when you say you can run an active scan. Is that a parameter that you would pass into the script? I think.

B

It's I think it is something worked out like that. Certainly the way it was developed was so that that the same variable that triggers that allows you to turn a full scan on and off will trigger an active scan when it's an API skin. Okay,.

A

Cool and then the last item is, we have authenticated scans and.

A

My understanding of the way authenticated scans are: is they really apply to either the full scan or than the non full scan? And it's really not a scan itself? It's just the ability to authenticate into the website. Yeah.

B

So traditionally, a lot of websites have a login gateway at the side of their website. So obviously, if you run dust on a site like that, you would only be testing the public part of the website, because dust wouldn't be able to login. You wouldn't be scanning any of the pages beyond the login gateway, so we're trying to allow people to log in now on a typical website, most of them use JavaScript.

B

So dust has the ability to launch a browser, type, the username and password and submit the form it saves the cookie and then with every following request that is made by dust. It sends the same okey, so the website thinks you logged in that's one method of authentication and there's.

A

The authentication scam that will work for either the the full scan or the non full scan correct.

B

Okay, now for an IPO scan, it's it's different, because you don't have a page where he knew the logs in an API scan. Typically, authentication is performed using some kind of authorization. Toka token, you know, request header, so there's a slightly different process for authenticating API scans, but it's essentially the same thing: you're trying to get best access to the endpoints.

A

Spiders.

A

Perfect and so API scans, this authenticated via headers sent in yeah instead of the authentication authentication.

A

Fields that defines yeah perfect any other differences that we should talk about on these couple of scans. No, that I'm aware of all right, perfect, you all know we can stop the recording there.