Thursday, June 29, 2017

How do Web Application Scanners Work? (DAST)

Most DAST (Dynamic Application Security Testing) scanners work pretty much the same way at a high level. The process can generally be broken into three phases, and a scanner has a separate module for each phase. These three phases are discussed below.

Crawl Phase

Firstly, each scanner has a crawler module. The scanner kicks off with the starting URL, e.g. www.example.com, and captures all the links it can find on that page. Next it visits those linked pages, looks for new pages from there, and so on. It keeps track of the pages it has already found so it doesn't waste time on duplicates.

At the same time it records any forms it encounters on those pages. It then submits each form with valid data to discover new pages in the application, and the cycle continues until every form found has been filled out.

In this way an automated scanner tries to map out the application, covering as many of its pages as possible and gathering request and response pairs. Scanners need these request/response pairs to perform the test cases in the next phase.

To summarize the crawl phase:
Input to this phase is usually a starting URL.
Output is a list of request and response pairs, also called crawl data.
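The crawl phase described above, as an added example that is not part of the original post: a breadth-first crawler that deduplicates pages, stays on the starting host, submits discovered forms with placeholder values, and returns the request/response pairs as crawl data. The site it crawls is a constructed in-memory map, so it runs offline; `fetch` stands in for a real HTTP client.

```python
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urldefrag, urlencode, urlparse

# Constructed in-memory site keyed by (method, url); stands in for real HTTP fetches.
SITE = {
    ("GET", "http://example.test/"): '<a href="/about">About</a> <a href="/">Home</a><form action="/search" method="get"><input name="q"></form>',
    ("GET", "http://example.test/about"): '<a href="/about#team">Team</a> <a href="/contact">Us</a> <a href="http://other.test/">Out</a>',
    ("GET", "http://example.test/contact"): '<form action="/contact" method="post"><input name="email"></form>',
    ("GET", "http://example.test/search?q=test"): "<p>Results for test</p>",
    ("POST", "http://example.test/contact"): "thanks",
}

def fetch(method, url, data=None):  # stand-in HTTP client; a real scanner sends the request
    return (200, SITE[(method, url)]) if (method, url) in SITE else (404, "")

class PageParser(HTMLParser):  # collects absolute links (fragment stripped) and forms
    def __init__(self, base):
        super().__init__()
        self.base, self.links, self.forms, self._form = base, [], [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(urldefrag(urljoin(self.base, a["href"])).url)
        elif tag == "form":
            self._form = {"action": urljoin(self.base, a.get("action") or self.base),
                          "method": (a.get("method") or "get").upper(), "fields": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form and a.get("name"):
            self._form["fields"].append(a["name"])

def crawl(start, fill="test"):  # breadth-first crawl; returns (method, url, data, status, body) tuples
    host, queue, seen, crawl_data = urlparse(start).netloc, deque([("GET", start, None)]), set(), []
    while queue:
        method, url, data = queue.popleft()
        key = (method, url, tuple(sorted((data or {}).items())))
        if key in seen or urlparse(url).netloc != host:  # skip duplicates and out-of-scope hosts
            continue
        seen.add(key)
        status, body = fetch(method, url, data)
        crawl_data.append((method, url, data, status, body))
        page = PageParser(url); page.feed(body)
        queue.extend(("GET", link, None) for link in page.links)
        for form in page.forms:  # submit each form with placeholder values to reach new pages
            values = {name: fill for name in form["fields"]}
            if form["method"] == "GET":
                queue.append(("GET", form["action"] + "?" + urlencode(values), None))
            else:
                queue.append(("POST", form["action"], values))
    return crawl_data
```

Running `crawl("http://example.test/")` yields five request/response pairs: the search page is reached only through the GET form and the POST to /contact only through the contact form, while the `#team` link and the external host are dropped.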

Detection/Scan Phase

In this phase the scanner uses its detection module on the requests and responses captured during the crawl phase to detect vulnerabilities. To do this, the detection module uses a set of checks, or pre-defined test cases.

The crawl data is fed through this set of test cases to detect vulnerabilities. Based on which test case found the vulnerability, the scanner decides its rating (High, Medium, Low).

The scan stops when the scanner has run all the crawl data through the test cases and no new pages or forms are being discovered.

To summarize the detection phase:
Input to this phase is usually the crawl data.
Output is a list of discovered vulnerabilities, or scan data.

*Scanners usually run the scan phase in parallel with the crawl. The number of threads for each can vary.*

Reporting

Each scanner usually has a reporting engine. When the scan completes, the scan data is usually in a scanner-specific format. These formats are not convenient for sharing and are not human-friendly for managers or testers to process.

For this reason the scanner processes the scan and crawl data it gathered and converts it into a human-readable format. Each scanner may offer several report formats, e.g. HTML, PDF, XML, Word.

For portability, HTML and PDF reports work best. For automation, XML formats are generally used.

Some enterprise versions may additionally provide bug-tracking capabilities.

To summarize the reporting phase:
Input to this phase is usually the scan and crawl data.
Output is a neatly organized vulnerability report with findings and graphs.
