Active vulnerability scanner in Wallarm

An important difference between Wallarm and many other products, including the famous WAF, is its detection not only of hacker attacks, but also web application vulnerabilities. To make a truly quality vulnerability detector, we had to consider all the approaches that already exist — and develop our own.

A crawling problem

An efficient vulnerability search is impossible without an understanding of how web applications are structured. However, many of today’s applications use an asynchronous work model with clients, web sockets, and other modern HTML5 technology — all this renders the old approaches to data collection (crawling) ineffective. To get the structure of the project, vulnerability scanner developers have to embed a full-fledged browser into them — but even in this case, collecting information about the application remains an extremely labor-intensive task, which increases the time needed for project verification. But Wallarm already has all network HTTP traffic at its disposal, so for us, crawling applications is nothing out of the ordinary. If users use web application, Wallarm understands how this application works.

Fight hackers using their own methods

The usual approach to security scanning looks more like a unit and functionality test. We wait for a response from the scanner about whether the check went through or not. All responses are processed manually. Developing Wallarm’s scanner, we tried to get approximate it as closely as possible to how a person works while auditing an application’s security. A person will study the application after receiving access — and we want the same thing from the Wallarm scanner. It breaks down conventional approaches to scanning, translating them into an offensive way. Wallarm can exploit vulnerabilities to expand the scope (of course, if Wallarm customer wants it). It is “fight hackers using their own methods” approach.

Vulnerability scanner modes

You can select the operating mode of the active scanner in the scanner’s settings:

• off — the active scanner is completely turned off. In this case, the search for vulnerabilities is performed only by a passive vulnerability scanner by analyzing request content and web application responses.
• classic — this work mode is the same as all classic vulnerability scanners. Except, vulnerabilities are discovered by sending attack vectors and checking the application’s response to them.
• gathering — discovering vulnerabilities with the ability to gather data through vulnerabilities passively. That is, for example, if the /server-status is open or server is vulnerable to Heartbleed. The scanner can gather data and use it for training. One more example — if stack trace goes down, then Wallarm can analyze its contents to obtain a list of the project classes used, etc.
• offensive — work mode with the ability to actively exploit vulnerabilities. So, if vulnerabilities are detected, the RCE scanner can execute commands (like, for example, Is -IaR).