By default, AppCheck is configured to get the best out of most applications in a reasonable amount of time. However, if you know your application inside out, it can be worth tweaking these settings, both to look for more vulnerabilities and to decrease the time required to perform a scan.
One of the quickest ways to tweak the settings is to alter the scanner profile settings within the Web Application Scanner Settings section. This alters some of the scan defaults to enable or disable features that affect where the scanner looks for vulnerabilities and can have an impact on scan time. By eliminating some of these checks and avoiding edge cases, scan time can be reduced.
- Forced discovery: this option controls whether the scanner attempts to discover resources that would not normally be found during a crawl, looking for potentially dangerous hidden paths such as .git and .svn repositories.
- DOM XSS checks: this option tells AppCheck to use real browsers to detect and confirm XSS vulnerabilities. These checks can be very expensive; disabling them is not recommended, but switching this option off will decrease scan time.
- Scan REST paths: with this option enabled, AppCheck will scan the URL paths for vulnerabilities. This is only applicable when the application uses a routing system; if paths are confined to actual folders it isn't required.
- Scan parameter names: this option instructs AppCheck to scan the names of parameters for vulnerabilities, not just the values. With this option enabled, the attack surface of all parameters is doubled.
- Scan referrer headers: with this option enabled, AppCheck will attack the referrer header of an application.
- Scan Cookie headers: with this option enabled, AppCheck will attack the cookie header of an application.
- Scan user agent headers: with this option enabled, AppCheck will attack the user agent header of an application.
- Scan all other headers: with this option enabled, AppCheck will attack every header of an application.
| Profile | Forced Browsing | DOM XSS Checks | REST Path Scanning | Param Names Scanning | Referrer Header | Cookie Header | User Agent Header | All Other Headers |
|---|---|---|---|---|---|---|---|---|
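To make the scope of those profile options concrete, here is an added example (not AppCheck's own code) that inventories the injection points a scanner would have to test for one request under a minimal profile and a full profile. The request, the profile flag names (`rest_paths`, `param_names`, `referrer_header`, `cookie_header`, `user_agent_header`, `other_headers`) and the rule that each cookie counts as its own input are all assumptions made for the illustration; it tests nothing and sends nothing, it only counts where a scan would look, which is what drives scan time.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed sample request; host, cookies and header values are made up.
SAMPLE_REQUEST = {
    "method": "GET",
    "url": "https://app.example.test/api/users/42/orders?sort=date&page=2",
    "headers": {
        "Host": "app.example.test",
        "User-Agent": "Mozilla/5.0 (example)",
        "Referer": "https://app.example.test/dashboard",
        "Cookie": "session=abc123; theme=dark",
        "Accept-Language": "en-GB",
        "X-Request-Id": "example-7f3a",
    },
}

# Hypothetical profile flags mirroring the options described in the article.
MINIMAL_PROFILE = {
    "rest_paths": False, "param_names": False, "referrer_header": False,
    "cookie_header": False, "user_agent_header": False, "other_headers": False,
}
FULL_PROFILE = {flag: True for flag in MINIMAL_PROFILE}


def injection_points(request, profile):
    """List every (location, name) the scanner would test under this profile."""
    parts = urlsplit(request["url"])
    points = []

    # Query string: values are always in scope; names only when param_names is on.
    for name, _value in parse_qsl(parts.query, keep_blank_values=True):
        points.append(("query_value", name))
        if profile["param_names"]:
            points.append(("query_name", name))

    # REST path scanning treats each path segment as an input.
    if profile["rest_paths"]:
        for index, segment in enumerate(s for s in parts.path.split("/") if s):
            points.append(("path_segment", f"{index}:{segment}"))

    headers = {k.lower(): v for k, v in request["headers"].items()}
    specific = {"referer": "referrer_header", "user-agent": "user_agent_header"}
    for header, flag in specific.items():
        if profile[flag] and header in headers:
            points.append(("header", header))

    # Cookie header: each cookie is treated as its own input (assumption).
    if profile["cookie_header"] and "cookie" in headers:
        for cookie in headers["cookie"].split(";"):
            cookie_name = cookie.split("=", 1)[0].strip()
            if cookie_name:
                points.append(("cookie", cookie_name))

    # "All other headers": everything not already covered by a specific option.
    if profile["other_headers"]:
        for header in headers:
            if header not in specific and header != "cookie":
                points.append(("header", header))
    return points


def attack_surface_report(request):
    """Count injection points per profile to show how each option widens scope."""
    counts = {}
    for label, profile in (("minimal", MINIMAL_PROFILE), ("full", FULL_PROFILE)):
        counts[label] = len(injection_points(request, profile))
    # Turning on parameter names alone doubles the query-string surface.
    with_names = dict(MINIMAL_PROFILE, param_names=True)
    counts["minimal+param_names"] = len(injection_points(request, with_names))
    return counts


if __name__ == "__main__":
    for location, name in injection_points(SAMPLE_REQUEST, FULL_PROFILE):
        print(f"{location:13} {name}")
    print(attack_surface_report(SAMPLE_REQUEST))
```

For the constructed request the minimal profile yields two injection points (the two query values), enabling parameter names alone doubles that to four, and the full profile reaches fifteen once path segments, cookies and every header are in scope. Multiplying the point count by the number of checks each plugin runs per point is a fair first estimate of how a profile change will move scan time.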
Another option for reducing scan time is to disable some plugins. Currently the interface for doing this is a little clunky; over time it will be improved to provide a full list of plugins and a description of their function. For now we have provided a selection of plugins that can be switched off if you know the ins and outs of your system.
The interface for disabling plugins is not available to customers automatically, and you may need to ask a member of support to help you disable plugins.
| Plugin | Description |
|---|---|
| WordpressScanner | Looks for Wordpress-specific flaws and vulnerabilities. If you are not using Wordpress, this can be safely disabled. |
| JoomlaScanner | Looks for Joomla-specific flaws and vulnerabilities. If you are not using Joomla, this can be safely disabled. |
| UmbracoScanner | Looks for Umbraco-specific flaws and vulnerabilities. If you are not using Umbraco, this can be safely disabled. |
| DrupalDetection | Looks for Drupal-specific flaws and vulnerabilities. If you are not using Drupal, this can be safely disabled. |
| NiktoDbPlugin | Performs discovery against the NiktoDB of known vulnerable paths, mostly relating to known CGI and Flash programs. It can be quite expensive; if you are sure you are not using anything in there, it can be switched off. |
| WSDLTargets | Attempts to discover WSDL endpoints for attack. If you are not using SOAP or WSDL, this can be switched off. |
| Sqli2 | If you are not using an SQL database, it is safe to switch off the SQLi plugin. |
There are a couple of advanced configuration flags within AppCheck that enable or disable some features. Most of the time these exist so that our technical team can test new features before adding them to the main scanner; other flags may change the behaviour of the scanner in some ways.
Please contact AppCheck support for a list of available configuration flags.