Whitelisting AppCheck for Access to Your Network or Applications

What is Whitelisting?

A whitelist (or, less commonly, a passlist or allow-list) is a security mechanism which explicitly allows some identified entities to access a particular privilege, service, mobility, or recognition i.e. it is a list of things allowed when everything is denied by default. It is the opposite of a blacklist which is list of things denied when everything is allowed by default.

What is IP-based Network Whitelisting?

Modern firewalls and Intrusion Prevention Systems (IPS) can be configured to persistently ban or block requests from IP addresses. This can be done either proactively (based on a set provided list, and typically implemented on a firewall) or reactively (blocking IPs dynamically if the IP is seen to submit requests containing known attack signatures. 

When is whitelisting of IPs required for AppCheck?

There are two main circumstances where you will need to proactively whitelist AppCheck's IP addresses:

To allow access through firewalls to source-restricted sites and services

The majority of websites on public IP addresses are "open" by default, meaning that they permit traffic from any/all IP addresses by default. However, some services, such as administration portals for Content Management Systems (CMS) or employee-facing systems such as Intranets and payslip or HR portals may be source-restricted to permit access only from certain IP ranges, such as the company's own networks and its VPN.

If you wish to scan such systems then you will need to whitelist the AppCheck source IP addresses in order to scan them.  Please note that if the systems are fully internal on a internal RFC1918 address in the rang 192.6.18.0.0, 10.0.0.0 or 172.16.0.0 then you will instead require an internal hub to be deployed to your network - please speak to your account manager for details.

To ensure the scanner is not blocked when accessing "open" public websites that are protected by a WAF or IDS

Some devices, such as Web Application Firewalls (WAFs) or Intrustion Prevention/Detection Systems (IDS/IPS) are used to "screen" public websites, and to reactively block IP addresses that are seen to submit malicious requests. The AppCheck NG system scans for thousands of vulnerabilities in your web applications and network infrastructure and it does by making benign requests that nevertheless mimic malicious traffic. These requests may cause AppCheck's scanners to trigger your WAF/IDS and become blocked and unable to scan further. Any IPS system regardless of its levels of sophistication may detect many of the submitted security checks as malicious traffic even though they are in fact benign and authorised and will blacklist the AppCheck IPs. In this context, black listing means that the offending IP address is prevented making future connections to the systems being scanned.

If the IPS system then prevents further connections from the scanning IP address, the scan become ineffective at identifying vulnerabilities that could otherwise be exploited. To gain the best coverage from your security assessment, the AppCheck Scanner IP address ranges should be added to the “whitelist” of any gateway device that could “black list” AppCheck based on one or more of its security checks. 

To ensure the scanner is not blocked when scanning websites that are protected by a CDN or DDoS mitigation service such as Cloudflare, Amazon Cloudfront, or Prolexic

Similar to the screening provided by cloud or data-centre based WAFs and IDSs, it is also possible to whitelist AppCheck to permit it to scan websites that are screened by CDN or DDoS mitigation services such as CloudFlare.

Please also see our dedicated FAQ/knowledgebase article on this, at  https://appcheck.zendesk.com/hc/en-us/articles/4436643250705 

What are AppCheck's IP addresses which I should whitelist?

An up to date list is maintained in the following FAQ: What is your IP range so I can whitelist the scanner?

Does whitelisting AppCheck make it an unfair test?

Advanced vulnerability scanning solutions such as AppCheck aim to detect as many security flaws as possible, safely and accurately. The aim of a vulnerability scan is not to "test" a vulnerability scanner's ability to model a malicious attack, but rather to detect as many vulnerabilities as possible, in order that they may be fixed before being exploited. If AppCheck is not whitelisted, you may gain a false sense of security of your operated services and believe that no vulnerabilities exist. AppCheck always recommends whitelisting.

Can AppCheck be used to test the effectiveness of my Intrusion Prevention System (IPS)?

AppCheck, like all vulnerability scanners, will trigger IPS rules. There are several approaches that can be adopted to test the IPS as well as the target applications and systems.

A common approach is to run two scans, one with white-listing enabled and another without. It recommended that the IPS system is configured to block known attacks, but not black list the IP address.

AppCheck adopts a "first principles" approach to detecting vulnerabilities. In short this means each application component is methodically tested, starting with subtle manipulation of each client request building up to more complex payloads that full exploit the security flaw. In many cases this allows AppCheck to accurately detect security flaws without submitting fully formed payloads that are detected by the IPS.