Web applications are often vulnerable via either URL GET parameters or POST (form) fields. By default we therefore scan forms with thousands of alternative payloads to test whether they are vulnerable to weaknesses such as injection vulnerabilities.
Whenever the AppCheck scanner finds a URL containing a form that it can identify as a contact form, it will submit values to that form, identifying itself using the default email address firstname.lastname@example.org. Your scanned application may respond to this in a number of ways, such as by sending an email to email@example.com, or by sending an email to an address within your organisation using firstname.lastname@example.org as the From address.
Workaround to prevent spam during scanning
One option is therefore to create a forwarding rule to identify emails from this sender and route them to a junk/spam folder.
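The forwarding rule described above has to recognise a scan-generated message in more than one shape: the scanner address may be the From address, it may only appear in the body of a "new submission" notification that the form handler sends to your own staff, or it may sit behind a display name. The following is an added example (not AppCheck's code) of the check such a rule needs, written in Python with the standard email library; the three messages are constructed for illustration, the scanner address is the default one the article gives, and the mailbox, junk-folder and domain names are assumptions.

```python
"""Decide whether a contact-form notification was generated by an AppCheck
scan and should be routed to a junk folder.  Added example; the article only
describes creating a forwarding rule, this shows the matching it relies on."""
import email
from email import policy
from email.utils import getaddresses

# Default address the scanner identifies itself with (from the article).
SCANNER_ADDRESS = "firstname.lastname@example.org"
# Headers a form handler typically copies the submitted address into.
ADDRESS_HEADERS = ("From", "Reply-To", "Sender")


def route_message(raw: bytes) -> str:
    """Return 'junk' if the message stems from a scan submission, else 'inbox'."""
    msg = email.message_from_bytes(raw, policy=policy.default)

    # Compare the bare addr-spec: a display name such as "Web Form <...>"
    # must not hide the scanner address, and matching is case-insensitive.
    for header in ADDRESS_HEADERS:
        values = [str(v) for v in msg.get_all(header, [])]
        for _display_name, addr in getaddresses(values):
            if addr.lower() == SCANNER_ADDRESS:
                return "junk"

    # Many handlers mail the submitted fields to staff from a no-reply address;
    # the scanner address then only appears in the body text.
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None and SCANNER_ADDRESS in body.get_content().lower():
        return "junk"

    return "inbox"


# --- Constructed sample messages (not real traffic) ------------------------
# 1. Form handler notifies staff; scanner address is only in the body.
NOTIFICATION_TO_STAFF = b"""From: Website <noreply@your-company.example>
To: support@your-company.example
Subject: New contact form submission
Content-Type: text/plain; charset="utf-8"

Name: test
Email: Firstname.Lastname@example.org
Message: test message
"""

# 2. Form handler relays the submission using the submitted address as From,
#    hidden behind a display name.
FROM_SCANNER = b"""From: Web Form <firstname.lastname@example.org>
To: sales@your-company.example
Subject: Enquiry
Content-Type: text/plain; charset="utf-8"

Hello
"""

# 3. A genuine customer enquiry that must stay in the inbox.
GENUINE = b"""From: Jane Customer <jane@customer.example>
To: sales@your-company.example
Subject: Pricing question
Content-Type: text/plain; charset="utf-8"

Do you have pricing for 50 seats?
"""

if __name__ == "__main__":
    for label, sample in (("staff notification", NOTIFICATION_TO_STAFF),
                          ("relayed submission", FROM_SCANNER),
                          ("genuine enquiry", GENUINE)):
        print(f"{label}: {route_message(sample)}")
```

The same three checks translate directly into a mail server or client filter rule (header address match plus body contains); the point of matching on the addr-spec rather than the raw header string is that a rule keyed on "From contains firstname.lastname@example.org" will miss nothing, whereas one keyed on an exact From header value will miss the display-name form.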
Alternative steps that you could take include:
- Identifying which pages/forms on your site submit emails and ensuring that these are protected by reCAPTCHA or similar measures that prevent submissions by bots. This prevents both AppCheck and actual malicious users from bombarding you with almost unlimited numbers of emails;
- Identifying which pages/forms on your site submit emails and adding the submit URL to the blacklist in the scan configuration;
- Disabling either just contact form submission or all form scanning using the options in your scan configuration settings. However, this is a less favoured approach since it prevents AppCheck from finding and reporting vulnerabilities in those forms.
The two levels at which you can disable scanning of forms in your scan settings can be found under Web Application Scanner Settings and are:
It's strongly recommended to leave this option ticked (enabled) so that forms on web applications are scanned: they are likely to be the most vulnerable areas, as they accept direct user input that could be tainted. Disabling this option is usually a "sledgehammer to crack a walnut" solution, since it prevents AppCheck from scanning any forms and hence from finding many potential vulnerabilities.
Avoid Contact Forms
This option is for users who wish to scan forms in production but are worried about the effect it could have on their contact forms, and who are unable to drop contact form submissions that match a given pattern.
More guidance on other factors to consider when scanning your web applications in order to ensure a safe scan completion without impact to your services can be found at https://appcheck.zendesk.com/hc/en-us/articles/360023190733-Things-to-consider-when-scanning-web-applications