What is "whitelisting"?
The web is built upon a "request-response" model of traffic over HTTP. Modern network devices used to screen web servers - such as packet-filtering firewalls, web application firewalls (WAFs), application delivery controllers, Intrusion Prevention Systems (IPS) and Unified Threat Management (UTM) systems - are often configured to block web requests from a client, temporarily or persistently, when its requests match certain criteria, such as exceeding a request-rate threshold or containing known or suspected attack payloads.
Whitelisting is a term that describes configuration options that allow the override of such automated request blocking for trusted sources.
Why is whitelisting needed?
The AppCheck NG system scans for thousands of vulnerabilities in your web applications and network infrastructure. Because security scanners such as AppCheck submit both a high volume of requests and requests containing known attack patterns, many of the device types outlined above will categorise a large proportion of the security checks (requests) submitted by AppCheck's scanners as malicious traffic and block them. If the IPS then blocks further connections from the scanning IP address, the scan can no longer identify vulnerabilities that an attacker who is not blocked could still exploit.
Whitelisting can be used to proactively permit all requests from AppCheck to the protected environment or endpoint, without being blocked or refused. You can find more information on the concept of whitelisting for security scanners at https://appcheck.zendesk.com/hc/en-us/articles/360001069893-Whitelisting-AppCheck-on-your-Firewalls-and-IPS
What is an HTTP User Agent?
An HTTP user agent is a string sent by a browser or other client in the User-Agent request header, as part of the metadata accompanying the HTTP request to a server. Its original purpose is to let the server tailor the response (a form of content negotiation) to the known capabilities and limitations of the client software, such as the browser family and version or the operating system it runs on.
How can a user agent be used to identify the source of traffic?
Over time, clients have also extended the user agent to include characteristic identification strings naming the party operating the client (in this case AppCheck), such as the operator's name, a reference URL or a contact email address.
What user agent does AppCheck use?
The AppCheck scanner does not use a single consistent user agent for all HTTP requests. There are several reasons for this: different modules within AppCheck use different user agents, and some checks deliberately "fuzz" the User-Agent header itself, because server-side handling of that header (for example logging, parsing or storing it) can be vulnerable to injection or overflow, so the value is varied as part of testing for that specific vulnerability class.
How can I whitelist traffic from AppCheck based on user agent?
We don't encourage whitelisting by user agent because:
- As outlined above, the scanner by necessity will not use a single consistent user agent in all circumstances; and
- The HTTP user agent is a client-controlled header: it is transmitted in the clear over plain HTTP and recorded in application and proxy logs, so its value can be discovered by sniffing, interception or log access and then trivially spoofed. An attacker could discover the AppCheck user agent, send it in their own requests and be waved through by the screening network device, leaving the server exposed to attack.
If I cannot whitelist the user agent, how can I whitelist AppCheck traffic?
Because the user agent can be spoofed, AppCheck strongly recommends that scanner traffic is instead whitelisted by source IP address. For deployed internal hubs the source IP address is client-specific; for the majority of scanning (everything performed from our cloud scanners) the list of source IPs to whitelist on your screening network device (e.g. IPS and firewall) is published at https://appcheck.zendesk.com/hc/en-us/articles/115002550565-What-is-your-IP-range-so-I-can-whitelist-the-scanner-
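As an added example, not part of this article and not AppCheck's own code, the following Python script makes the two points above concrete by running a user-agent allowlist rule and a source-IP allowlist rule over constructed web server log lines. It assumes a made-up scanner token ("ExampleScanner") and the reserved documentation ranges 203.0.113.0/24 (scanner) and 198.51.100.0/24 (other hosts) in place of AppCheck's real user agents and published IP list. The sample log shows a request that copies the scanner's user agent from an unrelated address (which a user-agent rule wrongly exempts) and a genuine scanner request whose User-Agent is being fuzzed (which a user-agent rule wrongly blocks); the IP rule handles both correctly.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Assumptions for this added example (not AppCheck's real values): the scanner
# sends from a documentation-only range, and its modules include this token in
# some, but not all, User-Agent strings.
SCANNER_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
SCANNER_UA_TOKEN = "ExampleScanner"

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    # 1: genuine scanner request carrying an attack payload
    '203.0.113.10 - - [01/Jan/2024:10:00:00 +0000] "GET /login?user=%27+OR+1%3D1-- HTTP/1.1" 200 512 "-" "ExampleScanner/1.0 (+https://scanner.example)"',
    # 2: same payload from an unrelated host that copied the scanner's User-Agent
    '198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /login?user=%27+OR+1%3D1-- HTTP/1.1" 200 512 "-" "ExampleScanner/1.0 (+https://scanner.example)"',
    # 3: ordinary visitor
    '198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    # 4: scanner module fuzzing the User-Agent header itself, so the token is absent
    '203.0.113.10 - - [01/Jan/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (\' OR 1=1--)"',
]


@dataclass
class Request:
    ip: ipaddress.IPv4Address | ipaddress.IPv6Address
    user_agent: str
    request: str


def parse_line(line: str) -> Request:
    """Parse one Combined Log Format line into the fields the rules need."""
    m = LOG_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    return Request(ipaddress.ip_address(m["ip"]), m["ua"], m["request"])


def allow_by_user_agent(req: Request) -> bool:
    """Weak rule: exempt any request whose User-Agent carries the scanner token."""
    return SCANNER_UA_TOKEN in req.user_agent


def allow_by_source_ip(req: Request) -> bool:
    """Recommended rule: exempt only requests from the published scanner ranges."""
    return any(req.ip in net for net in SCANNER_RANGES)


def evaluate(lines: list[str]) -> list[dict]:
    """For each log line, record which rule would exempt it from WAF/IPS blocking."""
    rows = []
    for line in lines:
        req = parse_line(line)
        rows.append({
            "ip": str(req.ip),
            "ua": req.user_agent,
            "ua_rule": allow_by_user_agent(req),
            "ip_rule": allow_by_source_ip(req),
        })
    return rows


def ua_rule_bypasses(lines: list[str]) -> list[str]:
    """Source IPs a User-Agent allowlist would exempt although they are not the scanner."""
    return [r["ip"] for r in evaluate(lines) if r["ua_rule"] and not r["ip_rule"]]


def ua_rule_blocks_scanner(lines: list[str]) -> list[str]:
    """User-Agents of genuine scanner requests a User-Agent allowlist would fail to exempt."""
    return [r["ua"] for r in evaluate(lines) if r["ip_rule"] and not r["ua_rule"]]


if __name__ == "__main__":
    for r in evaluate(SAMPLE_LOG):
        print(f"{r['ip']:<14} ua_rule={str(r['ua_rule']):<5} ip_rule={str(r['ip_rule']):<5} {r['ua']}")
    print("spoofed through by UA rule:", ua_rule_bypasses(SAMPLE_LOG))
    print("scanner blocked by UA rule:", ua_rule_blocks_scanner(SAMPLE_LOG))
```

The same comparison applies to a real WAF or IPS policy: a match on the User-Agent header exempts whoever chooses to send that string, while a match on the source address exempts only traffic that actually originates from the published scanner ranges. When you do whitelist by IP, keep the allowlist in sync with the linked IP list, since that is the only value the attacker cannot choose.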