OWASP Automated Threats - OAT-014 Vulnerability Scanning
Introduction:
In this OWASP Automated Threat Article we'll be highlighting OAT-014 Vulnerability Scanning with some basic threat information as well as a recorded demo to dive into the concepts deeper. In our demo we'll show how Vulnerability Scanning can be a threat to your applications and how to quickly offer protection from these automated scanners. We'll wrap it up by highlighting F5 Bot Defense to show how we solve this problem for our customers.
Description:
Systematic enumeration and examination of identifiable, guessable and unknown content locations, paths, file names, parameters, in order to find weaknesses and points where a security vulnerability might exist. Vulnerability Scanning includes both malicious scanning and friendly scanning by an authorised vulnerability scanning engine. It differs from OAT-011 Scraping in that its aim is to identify potential vulnerabilities.
OWASP Automated Threat (OAT) Identity Number
Threat Event Name
Vulnerability Scanning
Summary Defining Characteristics
Crawl and fuzz application to identify weaknesses and possible vulnerabilities.
OAT-015 Attack Demographics:
| Sectors Targeted | Parties Affected | Data Commonly Misused | Other Names and Examples | Possible Symptoms |
| Entertainment | Application Owner | Other Business Data | Active/Passive Scanning |
Highly Elevated Occurrence of Errors |
| Financial | Public Information | Known Vulnerability Scanning |
Extremely high application usage from a single IP address |
|
| Government | Malicious Crawling |
Exotic value for HTTP user agent header |
||
| Retail | Vulnerability Reconnaissance | Disproportionate use of the payment step | ||
| Technology | High ratio of GET/POST to HEAD requests for a user | |||
| Social Networking | Low ratio of static to dynamic content requests for a user/session/IP address compared to typical users | |||
| Education |
Protecting your Applications from Vulnerability Scanning:
In this demo we will be showing how attackers leverage scanning tools to search for vulnerabilities. We'll then have a look at the same attack with F5 Distributed Cloud protecting the application.
In Conclusion:
Vulnerability scanning occurs across the internet constantly to all exposed surfaces from many locations, regions and systems. Some of these have good intentions, some do not. Our goal is to limit exposure and to minimize risk. By blocking bad bots and only allowing good bots you are protecting your applications from threat actors possibly finding a vulnerability and switching to a manual attack phase of your web applications.
OWASP Links
- OWASP Automated Threats to Web Applications Home Page
- OWASP Automated Threats Identification Chart
- OWASP Automated Threats to Web Applications Handbook
F5 Related Content
- F5 Bot Defense Solutions
- The OWASP Automated Threats Project
- OWASP Automated Threats - CAPTCHA Defeat (OAT-009)
- Operationlizing Online Fraud Detection, Prevention, and Response
- JavaScript Supply Chains, Magecart, and F5 XC Client-Side Defense (Demo)
- How Attacks Evolve From Bots to Fraud Part: 1
- How Attacks Evolve From Bots to Fraud Part: 2
- F5 Distributed Cloud Bot Defense