OWASP Automated Threat (OAT – 014) Vulnerability Scanning

Vulnerability Scanning – Crawl and fuzz application to identify weaknesses and possible vulnerabilities.

What is Vulnerability Scanning?

Vulnerability scanning is the systematic enumeration and examination of identifiable, guessable and unknown content locations, paths, file names and parameters in order to find weaknesses and points where a security vulnerability might exist. Vulnerability scanning includes both malicious scanning and friendly scanning by an authorized vulnerability scanning engine.

A vulnerability is any weakness or area open to attack in an application that allows an attacker to cause harm to the application. A vulnerability can be caused by a design flaw or an implementation issue and, if exploited, can cause harm to the application's users, its owners or other systems that rely on the application.

Vulnerability scanning is also known by terms such as active/passive scanning, application-specific vulnerability discovery, identifying vulnerable content management systems and their components, known-vulnerability scanning, malicious crawling and vulnerability reconnaissance.

The Symptoms of Vulnerability Scanning

OWASP, the worldwide not-for-profit charitable organization focused on improving the security of software, notes that there are several possible symptoms of vulnerability scanning. These include:

  1. A highly elevated occurrence of errors (e.g., HTTP status code 404 not found, data validation failures, authorization failures)

  2. Extremely high application usage from a single IP address

  3. Exotic value for the HTTP User-Agent header

  4. A high ratio of GET/POST to HEAD requests for a user/session/IP address compared to typical users

  5. Low ratio of static to dynamic content requests for a user/session/IP address compared to average users

  6. Multiple misuse attempts against application entry points

  7. Parameter/header fuzzing
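As an added illustration (not code from OWASP or from the original article), the Python sketch below scores each client in a constructed access-log sample against symptoms 1, 2, 3 and 5 above; the thresholds, the browser user-agent prefixes and the static-file extensions are assumptions to be tuned per site.

```python
import re
from collections import defaultdict

# Constructed sample in Apache/nginx combined log format (not real traffic):
# 198.51.100.7 behaves like a scanner, 203.0.113.5 like an ordinary visitor.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /admin/ HTTP/1.1" 404 162 "-" "webscan/0.1"
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /backup.zip HTTP/1.1" 404 162 "-" "webscan/0.1"
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /item?id=%27 HTTP/1.1" 500 0 "-" "webscan/0.1"
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 403 0 "-" "webscan/0.1"
203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "GET /static/app.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:05 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".ico", ".woff", ".woff2")  # assumed
BROWSER_UA_PREFIXES = ("mozilla/", "opera/")  # assumed allow-list of ordinary browser UAs
def profile_clients(log_text):
    """Per-IP counters for symptoms 1, 2, 3 and 5 above (the HEAD ratio is left out)."""
    stats = defaultdict(lambda: {"requests": 0, "errors": 0, "static": 0, "uas": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the whole pass
        ip, method, path, status, ua = m.groups()
        s = stats[ip]
        s["requests"] += 1
        s["errors"] += int(status[0] in "45")  # 4xx: not found/validation/authz; 5xx: fuzz-induced
        s["static"] += int(path.split("?")[0].lower().endswith(STATIC_EXT))
        s["uas"].add(ua)
    return stats

def flag_scanners(log_text, max_error_ratio=0.5, max_requests=200):
    """Return {ip: [reasons]} for clients showing at least one symptom (thresholds are assumed)."""
    flagged = {}
    for ip, s in profile_clients(log_text).items():
        reasons = []
        if s["errors"] / s["requests"] > max_error_ratio:
            reasons.append("elevated error ratio")
        if s["requests"] > max_requests:
            reasons.append("very high request volume")
        if not any(ua.lower().startswith(BROWSER_UA_PREFIXES) for ua in s["uas"]):
            reasons.append("exotic user agent")
        if s["static"] == 0 and s["requests"] >= 3:
            reasons.append("no static content requested")
        if reasons:
            flagged[ip] = reasons
    return flagged
```

On the sample, only 198.51.100.7 is flagged (error ratio, user agent, no static content); in production the volume threshold would be applied per time window rather than over a whole file.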

Sectors Targeted by Vulnerability Scanning

The major sectors targeted by the vulnerability scanning threat include the education, entertainment, financial, government, health, retail, technology and social networking industries.

According to the Automated Threat Handbook for Web Applications published by OWASP, these attacks result in the misuse of various types of data. These include authentication credentials, payment cardholder data and other financial data; medical and other personal data; intellectual property and other business data; and public information.

Ways to Prevent Vulnerability Scanning

OWASP suggests several possible countermeasures to address the threat of vulnerability scanning. These include:

  1. Organizations can consider limiting the number of input validation and/or authorization failures per session/user/IP address/device/fingerprint.

  2. Consider randomizing the content and URLs of payment submission pages and payment forms, linking these changes to the individual user's session, verifying the changes at each payment step and restricting any identified automated usage.

  3. Identify and restrict automated usage by reputation methods. In particular, businesses can use geolocation and/or IP address block lists to prevent access to payment parts of the application. They can also use address and card reputation services and add delays in the checkout steps for new and rare customers.

  4. OWASP also recommends that organizations participate in e-commerce threat intelligence exchanges and contribute any relevant attack data to sector-wide sharing systems.

All of the above proactive measures fight back against malicious users without harming legitimate users. Online businesses can also opt for a bot mitigation solution that prevents vulnerability scanning and other OWASP automated threats in real time without affecting legitimate visitors. Bot mitigation is probably the most accurate solution for preventing OWASP Automated Threats and also ensures real-time protection against malicious bots.

By deploying these methods, you build a more robust defense against vulnerability scanning and other similar security threats.