Key technology overview

Black-box application security testing

During black-box security analysis only the client-side code is available. The server side can only be analyzed by interacting with the endpoints it exposes.
Black-box vulnerability testing usually consists of three stages:
Attack surface enumeration: searching for available server-side endpoints (API endpoints);
Sending requests with attack vectors to discovered endpoints;
Analyzing results.

Advanced security-aware crawling

Our advanced crawling technology is specially designed for automatically discovering all available server-side endpoints, thus addressing the first stage.
There are several ways to discover server HTTP endpoints in a black-box setting:
Inferring them from the client side by determining which requests can be sent from it;
Fingerprinting the software running on the server and using previously known endpoints specific to it (for example, known WordPress endpoints);
Fuzzing the server with requests generated from a dictionary and analyzing the responses, a technique known as dirbusting.

JavaScript static analysis for API enumeration

Our advanced crawling technology combines static analysis of the client-side code with more traditional dynamic crawling in a headless browser and security-aware static crawling.
Our static analysis technology infers server endpoints from client-side JS code using nontrivial value and code-path analysis, built specifically for web application security scanning.

Advanced crawling

With our advanced crawling technology we can:
Detect server endpoints in dead, unreachable, or commented-out client code;
Detect server endpoints in client code that is only active in an authenticated client area or admin area;
Use OpenAPI/Swagger API specifications and other sources of information about the endpoints as starting points for analysis and crawling.
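The following is an added illustration, not the product's own code, of the static endpoint inference described above: it resolves URL constants built by string concatenation, finds common call sites (fetch, XMLHttpRequest.open, jQuery ajax url), and records whether each endpoint was found in live code, in a commented-out line, or in an unreachable branch, so that hidden endpoints are not lost. The JavaScript sample is constructed for the example, and the call patterns and the dead-branch heuristic (only `if (false)` blocks) are deliberately simple assumptions; a production analyzer would work on a real AST.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of client-side JS (not from any real application).
SAMPLE_JS = """
const API_BASE = "/api/v1";
const USERS_URL = API_BASE + "/users";
const REPORTS_URL = API_BASE + '/reports';
const xhr = new XMLHttpRequest();

function loadUsers() {
  return fetch(USERS_URL, { method: "GET" });
}

function loadUser(userId) {
  return fetch(API_BASE + "/users/" + userId);   // dynamic, cannot be fully resolved
}

// old export flow, removed from the UI but still served:
// fetch(API_BASE + "/export");

if (false) {
  fetch(API_BASE + "/debug/dump");   // unreachable branch
}

function adminOnly(user) {
  if (!user.isAdmin) return;
  return $.ajax({ url: "/admin/settings", method: "POST" });
}

xhr.open("POST", REPORTS_URL + "/generate");
"""

# Top-level constant declarations: name = expression (up to ';' or end of line).
DECL_RE = re.compile(r'\b(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*([^;\n]+)')
STRING_RE = re.compile(r'^(["\'])(.*)\1$')
# Call sites whose captured argument is the request URL expression (assumed set).
CALL_PATTERNS = [
    ("fetch", re.compile(r'\bfetch\(\s*([^,)]+)')),
    ("xhr.open", re.compile(r'\.open\(\s*["\'][A-Z]+["\']\s*,\s*([^,)]+)')),
    ("ajax-url", re.compile(r'\burl\s*:\s*([^,}]+)')),
]


def resolve_expr(expr: str, env: Dict[str, str]) -> Optional[str]:
    """Evaluate a '+' concatenation of string literals and known constants.
    Returns None when any operand is unknown (a runtime value)."""
    parts = []
    for token in expr.split('+'):
        token = token.strip()
        m = STRING_RE.match(token)
        if m:
            parts.append(m.group(2))
        elif token in env:
            parts.append(env[token])
        else:
            return None
    return ''.join(parts)


def collect_constants(js: str) -> Dict[str, str]:
    """Single forward pass of constant propagation over string declarations."""
    env: Dict[str, str] = {}
    for name, rhs in DECL_RE.findall(js):
        value = resolve_expr(rhs.strip(), env)
        if value is not None:
            env[name] = value
    return env


def extract_endpoints(js: str) -> List[Tuple[str, str, str]]:
    """Return (endpoint_or_expression, call_kind, origin) in source order.
    origin is 'live', 'commented', 'dead' (inside an if (false) block) or
    'unresolved' (URL depends on a runtime value)."""
    env = collect_constants(js)
    found: List[Tuple[str, str, str]] = []
    dead_depth = 0  # brace depth inside an if (false) { ... } block
    for line in js.splitlines():
        stripped = line.strip()
        commented = stripped.startswith(('//', '/*', '*'))
        origin = 'commented' if commented else ('dead' if dead_depth > 0 else 'live')
        for kind, pattern in CALL_PATTERNS:
            for m in pattern.finditer(line):
                expr = m.group(1).strip()
                url = resolve_expr(expr, env)
                if url is None:
                    found.append((expr, kind, 'unresolved'))
                else:
                    found.append((url, kind, origin))
        if not commented:
            if re.search(r'\bif\s*\(\s*false\s*\)', line):
                dead_depth += max(1, line.count('{') - line.count('}'))
            elif dead_depth > 0:
                dead_depth += line.count('{') - line.count('}')
    return found


def attack_surface(js: str) -> List[str]:
    """Unique, fully resolved endpoints regardless of reachability."""
    return sorted({url for url, _, origin in extract_endpoints(js) if origin != 'unresolved'})


if __name__ == "__main__":
    for endpoint, kind, origin in extract_endpoints(SAMPLE_JS):
        print(f"{origin:10} {kind:9} {endpoint}")
```

Endpoints tagged `commented` or `dead` are exactly the hidden endpoints a purely dynamic crawl never triggers, yet they still belong on the scanner's request list; `unresolved` entries show where value analysis stops and the scanner must fall back to other sources (a specification, fingerprinting, or a dictionary).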
This gives us the best attack surface enumeration available on the market.

Pitfalls of traditional dynamic crawling

The most important quality metric of searching for endpoints is completeness.
Dirbusting and fingerprinting can’t, in general, determine all endpoints, especially for non-standard, custom-written software.
Being able to infer server endpoints from the client side is therefore of vital importance for a black-box scanner to achieve adequate endpoint coverage.

Dynamic crawling

Dynamic crawling is automated interaction with web page interface elements using a headless browser: it simulates user actions and observes the requests sent to the server.
Although dynamic crawling often works well, there are cases where it fails to discover some endpoints. Sometimes the user interface is too complex to be crawled completely, and performing every possible user action would take too much time. In such cases the crawler stops before finishing and probably misses some endpoints.
Furthermore, JS code that accesses an endpoint is sometimes impossible to trigger from the user interface at all; from the UI's point of view it is dead code. Such code is still of interest to the scanner, because the endpoint it references may be a working part of the server. We call such endpoints hidden endpoints.

Start boosting your App Security testing today with us