Web App Scanning
F5® Distributed Cloud Web App Scanning is an offering that lets you discover exposed assets and run automated penetration tests of your web applications and APIs. In this article, we will cover the core concepts related to the Scan and Recon services in Distributed Cloud Web App Scanning. This article is divided into three sections.
- Scan Concepts
- Recon Concepts
- General Concepts
Scan Concepts
The Scan service in Distributed Cloud Web App Scanning is F5's Dynamic Application Security Testing solution for web applications and APIs.
Penetration Test
A penetration test is a simulated cyber attack against your computer system to check for exploitable vulnerabilities. In the context of Distributed Cloud Web App Scanning, this is done against your web applications and APIs. A penetration test can be set up in minutes and requires only the URL of your web app/API along with the credentials of one or more test users that Distributed Cloud Web App Scanning can use to log into your target application automatically.
The Scan service is capable of testing applications with multiple test users, allowing for the identification of vulnerabilities related to Broken Access Control. Distributed Cloud Web App Scanning supports Two-Factor Authentication and generates One-Time Passwords automatically for authentication systems that implement the RFC 6238 standard.
A test user is a user created in your web app/API for the purpose of scanning/testing your application. We recommend creating dedicated test users that will only be used by Distributed Cloud Web App Scanning.
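The RFC 6238 one-time passwords mentioned above are what the scanner must produce for a test user whose account is protected by TOTP. The following is an added example (not F5's code) of the standard HOTP/TOTP computation; the base32 secret and timestamps in the comments are constructed sample values, and the `verify` helper shows the skew window a target's verifier typically accepts.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(key, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamic
    truncation of 4 bytes at the offset given by the last nibble, then
    reduce modulo 10^digits and left-pad with zeros."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key, at=None, step=30, t0=0, digits=6, algo=hashlib.sha1):
    """RFC 6238 TOTP: HOTP with counter = floor((unix_time - T0) / step)."""
    now = int(time.time()) if at is None else at
    return hotp(key, (now - t0) // step, digits, algo)


def totp_from_base32(secret_b32, **kwargs):
    """Enrolment secrets are usually base32 (often unpadded, sometimes with
    spaces); normalise before decoding. The example secret below is the
    RFC 6238 test key, not a real credential."""
    cleaned = secret_b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return totp(base64.b32decode(cleaned), **kwargs)


def verify(key, code, at=None, window=1, **kwargs):
    """Server-side check that tolerates +/- `window` time steps of clock
    skew and compares in constant time. A scanner that submits a code
    generated for the current step stays inside this window."""
    now = int(time.time()) if at is None else at
    step = kwargs.get("step", 30)
    return any(hmac.compare_digest(totp(key, now + k * step, **kwargs), code)
               for k in range(-window, window + 1))


if __name__ == "__main__":
    # Constructed sample: RFC 6238 test key as base32 at unix time 59.
    print(totp_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", at=59, digits=8))
```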
Tests Conducted by Scan
The Scan service conducts a wide range of tests to identify vulnerabilities in your web applications and APIs. These tests are based on the OWASP Top 10, a standard awareness document for developers and web application security. The Scan service also includes proprietary tests and community-curated tests. Here are some of the tests conducted by Scan:
- Broken Access Control: Tests for issues related to the violation of the principle of least privilege, bypassing access control checks, accessing/editing other users' data, and more.
- Business Logic Attacks: Leverages multiple test users and AI to learn the functionality of the app and actively attempts to break it to find vulnerabilities associated with the logic and rules defined in the app.
- SQL Injection (incl. Blind SQL Injection): Intelligent testing for a wide variety of SQL injection issues.
- Cross-Site Request Forgery (CSRF): This is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.
- Cross-Site Scripting (XSS) (Stored, Reflected, DOM-based): Comprehensive tests for HTML rendering/execution of JavaScript.
- Insecure Direct Object References (IDOR): This is when an application exposes a reference to an internal implementation object, such as a file, directory, or database key.
- Security Misconfiguration: This is a general term for when applications and systems are not properly configured for security.
- Vulnerable and Outdated Components: This is when applications and systems use components with known vulnerabilities.
- Identification and Authentication Failures: This is when applications and systems fail to properly identify and authenticate users.
- Software and Data Integrity Failures: This is when applications and systems fail to protect the integrity of software and data.
- Security Logging and Monitoring Failures: This is when applications and systems fail to properly log and monitor security events.
- Server-Side Request Forgery (SSRF): This is an attack that allows an attacker to send crafted requests from the vulnerable server to other internal systems.
In addition to these tests, the Scan service also incorporates Nuclei, a fast, template-based vulnerability scanner for web applications. Nuclei uses YAML-based templates that specify requests to be made to the target application and the patterns to look for in the responses. These templates can check for various security issues, such as subdomain takeovers, CVEs, misconfigurations, and more.
API Endpoints
The Scan service can discover API endpoints, which are touchpoints of the communication between an API and a server. The service provides full visibility into APIs with request and response payloads, automatic identification of request parameters, categorization of authentication schemes, and a detailed report of any vulnerabilities identified in APIs. This helps you understand how your APIs are being used and identify any potential security risks.
Evidence
The Scan service documents every step of the penetration test with videos, screenshots, and test cases. This allows you to examine all pages and page elements that have been crawled and tested. This documentation can be used to verify the results of the penetration test and to identify any false positives. The service also generates PDF reports that summarize the results of penetration tests. These reports can be tailored to your recipients, such as auditors or customers who require documentation.
Remediation Advice
The Scan service provides remediation advice to help you fix the vulnerabilities that are found. This advice is based on the best practices of the security industry. This can help you prioritize your remediation efforts and ensure that your web applications and APIs are secure.
Recon Concepts
The Recon service in Distributed Cloud Web App Scanning is F5's External Attack Surface Management solution, which is capable of discovering exposed assets (e.g., web servers) across your corporate domains. The Recon service only requires an apex domain (e.g., f5.com) to get started. The service will automatically scan the Internet to uncover the services exposed by your organization (including information on the server software packages they run, information on the owners of the IPs they run on, known vulnerabilities/CVEs, and more).
Domains
The Recon service can discover exposed web apps and API services across all of your corporate domains. It does this by searching the entire internet using more than 50 different sources. This helps you identify any web applications or APIs that may be exposed to the public internet without your knowledge.
Services
The Recon service uses intelligent server fingerprinting to map the services used by your exposed applications. This generates an overview of all the vendors used in your infrastructure. This can help you identify any third-party services that may be introducing security risks into your environment.
Software
The Recon service creates an interactive map of all exposed application servers, including information on operating systems, running server software, and apps. This allows you to easily lock down exposed servers. This can help you identify any outdated or vulnerable software that may be running on your servers.
Netblocks
The Recon service looks up the netblock owner of each IP address used in your infrastructure to show which service providers are used to serve your apps. This ensures your services comply with your corporate hosting/vendor policy. This can help you identify any unauthorized service providers that may be hosting your web applications or APIs.
General Concepts
APIs
The APIs exposed by Distributed Cloud Web App Scanning allow users to manage web applications in Scan, start penetration tests, retrieve scan results, and more. Here's a summary of the APIs and their associated operations:
Scan
- GET /api/applications: Retrieves all applications associated with a customer.
- POST /api/applications: Creates a new application for a customer.
- DELETE /api/applications/{id}: Deletes an existing application.
- GET /api/applications/profiles: Retrieves all test profiles associated with a customer.
- GET /api/findings/all: Retrieves all vulnerabilities found by the Scan service, optionally filtered by application.
- GET /api/findings/endpoints: Retrieves all API endpoints found by the Scan service, optionally filtered by application.
- GET /api/findings: Retrieves vulnerabilities, with filtering options for application, acceptance status, and CVSS score.
- POST /api/scanjobs: Initiates a new Scan job with parameters for profile ID and application ID.
Recon
- GET /api/recon/services: Exports services of all Recon jobs for a customer (in JSON or CSV format).
- GET /api/recon/{id}/services: Exports services of a specific Recon job.
- GET /api/recon/findings: Exports findings of all Recon jobs for a customer.
- GET /api/recon/{id}/findings: Exports findings of a specific Recon job.
- GET /api/recon/{id}/services/key: Exports the services of a specific Recon job using an API key for authentication.
- GET /api/recon/{id}/findings/key: Exports the findings of a specific Recon job using an API key for authentication.
For additional technical details, please visit the API Documentation for Distributed Cloud Web App Scanning.
Integrations
The Scan service integrates with your software development life cycle (SDLC). It offers integrations with GitHub, Jira, Azure DevOps, and many more through Zapier. This allows you to trigger penetration tests from your CI/CD pipeline. This can help you automate your security testing and ensure that your web applications and APIs are tested for vulnerabilities before they are deployed to production.
Schedules
Both the Scan and Recon services can be scheduled to run on a regular basis. This ensures that your web applications and APIs are continuously monitored for vulnerabilities. This can help you identify and fix vulnerabilities before they can be exploited by attackers.
Supported schedules include:
- Daily
- Weekly (on one or more selected weekdays)
- Monthly (on a specific day of every month, e.g., every 5th day of the month)
- Scheduled one-time scans (on a specific date and time in the future)
For all types of schedules, you can select the time of day you would like the Scan or Recon job to start.
Team Members
You can invite team members to collaborate on your apps in Scan and domains in Recon. This allows you to share findings and remediation advice with your team. This can help you improve your overall security posture by ensuring that everyone on your team is aware of the latest security threats and vulnerabilities.
Note that a team member can only be in one team with their email address. To invite the same person to multiple accounts in F5® Distributed Cloud Web App Scanning, use Plus Addressing, which is supported by both Exchange Online by Microsoft and Google Workspace.
Notifications
Both the Scan and Recon services can send you notifications when new vulnerabilities are found. This allows you to take immediate action to fix the vulnerabilities. This can help you prevent attacks and protect your web applications and APIs from being compromised. You can configure which notifications you are interested in receiving under your profile settings in Distributed Cloud Web App Scanning.
Possible notifications include:
- Receive email when a new vulnerability has been found
- Optionally, ignore vulnerabilities that do not meet your desired CVSS 3.0 score threshold (e.g., 4.0)
- Receive email when a web app has been verified
- Receive email when a new penetration test has started
- Receive email when a penetration test has completed
- Receive email when a new Recon job has started
- Receive email when a Recon job has completed