All users have the option to add Authenticated web-app scanning to their subscription, permitting scanning behind the login page to identify weaknesses on the authenticated pages of your web-app(s).
It's worth noting that all plans, by default, include licenses that scan internet-facing targets from an unauthenticated perspective. This is useful for finding security misconfigurations or known vulnerabilities that an attacker could exploit from the internet, either manually or via an automated tool such as 'Autopwn'. (For reference, the WannaCry ransomware spread by indiscriminately exploiting vulnerable systems all over the internet.)
What are the benefits of authenticated web-app scanning?
Some of the most critical functionality in an application exists behind the login page: the ability to add data to your account, edit data, delete data, upload files and interact with other users. As a result, a large percentage of an application's attack surface can exist on the authenticated pages, and if you're not scanning them, you're unaware of the risk they pose.
Without Authenticated Web Application Scanning (AWAS) you're only seeing a subset of your total weaknesses, which could leave you, your application and the end-user exposed if those weaknesses are exploited.
Below you'll find further benefits of scanning authenticated layers of your web-app:
The functionality available to authenticated users is often far more sensitive, and scanning it plays a crucial role in ensuring that your web application is as secure and robust as possible.
Developers can verify that updates won't introduce new security weaknesses when released.
You can prove to auditors, third parties and customers that you take security seriously.
By reducing the likelihood of a compromise, you reduce the associated costs, including:
Downtime of your application (either from a denial of service/ransomware impact or from the incident response process)
Loss of business from customers/users that are spooked
Impact to reputation
Financial and time cost of going through an incident response process
Financial impact from regulators/the Information Commissioner's Office
Cyber insurance premiums
What does Authenticated web-app scanning cover exactly?
When using an Authentication license, your system will be checked for all the major web application vulnerability classes, including:
OS command injection
Cross-site scripting (XSS): persistent/stored, reflected and DOM-based XSS
SQL injection: against multiple types of databases
NoSQL injection: specifically against MongoDB
Server-side code injection
Java serialisation weaknesses
Buffer and integer overflows
What type of attacks can AWAS prevent?
Attacks by malicious authenticated users, especially if your app allows anyone on the internet to sign up and log in to your application.
Initial access for large compromises. An example might be an attacker successfully identifying an OS command injection vulnerability and using it as a beachhead to launch further attacks.
Information disclosure/ransomware. This describes an attacker who can successfully extract critical business information from a backend database so they can ransom the data, post it on forums and have others bid for it.
Proxy attacks, where an attacker finds a vulnerability that, when exploited, impacts other users or anyone who follows a link to the application, such as cross-site scripting (XSS) or cross-site request forgery (CSRF). The attacker can then exploit third parties using the trust associated with the compromised web application/domain.
How often should I use AWAS?
This will depend on your organisation, your risk tolerance, the type of applications that you have configured, and the rate at which those applications are changing.
If you're actively releasing updates for an application, then you should be scanning every time there is a change to the logic/workflow within that application.
If the application doesn't change frequently, then scanning it once or twice a month should be enough to ensure that the results haven't gone stale and there hasn't been any drift.
Ultimately, the license allows you to scan the application whenever you like; the only effect is that the 30-day license consumption is reset, which is a very small price to pay for peace of mind.