Vulnerability scanning can be like a black box at the best of times. You put your targets in, run a scan, and your results come out. But what happens in between? What are we actually testing your systems for?

With so many vulnerabilities out there, it's impossible to list them all, but this article should give you an understanding of the different types of weaknesses we can detect, and how we do it.

Common mistakes & configuration weaknesses

You'd be surprised at how easy it is to take a piece of ‘secure’ software or hardware (like a web-server, or an office router), and inadvertently configure it in such a way that it becomes vulnerable to attack.

Some of the most damaging breaches over the last few years have come about because of simple mistakes such as leaving code repositories or databases full of customer info exposed to the internet.

It may sound like a tall order but hardening your systems against the perils of the internet needn’t be a major cause for concern – especially if you’re using a scanner like Intruder. We have thousands of checks for these kinds of mistakes and specifically tailor the results to focus on high-risk issues affecting internet-facing systems – giving you visibility of the issues that need to be fixed asap and reducing the likelihood that an attacker will find them first.

Missing patches

Patch management is a fundamental part of keeping your digital estate secure and applies to all companies, no matter the size. The infamous Equifax breach was a result of not applying patches quickly enough.

Intruder’s scanning engines can detect thousands of frameworks, hardware devices and software component versions, using methods such as ‘banner grabbing’ (where software reports its own version) or ‘fingerprinting’ (which looks for certain behaviours).

Our Pro subscription takes this one step further with agent-based scanning, which is even better at determining which versions of software are being run on internal devices.

Application bugs

Application bugs have been known about for decades, but still account for a large proportion of breaches. One type of application weakness (known as SQL Injection) was the cause of the famous Talk Talk breach.

The types of application weakness that Intruder checks for include, but aren’t limited to: SQL Injection, Cross-Site Scripting and XML Injection. Attackers can use these weaknesses to gain access to your systems and information and then modify them to cause maximum damage.

For those with Authentication licenses, we also check for vulnerabilities behind the login page (the authenticated layers of a web-app) – covering the majority of the CWE Top 25 and all but one of the OWASP Top 10 vulnerabilities. For a full list of the checks that we run as part of Authenticated web application scanning, please head to this article.

Attack surface reduction

Less obvious than the other categories, but still important, is attack surface reduction. In short, this exercise is about finding unnecessary services that your systems expose to the internet and removing them in an effort to curb what a hacker could potentially exploit.

A perfect example of this would be the WannaCry ransomware, which became infamous for its exploitation of a seemingly innocuous piece of software. A Microsoft Windows service designed for file sharing and printers on local networks was accidentally exposed to the internet, resulting in a virulent spread across the internet and untold damage.

Encryption weaknesses

The internet relies on encryption for almost everything to do with security; without it there would be no online banking, for example. But encryption isn't flawless, and weaknesses are frequently discovered in algorithms previously thought secure.

It’s for that reason that Intruder checks for all the latest known encryption weaknesses, including SSL/TLS and VPN encryption weaknesses.

Do all checks get executed all the time?

All checks are enabled, but this does not mean that all checks will be executed against every service that your systems have listening on the internet. Instead, vulnerability scanners will 'fingerprint' the service running on each port and execute checks for that service only (there’s little value in executing a check for a type of service other than the one that’s listening on your system).
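To make the banner grabbing described under 'Missing patches' and the per-service check selection described above concrete, here is a small added example; it is not Intruder's code or that of any scanning engine. The check ids, the version thresholds and the sample banners are all constructed for illustration.

```python
import re

# Banner grabbing: patterns for the version a service reports about itself.
BANNER_PATTERNS = [
    ("openssh", re.compile(r"^SSH-2\.0-OpenSSH_(\d+(?:\.\d+)*)")),
    ("nginx", re.compile(r"^Server:\s*nginx(?:/(\d+(?:\.\d+)*))?", re.I | re.M)),
]

# Hypothetical catalogue: (check id, service, fixed-in version or None for a
# configuration check). Ids and thresholds are constructed, not real advisories.
CHECKS = [
    ("EXAMPLE-SSH-PATCH", "openssh", (9, 0)),
    ("EXAMPLE-SSH-WEAK-CONFIG", "openssh", None),
    ("EXAMPLE-NGINX-PATCH", "nginx", (1, 24)),
]

def fingerprint(banner):
    """Return (service, version tuple or None), or None if unrecognised."""
    for name, pattern in BANNER_PATTERNS:
        match = pattern.search(banner)
        if match:
            raw = match.group(1)
            return name, tuple(map(int, raw.split("."))) if raw else None
    return None

def select_checks(banner):
    """Plan only the checks that apply to the fingerprinted service."""
    found = fingerprint(banner)
    if found is None:
        return []  # unknown service: nothing in the catalogue applies
    service, version = found
    plan = []
    for check_id, target, fixed_in in CHECKS:
        if target != service:
            continue  # check belongs to a different kind of service
        if fixed_in is None:
            plan.append((check_id, "run"))  # version-independent check
        elif version is None:
            plan.append((check_id, "probe"))  # version hidden: test behaviour
        elif version < fixed_in:
            plan.append((check_id, "outdated"))
    return plan

# Constructed sample banners, not captured from real hosts.
SAMPLES = ["SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1",
           "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n",
           "+OK Dovecot ready."]
PLANS = {banner: select_checks(banner) for banner in SAMPLES}
```

A banner only states what the software reports about itself, so a distribution that backports fixes without changing the version string can look outdated when it is not.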

See and search all checks

From your dashboard you can see the number of checks performed on your targets (highlighted in pink).

This number will vary depending on the plan you are on:

  • Essential customers will see around 17,000 checks (external checks only)

  • Pro/Vanguard customers will see around 140,000 (internal and external checks)

  • For anyone with authenticated licences (required to scan the authenticated layers of your web application) the number will increase by 44.

If you click the checks button, you will be taken to the Checks Page:

Here you can see all of the checks that your targets will be evaluated against.

On the left hand side you'll see an icon which denotes the scanning engine from which the check originates (OpenVAS for Essential users, Tenable for Pro/Vanguard users and OWASP ZAP for Authenticated Scanning checks).

At the top, you can use the drop-down menus to filter by CVSS Rating and Check Type, as well as search by CVE or Check Name.

If you click on any of those checks, you'll be taken through to the 'Checks Detail Page':

This shows useful information about the check including the date of publication; associated CVEs; the check type and the CVSS rating.

Underneath the check information will be a list of your targets that have been scanned for this vulnerability. This will also include the date that this target was last scanned (shown in orange).

The target's status for each check (Failed or Passed) will be accurate as of the last scan that was run on it, and the buttons at the top of the list of targets can be used to filter the results by status (Failed/Passed).

It is also worth noting that if this check only applies to one type of target (e.g. Internal/External) then those targets that it is not applicable to will be shown at the bottom of the list with the following note in the Last Scan column.
