The typical DAST scanner tends to find only the known security vulnerabilities that are easiest to locate. If you need to find vulnerabilities that are harder to detect, you need the help of security experts. But what if the DAST product could behave more like an automated hacker?
The Security Research team at Detectify set out to solve this problem and fundamentally upgrade the way we do fuzzing in our vulnerability scanner, Deep Scan. The team's focus was to enhance the fuzzing components so that they discover vulnerabilities not easily found by conventional automated scanners, taking inspiration from how a penetration tester or experienced ethical hacker conducts their testing.
Ok, but what is fuzzing?
Fuzz testing, or fuzzing, is a security testing technique that feeds a software system manipulated input data containing special or even random values (the "fuzz") in order to discover coding errors and security loopholes.
“As web applications get more advanced with time, DAST scanners need to get more advanced too. Deep Scan can test more website technology types with the new fuzzing engine, typically associated with modern Single Page Applications. It can deliver more customer findings and allow finding interesting critical vulnerabilities,” says Tommy Asplund, Product Owner at Detectify.
The team looked for security flaws beyond the generic test cases and used a more exploratory approach to make the new fuzzing engine work better and smarter.
“We implemented the new way of fuzzing because we aimed to go beyond what was possible with a DAST scanner to find high severity vulnerabilities that other scanners can’t find,” adds Tommy Asplund.
Some facts behind the new fuzzer
- The new fuzzing engine reaches into new places, expanding our test range, and finds new vulnerability classes.
- The new fuzzing engine co-powers Detectify Deep Scan, supplementing existing tests.
- Instead of static testing that checks for expected responses, Deep Scan performs enhanced black-box testing, and we expect more creative results.
- Deep Scan tests for known vulnerabilities beyond the OWASP Top 10.
Early results influenced by the new fuzzer
Our early data shows that since the launch of the new fuzzer, around 8% of our customers have received additional medium- or high-severity vulnerability findings. 15% of all new high-severity security vulnerability findings were generated by the improved fuzzing engine. As the number of additional high-severity vulnerabilities increases daily, we're confident that the new fuzzing engine has a real impact on delivering even more value to our customers.
“Having early evidence that the new fuzzer is generating more high severity findings for our customers is a happy moment for our teams because we see the real impact we created. When customers fix significant vulnerabilities, their application becomes more secure, meaning we played a part in making the internet more secure, and that’s our mission at Detectify,” says Tommy Asplund.
In summary: what’s in it for you?
Detectify users will start to see new vulnerabilities that an automated application security scanner could not detect before. You may even find vulnerabilities that you thought were fixed. This lets you focus on the things that matter and saves the time and resources otherwise spent fixing critical vulnerabilities in your web applications.