Spear and shield: inspiration from blind scanning for active security protection
In a recent collaboration with a security scanner vendor I came across the concept of a "blind" scan. At the time I was curious: is this a new kind of attack?
The vendor's engineer explained that their scanner sends specially crafted requests so that a vulnerable server A executes the commands configured in the request and connects back to a server B that was set up in advance. Server B's connection records then show whether server A has a particular vulnerability, such as illegal command execution or stored XSS. Naturally, this detection method is powerless against vulnerabilities that do not involve command execution.
The word "blind" is not limited to this scenario. If you search for "security blind" online, most of the results are about "XSS blind attacks", a concept that is not quite the same as the one I just described. The usual online explanation is: prepare some JS code and paste it into every input box you can find! In other words, you try every place that accepts input (injection), and whether the attack succeeds is a matter of luck; if some unlucky website has an input box whose content is not filtered, the attack lands. This is the "passive XSS blind attack". Seen this way, blind scanning and blind attacking work the same way, except that the connect-back triggered by a scan request causes no damage.
In contrast to the passive blind attack above, an "active XSS blind attack" is one where the attacker knows that the website stores the submitted data but does not know the back-end page on which it is displayed, and deliberately submits XSS code with real attack functionality; this kind of blind attack is more threatening. Some scanners can be configured to generate common malicious payloads of this kind in order to discover vulnerabilities.
So although a scan can be regarded as an attack, a different purpose determines a different result. If I were designing a scanner, its scan requests would be aggressive yet harmless. Whether real scanners are designed this way is unknown. If the scanner is the spear, then, to avoid potential damage to the business logic from the scanner, the active self-protection product RASP can serve as the shield: it guards the application and monitors every move the scanner makes, ready to meet the scanner's challenge!
Why can RASP do this?
First, RASP can monitor illegal command execution and XSS injection (and is of course not limited to these two types). Second, once it detects these two kinds of attack, RASP shows the detailed information in its management view so that operations staff can identify them and take appropriate measures. RASP can be configured to block such malicious requests first, after which the developers can fix the vulnerability at their leisure.
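As an added illustration (not code from the original post or from any RASP product), the following hypothetical Python hook shows the two behaviours just described: it wraps `subprocess.run`, records the detail an operator would want when a command-execution probe reaches the application, and in block mode refuses the command while monitor mode only logs it. The suspicious-pattern rule, the request context and the callback host are constructed assumptions.

```python
import re
import subprocess

# Constructed rule: an app that only runs fixed binaries should never hand shell
# chaining characters or typical call-home tools to the OS.
SUSPICIOUS = re.compile(r"[;&|`$<>]|\b(curl|wget|nc|bash\s+-i)\b")


class RaspHook:
    """Hooks subprocess.run: monitor mode records, block mode also refuses."""
    def __init__(self, mode="monitor"):
        assert mode in ("monitor", "block")
        self.mode = mode
        self.events = []                  # what a management view would display
        self._orig_run = subprocess.run   # real function kept for pass-through

    def inspect(self, args):  # first suspicious fragment of the command, or None
        cmd = args if isinstance(args, str) else " ".join(map(str, args))
        m = SUSPICIOUS.search(cmd)
        return m.group(0) if m else None

    def guarded_run(self, args, *a, request=None, **kw):
        hit = self.inspect(args)
        if hit:  # record the detail an operator needs: command, match, request
            action = "blocked" if self.mode == "block" else "logged"
            self.events.append({"command": args, "matched": hit,
                                "request": request, "action": action})
            if self.mode == "block":
                raise PermissionError(f"RASP blocked command containing {hit!r}")
        return self._orig_run(args, *a, **kw)

    def install(self):
        subprocess.run = self.guarded_run
        return self

    def uninstall(self):
        subprocess.run = self._orig_run


def run_demo(mode):
    """Constructed scenario: one benign and one injected call under `mode`."""
    hook = RaspHook(mode).install()
    try:
        benign = subprocess.run(["echo", "healthcheck"], capture_output=True)
        try:  # injected text sits in one argv element, so it is inert here
            subprocess.run(["echo", "host; curl http://callback.invalid/"],
                           capture_output=True, request={"src": "203.0.113.5"})
            blocked = False
        except PermissionError:
            blocked = True
    finally:
        hook.uninstall()
    return {"benign_rc": benign.returncode, "blocked": blocked,
            "events": [e["action"] for e in hook.events]}
```

A real RASP hooks lower in the runtime (process spawning, output encoding) and forwards each event to its console; the regex here only stands in for that rule set.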