How Netsparker Hawk Finds SSRF and Out-of-Band Vulnerabilities

Category: Product Docs & FAQS - Last Updated: Thu, 09 Feb 2017 - by Sven Morgenroth

Netsparker Hawk is the new vulnerability testing infrastructure developed by Netsparker. It is used by the Netsparker web application security scanner to detect Server Side Request Forgery (SSRF) and all other kinds of blind, async and second order web application vulnerabilities that require data to be sent over out-of-band channels for them to be detected.

Why Netsparker Hawk?

Most common types of SQL Injection, Cross-site Scripting and similar vulnerabilities can be detected fairly easily. The scanner sends a request to the target web application, and once it receives a response it analyses it to determine if the target is vulnerable or not.

For example a typical SQL Injection vulnerability can be identified from an error message or content changes in the response, or the time the page takes to load. However not all vulnerabilities are this straightforward to detect.

For example if the request sent to the web application is queued and processed by another block of asynchronous code, even if the code that's processing the input is vulnerable to SQL Injection there won’t be any error messages, content differences or time load differences in the response.

To detect vulnerabilities like this the scanner forces the code to communicate back via a different communication channel, hence why the name out-of-band. Netsparker Hawk is the intermediary server, the different communication channel that will receive these signals, and with which the scanner will communicate with to confirm these type of vulnerabilities.

What Vulnerabilities Does Netsparker Hawk Detect?

The above does not apply only to SQL Injection, but to various vulnerabilities that do benefit from out-of-band detection, or can be only detected with this way.  The Netsparker Hawk infrastructure allows the Netsparker web application security scanner to find vulnerabilities such as the ones listed below:

  • Out-of-Band SQL Injection
  • Out-of-Band Remote File Inclusion
  • Out-of-Band Code Injection
  • Out-of-Band Code Evaluation
  • XML External Entity (XXE) Injection
  • Server-side Request Forgery (SSRF)
  • Blind Cross-site Scripting

How Does Netsparker Hawk Work?

Netsparker uses a custom hash in an attack payload to test for SSRF

  1. During the web security scan the Netsparker web vulnerability scanner generates a custom hash and uses it in the attack payload. For example it sends the following request to the target web application:
  1. If the target web application is vulnerable, it tries to resolve the URL by contacting our DNS server.
  1. Upon receiving the request, the DNS server hashes it and sends it to the database server, together with the type of request. For example: d057a29eb9d43456054ff79b421c36a1d0678768bb7b01adae2f8b025add6df8, DNS

Netsparker Hawk vulnerability testing infrastructure

  1. After the scan the Netsparker scanner queries the Netsparker Hawk server, which checks with the database server for the hashed record.
  1. Once the scanner receives the hashed value, it applies the same hashing algorithm to the local data that the DNS server used.

If both the hashes of the scanner and the DNS server match, it means that the target web application is vulnerable and the Netsparker web application security scanner can confirm the vulnerability.

Security and Sensitive Data

By using the above approach none of our servers log any sensitive data about vulnerabilities or the target web application, while at the same time the Netsparker web application security scanner can accurately confirm the vulnerability, thus being dead accurate.


Dead accurate, fast & easy-to-use Web Application Security Scanner