Detecting conventional vulnerabilities is a straightforward process: you send a request and analyze the response, and the main challenge is crafting the right request. But what about more advanced vulnerabilities that don’t result in an immediate response? Conventional vulnerability scanners won’t find them, but Netsparker has Hawk – a dedicated module that allows the scanning engine to detect and report blind, asynchronous, and second-order vulnerabilities.
Attacks like server-side request forgery (SSRF) are difficult to test automatically because they are executed indirectly, so you need a separate communication channel to observe the results. The same is true of asynchronous attacks like timing-based SQL injection, where you need to analyze multiple responses with varying reaction times, or stored cross-site scripting (XSS), where the malicious script only runs when a user opens a specific page. Netsparker covers all these cases by using its own DNS responder to provide out-of-band communication for the scanner.
When determined attackers can’t find any obvious entry points into your website or application, they will start trying more sophisticated and less direct methods. To gauge the effectiveness of such indirect attacks and to exfiltrate information, cybercriminals often rely on DNS queries, since it’s not realistic for sites to block or filter all DNS traffic. Netsparker Hawk simulates the same DNS-based communication channel during vulnerability testing, allowing the scanning engine to identify even these advanced attack vectors – and if the scanner can do it, so can real-life attackers.
Testing for out-of-band vulnerabilities manually takes experience, resources, and – most of all – time. This is especially true of timing-based attacks, where a single penetration attempt may be spread out over many hours and might not even be successful. For stored attacks, a payload might only be triggered when a specific user opens a specific page, making it impractical to manually go through each possible combination. Netsparker automates the vulnerability testing process for all these attack types to maximize test coverage while reducing the workload of your security engineers.
Even with indirect attack vectors, Netsparker still uses its Proof-Based Scanning™ technology to safely exploit vulnerabilities and deliver proof that the issue is real. The out-of-band communication channel provided by the Hawk module was built with data confidentiality in mind, so only secure hashes are exchanged to signal that a specific test was successful – no customer data ever goes through the DNS responder. For truly air-gapped environments where not even DNS requests can be sent to the public network, you can set up Netsparker Hawk locally to get all the benefits of out-of-band vulnerability testing without any Internet connectivity.