This release adds a number of new scan checks based on our talk today at Black Hat, Cracking the lens: targeting HTTP's hidden attack surface.

The new scan checks use various techniques aimed at inducing vulnerable applications and infrastructure to route requests to a different destination. This can lead to serious attacks, for example SSRF against the application server itself or other infrastructure components. The research behind the new capabilities quickly netted us over $30,000 in bug bounty payouts, and demonstrates the huge power of OAST (out-of-band application security testing).

The novelty of the new checks lies not so much in the payloads themselves as in where they are placed. The new scan checks send Collaborator-based payloads in the following locations:

  • The HTTP Request-Line (where the requested URL normally appears).
  • The server name specified in the SSL SNI extension.
  • The server specified in a CONNECT request.
  • The Host header.
  • Various other common and not-so-common request headers.
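The defensive counterpart to these checks is to make sure a front end or application only honours routing information that names a host it actually serves. The following is an added example, not Burp Suite or PortSwigger code: it parses raw HTTP requests and flags the request-line (absolute-form URLs and CONNECT targets), the Host header, and a small assumed set of other routing-influencing headers whenever they point at a host outside an allowlist. The allowlist, the header list, and the sample requests (using the reserved `.invalid` domain in place of a Collaborator hostname) are all constructed for the example. SNI lives in the TLS handshake rather than the HTTP bytes, so it is outside what this parser can see and must be enforced at the TLS terminator.

```python
"""Flag HTTP requests whose routing-relevant fields name an unexpected host.

Added example (not the scanner's code). Sample data below is constructed.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Hypothetical allowlist: the hostnames this service is supposed to serve.
ALLOWED_HOSTS = {"www.example.com", "example.com"}

# Headers that proxies and frameworks commonly consult when routing or when
# generating absolute links. This list is an assumption for the example;
# extend it to whatever your own stack honours.
ROUTING_HEADERS = ("host", "x-forwarded-host", "x-host", "x-forwarded-server")


def parse_request(raw: bytes) -> tuple[str, str, list[tuple[str, str]]]:
    """Split a raw request into (method, request-target, [(name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return method, target, headers


def authority_host(authority: str) -> str:
    """Reduce 'userinfo@host:port' to the lowercase host part.

    Anything after a '@' is treated as the real host, so a value such as
    'www.example.com@other.invalid' resolves to 'other.invalid' and is judged
    on that, not on the allowlisted prefix.
    """
    hostport = authority.rsplit("@", 1)[-1]
    if hostport.startswith("["):  # IPv6 literal, e.g. [::1]:80
        return hostport[1:hostport.index("]")].lower()
    return hostport.split(":", 1)[0].lower()


def routing_findings(raw: bytes, allowed: set[str] = ALLOWED_HOSTS) -> list[str]:
    """Return one finding per routing field that names a non-allowlisted host."""
    findings: list[str] = []
    method, target, headers = parse_request(raw)

    # 1. Request-line: CONNECT uses authority-form, proxies accept absolute-form.
    if method == "CONNECT":
        host = authority_host(target)
        if host not in allowed:
            findings.append(f"request-line: CONNECT to unexpected host {host!r}")
    elif "://" in target:
        host = authority_host(urlsplit(target).netloc)
        if host not in allowed:
            findings.append(f"request-line: absolute URL targets unexpected host {host!r}")

    # 2. Exactly one Host header is expected; duplicates are ambiguous by design.
    host_count = sum(1 for name, _ in headers if name == "host")
    if host_count != 1:
        findings.append(f"host: expected exactly one Host header, got {host_count}")

    # 3. Host and the other routing headers must name an allowlisted host.
    for name, value in headers:
        if name in ROUTING_HEADERS:
            host = authority_host(value)
            if host not in allowed:
                findings.append(f"{name}: unexpected host {host!r}")
    return findings


# Constructed sample requests; 'oob.placeholder.invalid' stands in for an
# out-of-band (Collaborator-style) hostname.
SAMPLE_REQUESTS = {
    "normal": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "absolute_url": b"GET http://oob.placeholder.invalid/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "host_header": b"GET / HTTP/1.1\r\nHost: oob.placeholder.invalid\r\n\r\n",
    "connect": b"CONNECT oob.placeholder.invalid:443 HTTP/1.1\r\nHost: oob.placeholder.invalid:443\r\n\r\n",
    "x_forwarded_host": b"GET / HTTP/1.1\r\nHost: www.example.com\r\nX-Forwarded-Host: oob.placeholder.invalid\r\n\r\n",
    "duplicate_host": b"GET / HTTP/1.1\r\nHost: www.example.com\r\nHost: oob.placeholder.invalid\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLE_REQUESTS.items():
        print(f"{label}: {routing_findings(raw) or 'ok'}")
```

In production the same decision belongs at the edge: reject (or rewrite to a canonical value) rather than merely log, and apply it before any component that builds URLs or forwards the request from these fields.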

An example of a reported vulnerability is shown below. For full details of these and various other techniques, see today's blog post.