How Invicti Hawk finds vulnerabilities
Hawk is the infrastructure the Invicti web application security scanner uses to detect Server Side Request Forgery (SSRF), and all other kinds of blind, asynchronous and second order vulnerabilities that require data to be sent over out-of-band channels.
For more information on what Invicti Hawk does, why it was built, and the types of vulnerabilities it finds, watch as Invicti’s former CEO Ferruh Mavituna talks about it on Paul’s Security Weekly #506. Ferruh explains in detail how Hawk can find out-of-band vulnerabilities and why it uses DNS lookups to determine if the target web application is vulnerable.
Why use Invicti Hawk?
Most common types of SQL Injection, Cross-site Scripting and similar vulnerabilities can be detected fairly easily. The scanner sends a request to the target web application. Once a response is received, it analyses this response to determine whether the target is vulnerable. For example a typical SQL Injection vulnerability can be identified from an error message or content changes in the response, or the time the page takes to load.
Not all vulnerability detection, however, is as straightforward.
- For example, if the request sent to the web application is queued and processed by another block of asynchronous code – even if the code that’s processing the input is vulnerable to SQL Injection – there won’t be any error messages, content differences, or time load differences in the response.
- To detect vulnerabilities like this, the scanner forces the code to respond via a different communication channel (‘out-of-band’).
- Invicti Hawk is the intermediary server (the different communication channel that will receive these signals). The scanner communicates with it to confirm these types of vulnerabilities.
What vulnerabilities does Invicti Hawk detect?
Invicti Hawk also finds vulnerabilities that benefit from out-of-band detection, or can be only detected with this way, including the following:
- Out-of-Band SQL Injection
- Out-of-Band Remote File Inclusion
- Out-of-Band Code Injection
- Out-of-Band Code Evaluation
- XML External Entity (XXE) Injection
- Server-side Request Forgery (SSRF)
- Blind Cross-site Scripting
- Log4j vulnerability
How does Invicti Hawk work?
This is how Invicti works.
- During a web security scan, Invicti generates a custom hash and uses it in the attack payload. For example, it sends the following request to the target web application:
https://example.com/fetch?id=13&url=rc0shnxclpkdrp9oy-nibgsbz7u5ibyjddtzp0rezw4.r87.me/r/
- If the target web application is vulnerable, it tries to resolve the URL by contacting our DNS server.
- On receiving the request, the DNS server hashes it and sends it to the database server, together with the type of the request. For example:
d057a29eb9d43456054ff79b421c36a1d0678768bb7b01adae2f8b025add6df8, DNS
- Next, the Invicti scanner queries the Hawk server, which checks with the database server for the hashed record.
- Once the scanner receives the hashed value, it applies the same hashing algorithm to the local data that the DNS server used. If both the hashes of the scanner and the DNS server match, it means that the target web application is vulnerable. Invicti can confirm the vulnerability.
Security and sensitive data
Invicti’s highly accurate approach to finding and confirming vulnerabilities means that we are able to confidently confirm vulnerabilities. However, while using this approach, none of our servers log any sensitive data about vulnerabilities or about the target web application.