Scanning non-public web applications with Acunetix Online

The Software Development Life Cycle (SDLC) is full of challenges — developers have strict deadlines for creating functional, scalable, maintainable and testable code. What’s more, that code needs to be secure.

Acunetix Online among other features, acts as an IP vulnerability scanner and can automatically test any Internet-facing website or web application for thousands of vulnerabilities. However, since automated security testing often needs to be done during the development process, or in a staging environment, those environments need to be made accessible via the Internet to Acunetix Online in order for the website or web application to be tested.

While opening up your entire staging environment to the Internet is possible, it’s not recommended. In this post we’ll describe a few methods you can use to allow traffic from scanners.acunetix.com by either port forwarding specific web applications to be Internet accessible, or, whitelisting the scanners.acunetix.com domain/IP address to only allow traffic from there.

Small/Medium Business (SMB) Routers

Small/Medium Business (SMB) routers with a graphical user interface can be easily used to forward incoming data from scanners.acunetix.com to the application server.

Most SMB routers with a graphical interface will have a web interface allowing them to be configured for port-forwarding. Port forwarding allows you to forward a network port from one network node to another. This technique would allow Acunetix Online to reach a port on a private IP address (inside a LAN) from the outside using a NAT-enabled router.

In the example above, any inbound TCP traffic on port 6112 will be forwarded to the IP address 192.168.1.13. With the above completed most SMB’s using this option will need to combine this with a Dynamic DNS service.

Dynamic DNS

A dynamic DNS service such as Dyn Remote Access (DynDns Pro) can be used to route traffic to a domain of your choice (for example — example.dyndns.com). This is then resolved to the staging server in order to allow the web application to be accessed, and therefore, scanned.

Something to keep in mind when using a dynamic DNS service is that this may need to be used in conjunction with firewall rules, as the firewall will have to allow inbound traffic to the selected port before the forwarding routing can take place.
Once an account is created and the Dynamic DNS service configured, the Acunetix OVS scan target can be set to https://yourname.dyndns.com, for example.

The Dynamic DNS provider will then resolve the scan target to the correct IP address by having the router itself directly configured to make use of a dynamic DNS service (most SMB routers have out-of-the-box dynamic DNS support).

Alternatively, if your SMB router does not support dynamic DNS out-of-the-box, most dynamic DNS services will provide a small client be installed onto the machine to be accessed. When installed, this client communicates with the dynamic DNS service and informs it of the current IP address of the machine.

Secure Tunnel

A secure tunnel can be created through a variety of services such as ngrok, which uses a small command line based application. The application sends a request for a secure connection through the firewall over a randomly assigned port, which will in turn automatically allow traffic back in on that same port. The application then gets a response back from the ngrok server which is when a secure encrypted tunnel is created. (https://yourapp.ngrok.io)

After registering for an account, download and run the application. Next, simply run the following command to start ngrok on a port of your choice. In this example, the port chosen is 8080, but this can be changed to any other port you want to use.

ngrok http 8080

Once you start ngrok, you will be provided with a domain name which you can browse to from the public Internet.

Microsoft Azure

If you are using Microsoft Azure to host your staging environment, you will need to configure inbound and outbound traffic security rules through a network security group in order to control permissions which manage access restrictions to your staging environment in order to allow scanners.acunetix.com access to a web application.

In order to create a network security group in Microsoft Azure, select the ‘New’ button on the left-hand-side menu, this should display a list of resources you can create. Select Networking > Network security group.

You will then be presented with a description of the resource. Ensure that the deployment model is set to ‘Resource Manager’ and click the ‘Create’ button.

The wizard will then ask you to provide the network security group with a name, subscription, resource group and a location.

The new network security group will take a few seconds to create. As soon as it has finished setting itself up, you will be presented with a screen which allows you to modify the network security group’s settings, this is where we’ll need to add our configuration to allow access to Acunetix Online.

The process described below will have to be gone through twice, once for an inbound and once for outbound security rule.

Select Inbound security rules > Add. This will reveal a new panel, allowing you to configure the new security rule. Configure the rule with the following settings.

1. Provide an appropriate name for the rule
2. The Priority field can remain at it’s default value
3. Set the Source to a CIDR block with a Source IP address range of 54.208.242.36/32. This is the IP address used by Acunetix Online for all scans. The /32 CIDR means that we are only allowing this single IP address through.
4. Set the Protocol to Any
5. Set the Source port range to ‘ * ’ (without quotation marks). This means that the rule will allow connections on all ports. This is important if you are running perimeter network scans with Acunetix Online.
6. Set the Destination to Any
7. Set the Destination port range to ‘ * ’ (without quotation marks). This means that the rule will allow connections to all ports
8. Set the Action to Allow
9. Select the OK button to confirm

Once both rules are in place, you should have two security rules within the network security group, one for allowing traffic inbound (from Acunetix Online), the other for allowing traffic outbound (to Acunetix Online).

You may then assign your security group to a new, or existing virtual machine. The screenshot below shows us assigning the security group during the creation of the virtual machine.

For further information about network security groups in Micorsoft Azure, visit the official documentation. Further information about network security groups is also covered in this blog post by Microsoft.

Amazon AWS EC2

If you are using Amazon Web Services (AWS) to host your staging environment, you will need to configure inbound and outbound traffic security rules through a network security group in order to control permissions which manage access restrictions to your staging environment in order to allow scanners.acunetix.com access to a web application.

In order to create a network security group in Amazon AWS, select ‘EC2’ from the main AWS dashboard (firstmost icon). This will take you to the main EC2 configuration dashboard.

Once in the main Amazon AWS EC2 dashboard, navigate to Network & Security > Security Groups from the left-hand-side menu. You should now be presented with a list of Security Groups you have set-up. By default, Amazon AWS creates a Security Group for you called default. You may either choose to edit the Security Group, or create a new one.

In order to create a new Security Group, select the ‘Create Security Group’ button. Next, specify a name and description for the Security Group.

You only need to create an Inbound Security Group rule since by default, the Security Group is configured to allow all outbound traffic.

Configure the rule with the following settings.

1. Set Type to All Traffic
2. Set the Source to Custom IP to an address range of 54.208.242.36/32. This is the IP address used by Acunetix OVS for all scans. The /32 CIDR means that we are only allowing this single IP address through.
3. Select the Create button to confirm

Once the Security Group is set-up, you may then assign your security group to a new, or existing EC2 instance. The screenshot below shows us assigning the security group during the creation of an EC2 instance.

For further information about Security Groups in Amazon AWS, visit the official documentation.

The examples above offer several alternatives for scanning a staging environment with Acunetix Online. As security environments vary across organizations the notes provided are guidelines for common environments.

THE AUTHOR

Ian Muscat

Ian Muscat used to be a technical resource and speaker for Acunetix. More recently, his work centers around cloud security and phishing simulation.