Testing for vulnerabilities

Introduction

The ThreatX four-stage blocking strategy is designed to reduce false positives while preventing malicious behavior from reaching your sites. When Request-Based blocking is enabled, the sensor blocks any standalone malicious request. When Risk-Based blocking is enabled, the sensor issues a series of timed block periods to any entity that exhibits persistent suspicious or malicious behavior, leading to a permanent blacklisting if the behavior continues. During a 30-minute Block period or while an entity is blacklisted, all requests from that entity are blocked from reaching the site.

When testing for vulnerabilities against your internal applications, the IP addresses of your penetration testers should be added to the whitelist before testing, and removed after testing is complete.

When testing for vulnerabilities in the sensor, the IP addresses of your penetration testers should not be added to the whitelist.

To add an IP address to the whitelist:

  1. Navigate to Settings > iWAF.

  2. In the iWAF Settings page, click the Whitelisted IP addresses tab.

  3. Click the Add Entry button.

  4. In the Add Whitelist Entry screen, enter the IP address.

  5. Enter the reason for adding the IP address.

  6. Set the Expiration. Typically you choose Never, but you must then remove the address from the list yourself when testing is done.

  7. Click Submit.

When done testing, remove the address by opening the Whitelisted IP addresses tab and clicking the Remove button in the entity's row.
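The step that is easiest to forget is the last one: an entry with Expiration set to Never stays in effect until someone removes it, so every tester address added before an engagement needs to be tracked and removed afterwards. The following is an added example, not ThreatX code and not the ThreatX API; it keeps a local ledger of the whitelist entries made for a test and reports which ones are due for removal. The `WhitelistEntry` fields mirror the values entered in the Add Whitelist Entry screen, the seven-day engagement window is an assumed policy, and the sample addresses are constructed documentation addresses.

```python
"""Local ledger of whitelist entries made for a penetration test.

Added example (not ThreatX's own code or API): records each entry as it was
added in the UI and flags the ones that must now be removed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_network
from typing import List, Optional


@dataclass(frozen=True)
class WhitelistEntry:
    address: str                     # IP address or CIDR, as typed into "Add Whitelist Entry"
    reason: str                      # the reason recorded when the entry was added
    added_at: datetime               # when Submit was clicked (UTC)
    expires_at: Optional[datetime]   # None models the "Never" expiration choice


def validate_address(address: str) -> str:
    """Normalise a single IP or CIDR to network form; raises ValueError on junk input."""
    return str(ip_network(address, strict=False))


def entries_to_remove(entries: List[WhitelistEntry], now: datetime,
                      engagement_window: timedelta = timedelta(days=7)) -> List[WhitelistEntry]:
    """Return entries that must be removed now.

    An entry is due for removal when its expiration has passed, or when it was
    set to Never and is older than the engagement window (an assumed policy:
    a Never entry that outlives the test is a whitelisted hole in the WAF).
    """
    due = []
    for entry in entries:
        if entry.expires_at is not None and entry.expires_at <= now:
            due.append(entry)
        elif entry.expires_at is None and now - entry.added_at >= engagement_window:
            due.append(entry)
    return due


def build_sample_ledger() -> List[WhitelistEntry]:
    """Constructed sample entries using RFC 5737 documentation addresses."""
    utc = timezone.utc
    return [
        WhitelistEntry(validate_address("203.0.113.10"), "pentest: tester workstation",
                       datetime(2024, 5, 1, tzinfo=utc), None),
        WhitelistEntry(validate_address("203.0.113.0/29"), "pentest: scanner range",
                       datetime(2024, 5, 8, tzinfo=utc), None),
        WhitelistEntry(validate_address("198.51.100.5"), "pentest: one-day scan",
                       datetime(2024, 5, 8, tzinfo=utc),
                       datetime(2024, 5, 9, tzinfo=utc)),
    ]


if __name__ == "__main__":
    now = datetime(2024, 5, 10, tzinfo=timezone.utc)   # constructed "current" time
    for entry in entries_to_remove(build_sample_ledger(), now):
        print(f"remove {entry.address}: {entry.reason} (added {entry.added_at:%Y-%m-%d})")
```

Run the check at the close of each test window; any address it lists should be removed from the Whitelisted IP addresses tab the same day, and the ledger entry deleted once the UI confirms the removal.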

Recommended Tools and Methodologies
Scanners

Scanners, such as ZAP and Burp, can be useful tools for testing the ThreatX Request-Based and Risk-Based blocking capabilities. However, they are likely to be blocked quickly and sent to the blacklist.

Leverage multiple IP addresses

When attacking the ThreatX sensor from a single IP address, that IP address accumulates risk and receives a series of Request-Based and Risk-Based blocks before being placed on the blacklist. The entity associated with that IP address can be removed from the blacklist, but the entity's Risk Level does not reset to "0" upon removal. An entity's Risk Level is reduced over time only as the entity shows less suspicious behavior and fewer malicious attack attempts. Try leveraging several IP addresses or ranges when pen testing the ThreatX sensor.

You can see when the IP address is blocked from the ThreatX user interface. In the following screenshot, the Gray requests were blocked from reaching the application. The White request was allowed through as it did not contain a standalone, viable attack or high-risk behavior.

Penetration Test