Automated penetration tests are a popular and effective method for identifying exploitable vulnerabilities in an application, but they often suffer from capability gaps that are difficult to overcome with current tools. The most significant problem is that an application’s attack surface is often not fully enumerated before testing begins, so part of that attack surface goes unexercised.
Currently, unlinked endpoints must be identified by manual code review, which is a time-consuming—and therefore expensive—process.
The Attack Surface Detector, developed under the ASTAM program, is a pair of plugins for two widely adopted DAST tools, PortSwigger’s Burp Suite and OWASP ZAP (Zed Attack Proxy). These plugins automatically examine the application’s source code via static analysis, finding hidden or unlinked endpoints in the process and further identifying their optional parameters and data types, which most DAST scans miss. This greatly broadens the visible, testable portion of the application’s attack surface and provides the basis for more thorough penetration testing. The newly enumerated surface can then be spidered and tested with Burp Suite or OWASP ZAP, or pen-tested manually. In addition, a command line interface (CLI) version of the Attack Surface Detector was developed that provides the ability to detect endpoints without pointing at an active server or source code. Endpoints are written to a JSON file that can then be imported into Burp and ZAP.
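To make the static-analysis idea concrete, the following added example (not the Attack Surface Detector’s own code, and not its JSON schema) enumerates endpoints, path variables and optional query parameters from a constructed Spring MVC controller and emits them as JSON the way a scanner import file would carry them. The regexes, the `SAMPLE_SOURCE` snippet and the output field names are all assumptions made for this illustration; a real analyzer would parse the language rather than pattern-match it.

```python
import json
import re

# Constructed Spring MVC controller (not from the page). Nothing links to
# /export, so a crawler-driven DAST scan alone would never exercise it.
SAMPLE_SOURCE = r'''
@RestController
@RequestMapping("/api/users")
public class UserController {
    @GetMapping("/{id}")
    public User get(@PathVariable long id) { return find(id); }
    @PostMapping("/export")
    public String export(@RequestParam(value = "format", required = false) String format,
                         @RequestParam("limit") int limit) { return dump(format, limit); }
}
'''

# Simplified patterns: class-level prefix, verb-specific mapping followed by the
# method signature up to its opening brace, then the two parameter annotations.
CLASS_PREFIX = re.compile(r'@RequestMapping\("([^"]*)"\)\s*(?:public\s+)?class')
MAPPING = re.compile(r'@(Get|Post|Put|Delete|Patch)Mapping\("([^"]*)"\)'
                     r'\s*public\s+\S+\s+\w+\((.*?)\)\s*\{', re.DOTALL)
REQUEST_PARAM = re.compile(r'@RequestParam\(([^)]*)\)\s*(\w+)\s+(\w+)')
PATH_VARIABLE = re.compile(r'@PathVariable\s+(\w+)\s+(\w+)')

def extract_endpoints(source):
    """Statically enumerate endpoints and their parameters from controller source."""
    prefix_match = CLASS_PREFIX.search(source)
    prefix = prefix_match.group(1) if prefix_match else ""
    endpoints = []
    for verb, path, args in MAPPING.findall(source):
        params = [{"name": n, "type": t, "in": "path", "optional": False}
                  for t, n in PATH_VARIABLE.findall(args)]
        for attrs, ptype, pname in REQUEST_PARAM.findall(args):
            explicit = re.search(r'"([^"]*)"', attrs)  # value/name attribute, if given
            params.append({"name": explicit.group(1) if explicit else pname,
                           "type": ptype, "in": "query",
                           "optional": "required=false" in attrs.replace(" ", "")})
        endpoints.append({"method": verb.upper(), "path": prefix + path,
                          "parameters": params})
    return endpoints

def endpoints_as_json(source=SAMPLE_SOURCE):
    """Serialise the enumerated surface as a JSON import file for a scanner."""
    return json.dumps(extract_endpoints(source), indent=2)

if __name__ == "__main__":
    print(endpoints_as_json())
```

Running it lists both endpoints, including the unlinked `POST /api/users/export` with `format` marked optional and `limit` marked required, which is exactly the information a spider cannot discover on its own.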