About Active Verification

Background information on one of the Seeker's key features.

What is Active Verification

Active Verification is a mechanism implemented by Seeker that greatly improves the accuracy of vulnerability detection by eliminating false positive detections. When a vulnerability is detected, Seeker verifies it by generating, sending, and then analyzing a similar HTTP request whose parameter values are specially tailored for verification. If this second request is also found to be vulnerable, the original detection is tagged as Seeker-Verified.

Note: Not all of the checkers support Active Verification.

Benefits

Active Verification benefits customers in a number of ways:

  • Increased confidence in results

    Active Verification has a false-positive rate of up to 5%, which reduces the number of cycles that developers and security experts spend validating results, and thus eases the adoption of Seeker by the teams.

  • Increased testing coverage of the application

    Active Verification enables Seeker to test additional parameters, which can discover new code paths in the application and thus increase the test coverage.

  • Easier prioritization of work

    Active Verification can add another layer of prioritization, guiding the teams to remediate first the items that are potentially exploitable today.

How it works

  1. When an Agent detects a potential vulnerability in a request, it does not send the detection to the server immediately. Instead, it creates a duplicate request with parameter values specially tailored for verification, and sends it to the monitored application via its own local HTTP client.
  2. The duplicate request is analyzed by the Agent.
    1. If a tailored parameter value reaches the same sink as in the original request, the detection is tagged as Seeker-Verified.
    2. Otherwise, the checker might perform additional verification checks with different tailored values.
    3. If any of the tailored values does not reach the same sink, the checker tags the detection as Seeker-Invalidated.
    4. If for some reason the duplicate request cannot be sent, for example, when a security one-time token expires, the detection is left untagged.
  3. At this point, the Agent sends the detection to the server.
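The following is an added toy model of the loop described in these steps; it is illustrative code written for this page, not Seeker's Agent. A simulated agent observes which request parameter values reach a monitored sink, replays the request through its own client with tailored marker values, and then applies the tags named above: Seeker-Verified when a marker reaches the same sink, Seeker-Invalidated when none does, and no tag when the duplicate request cannot be sent (modelled here as a consumed one-time token). The three handlers, the parameter name `q`, the `X-Token` header and the token value are all constructed for the example.

```python
"""Toy model of an IAST active-verification loop (added illustration, not Seeker's code).

A simulated agent watches a sink inside the monitored application. When a raw
request parameter value reaches the sink (a candidate detection), the agent
replays the request with tailored marker values and checks whether a marker
reaches the same sink. The resulting tags mirror the ones described on this page.
"""
from dataclasses import dataclass, field
import uuid

VERIFIED = "Seeker-Verified"
INVALIDATED = "Seeker-Invalidated"


@dataclass
class Request:
    path: str
    params: dict
    headers: dict = field(default_factory=dict)


class SinkMonitor:
    """Records every value that reaches the monitored sink during one request."""

    def __init__(self):
        self.values = []

    def sink(self, value):
        self.values.append(value)


# --- Monitored application (constructed handlers, one per outcome) ----------

def handler_unsafe(req, monitor):
    """Passes the parameter straight to the sink: a true positive."""
    monitor.sink(req.params.get("q", ""))


def handler_validated(req, monitor):
    """Rejects anything but alphanumerics before the sink. Naive taint tracking
    still flags it, because benign values do reach the sink: a false positive."""
    q = req.params.get("q", "")
    if not q.isalnum():
        return
    monitor.sink(q)


VALID_TOKENS = {"tok-123"}  # constructed one-time token store


def handler_one_time_token(req, monitor):
    """Consumes a one-time token, so a replayed request is refused."""
    token = req.headers.get("X-Token")
    if token not in VALID_TOKENS:
        raise PermissionError("token expired or already used")
    VALID_TOKENS.discard(token)
    monitor.sink(req.params.get("q", ""))


# --- Agent -------------------------------------------------------------------

class Agent:
    def __init__(self, app):
        self.app = app  # stands in for the hooked application plus the local HTTP client

    def observe(self, req):
        """Handle one live request; return the detection (if any) with its tag."""
        monitor = SinkMonitor()
        self.app(req, monitor)
        tainted = [k for k, v in req.params.items() if v and v in monitor.values]
        if not tainted:
            return None  # nothing reached the sink: no detection
        return {"path": req.path, "params": tainted, "tag": self.verify(req, tainted)}

    def verify(self, req, tainted):
        """Replay with tailored values. Verified if any marker reaches the sink,
        Invalidated if none does, untagged (None) if the duplicate cannot be sent."""
        # Two tailored variants: a unique marker plus a character that input
        # validation commonly strips or rejects, so a sanitizer is exercised.
        for sep in ("-", "."):
            marker = f"sv{sep}{uuid.uuid4().hex[:8]}"
            dup_params = {**req.params, **{k: marker for k in tainted}}
            dup = Request(req.path, dup_params, dict(req.headers))
            monitor = SinkMonitor()
            try:
                self.app(dup, monitor)
            except PermissionError:
                return None  # duplicate request refused: leave the detection untagged
            if marker in monitor.values:
                return VERIFIED
        return INVALIDATED


def run_demo():
    """Run the same live request against the three constructed handlers."""
    VALID_TOKENS.add("tok-123")  # reset the one-time token for repeatable runs
    live = Request("/search", {"q": "hello"}, {"X-Token": "tok-123"})
    return {
        "unsafe": Agent(handler_unsafe).observe(live)["tag"],
        "validated": Agent(handler_validated).observe(live)["tag"],
        "one_time_token": Agent(handler_one_time_token).observe(live)["tag"],
    }


if __name__ == "__main__":
    print(run_demo())
```

The point of the model is the second handler: plain taint tracking reports it because `hello` reaches the sink, but every tailored value is rejected by its validation, so the detection is invalidated rather than reported as a finding. The third handler shows why a stale one-time token leaves a detection untagged instead of invalidated: the agent learned nothing about the sink, so it makes no claim either way.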

System tags

Seeker automatically applies the following system tags to vulnerabilities on the corresponding events:

  • Seeker-Active-Inspection: the vulnerability has been detected by the active inspection of unused or empty parameters.
  • Seeker-Cross-Project: the vulnerability has been detected by tracking unsafe data across projects.
  • Seeker-Fix-Confirmed: the previously detected vulnerability has been confirmed by the Active Verification mechanism as fixed in a new version of the application.
  • Seeker-Invalidated: the vulnerability has been invalidated by the Active Verification mechanism.
  • Seeker-Verified: the vulnerability has been verified by the Active Verification mechanism.
  • Tracked: a ticket is created for the vulnerability in a bug tracking system either manually or automatically.

Configuration options

For each project, administrators can configure Active Verification for the following:

  • Applying verification rules to unused and empty parameters.
  • Sending requests that potentially involve data change operations.
  • Excluding some parts of your application from Active Verification.

For detailed information, see Configure Active Verification.