Hackerguardian (Qualys) Scan 'validation' block

Answer these questions to help the Community help you with Security questions.

What is the domain name?
webpoint.us

Have you searched for an answer?
Yes, but not seeing any particular advice on how to resolve it.

Please share your search results url:

When you tested your domain using the Cloudflare Diagnostic Center, what were the results?
Mentions issues with DNSSEC, DS record configuration, HTTPS status, and mixed content.

Describe the issue you are having:
I’m trying to run a scan through HackerGuardian for PCI compliance and keep getting interference errors despite adding allow and bypass rules. The traffic being blocked is source ‘validation’ and ruleId ‘sanity-shellshock’.

What error message or number are you receiving?
From Hackerguardian: “Service name: Unknown - Possible Scan Interference on TCP port 443.”

What steps have you taken to resolve the issue?

  1. I’ve added bypass and allow rules for their IPs.

Was the site working with SSL prior to adding it to Cloudflare?
Yes.

What are the steps to reproduce the error:

  1. N/A

Have you tried from another browser and/or incognito mode?
N/A
Please attach a screenshot of the error:

The scanner is facing a Challenge and thus, it’s failing.
What bypass rules have you tried applying?

4 Likes

Are you saying that you want Cloudflare to allow a Shellshock payload through? Surely the scanner would be happy that you’re not allowing exploits from 2014 through to your origin.

You can’t disable validation checks - you can pause Cloudflare and allow the scanner (and anyone) to reach your origin directly if necessary.

Sigh, I certainly agree. Our old scanner Trusted Site was happy with this outcome. Here’s the message from HackerGuardian:

Threat:

Possible scan interference detected.

A PCI scan must be allowed to perform scanning without interference from intrusion detection systems or intrusion prevention systems.
The PCI ASV is required to post fail if scan interference is detected.

The goal of this QID is to ensure that Active Protection Systems are not blocking, filtering, dropping or modifying network packets from a PCI Certified Scan, as such behavior could affect an ASV's ability to detect vulnerabilities. Active Protection Systems could include any of the following; IPS, WAF, Firewall, NGF, QoS Device, Spam Filter, etc. which are dynamically modifying their behavior based on info gathered from traffic patterns. This QID is triggered if a well known and popular service is not identified correctly due to possible scan interference. Services like FTP, SSH, Telnet, DNS, HTTP and Database services like MSSQL, Oracle, MySql are included.

- If an Active Protection System is found to be preventing the scan from completing, Merchants should make the required changes (e.g. whitelist) so that the ASV scan can complete unimpeded.

- If the scan was not actively blocked, Merchants can submit a PCI False Positive/Exception Request with a statement asserting that No Active Protection System is present or blocking the scan.

Additionally, if there is no risk to the Cardholder Data Environment, such as no web service running, this can also be submitted as a PCI False Positive/Exception Request and reviewed per the standard PCI Workflow.

For more details on scan interference during a PCI scan please refer to the ASV Scan Interference section of the PCI DSS Approved Scanning Vendors Program Guide Version 3.1 July 2018. For more details about this QID, please review the following Qualys KB article:

Impact:

If the scanner cannot detect vulnerabilities on Internet-facing systems because the scan is blocked by an IDS/IPS, those vulnerabilities will remain uncorrected and may be exploited if the IDS/IPS changes or fails.

Solution:

Whitelist the Qualys scanner to scan without interference from the IDS or IPS.

Result:

Service name: Unknown - Possible Scan Interference on TCP port 443.

If I’m interpreting this correctly, the only option would be to submit a false positive? But that feels odd.

I’ve added the Scanners IP blocks to a WAF Allow and WAF Bypass Rule:


I can confirm the vast majority of the scanner’s requests are hitting those rules, but a small percentage are not.

Can you confirm that you don’t have SBFM or BF enabled?
Do you have OWASP rules enabled?

Can you show the blocked request? What does the dashboard show?

2 Likes

We did upgrade to the pro plan a while back and I may not have realized the nuance change in the bot mode. However, I think I have everything set correctly to ‘disable’ the bot fight mode, minus ‘JavaScript Detections’:


Here’s part of the OWASP rules, but we have sensitivity ‘Off’:

Here are the events. Most with cross-site scripting attacks:


{
  "action": "block",
  "clientASNDescription": "SUN-JAVA",
  "clientAsn": "6142",
  "clientCountryName": "US",
  "clientIP": "64.39.98.186",
  "clientRequestHTTPHost": "",
  "clientRequestHTTPMethodName": "GET",
  "clientRequestHTTPProtocol": "HTTP/1.1",
  "clientRequestPath": "/wp15/Transactions/Order/Donate.wp",
  "clientRequestQuery": "",
  "datetime": "2022-08-03T12:43:17Z",
  "rayName": "734f23576e5a52fb",
  "ruleId": "sanity-shellshock",
  "rulesetId": "",
  "source": "validation",
  "userAgent": "() { test;}; echo; QSS_1=A5B2C3 QSS_2=c3h7l9 QSS_3=P8C6h4 QSS_4=$QSS_3:QQ:$QSS_1:qq:$QSS_2 && echo $QSS_4",
  "matchIndex": 0,
  "metadata": [],
  "sampleInterval": 1
}
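The event above is the kind of record an operator needs to sort when deciding what can be fixed with an allow/skip rule and what has to go into the scanner's false-positive request. The script below is an added example, not code from the thread or from Cloudflare; it reads firewall events in the JSON shape posted above, classifies each as allowed, blocked by a custom rule (fixable with an allow rule), or blocked by source `validation` (not bypassable, per the replies in this thread), and collects the validation blocks from scanner addresses as evidence for the exception request. The scanner CIDR is a placeholder, the source name `firewallCustom` and the challenge action names are assumed labels, and the second and third events are constructed; only the first event is the one from the post.

```python
import ipaddress
import json
import re
from collections import Counter

# Scanner address ranges to treat as allow-listed. This /24 is a placeholder
# assumed for illustration; use the ranges published by the ASV.
SCANNER_CIDRS = ["64.39.98.0/24"]

# Event sources that, as stated in the thread, cannot be bypassed with
# allow/skip rules. Any other source is treated as rule-driven.
NON_BYPASSABLE_SOURCES = {"validation"}

# Actions that keep the request from reaching the origin. "block" is the value
# in the posted event; the two challenge names are assumed action labels.
BLOCKING_ACTIONS = {"block", "managed_challenge", "js_challenge"}

# Shellshock probe shape: a bash function definition "() {" in a header value.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Constructed sample: the first event is the one posted in the thread; the
# other two are made up to show a custom-rule block and a skipped request.
SAMPLE_EVENTS = """[
  {"action": "block", "clientIP": "64.39.98.186",
   "clientRequestPath": "/wp15/Transactions/Order/Donate.wp",
   "datetime": "2022-08-03T12:43:17Z", "rayName": "734f23576e5a52fb",
   "ruleId": "sanity-shellshock", "source": "validation",
   "userAgent": "() { test;}; echo; QSS_1=A5B2C3 QSS_2=c3h7l9 QSS_3=P8C6h4 QSS_4=$QSS_3:QQ:$QSS_1:qq:$QSS_2 && echo $QSS_4"},
  {"action": "block", "clientIP": "64.39.98.187",
   "clientRequestPath": "/wp15/login.wp",
   "datetime": "2022-08-03T12:43:20Z", "rayName": "constructed-ray-0002",
   "ruleId": "example-custom-rule-id", "source": "firewallCustom",
   "userAgent": "Mozilla/5.0 (constructed scanner UA)"},
  {"action": "skip", "clientIP": "64.39.98.188",
   "clientRequestPath": "/wp15/index.wp",
   "datetime": "2022-08-03T12:43:22Z", "rayName": "constructed-ray-0003",
   "ruleId": "example-allow-rule-id", "source": "firewallCustom",
   "userAgent": "Mozilla/5.0 (constructed scanner UA)"}
]"""


def load_events(text):
    """Parse a JSON array of firewall events (one object per request)."""
    return json.loads(text)


def is_scanner_ip(ip, cidrs=SCANNER_CIDRS):
    """True when the client address falls inside one of the scanner ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def classify(event, cidrs=SCANNER_CIDRS):
    """Return one of: allowed, validation_block_scanner, validation_block_other,
    rule_block_scanner, rule_block_other."""
    if event.get("action") not in BLOCKING_ACTIONS:
        return "allowed"
    who = "scanner" if is_scanner_ip(event["clientIP"], cidrs) else "other"
    if event.get("source") in NON_BYPASSABLE_SOURCES:
        return f"validation_block_{who}"
    return f"rule_block_{who}"


def looks_like_shellshock(event):
    """Flag the classic Shellshock probe pattern in the User-Agent header."""
    return bool(SHELLSHOCK_RE.search(event.get("userAgent", "")))


def summarize(events, cidrs=SCANNER_CIDRS):
    """Count each category and collect the validation blocks from scanner IPs,
    which are the ones that need a false-positive/exception request."""
    counts = Counter(classify(e, cidrs) for e in events)
    evidence = [
        {"rayName": e["rayName"], "datetime": e["datetime"],
         "path": e["clientRequestPath"], "ruleId": e["ruleId"],
         "shellshock_probe": looks_like_shellshock(e)}
        for e in events if classify(e, cidrs) == "validation_block_scanner"
    ]
    return counts, evidence


if __name__ == "__main__":
    counts, evidence = summarize(load_events(SAMPLE_EVENTS))
    for category, n in sorted(counts.items()):
        print(f"{category:25s} {n}")
    print("\nvalidation blocks to cite in the exception request:")
    for row in evidence:
        print(json.dumps(row))
```

Point it at a dashboard export or GraphQL result in the same shape: any `rule_block_scanner` rows mean the allow/skip rule is not matching and should be fixed; `validation_block_scanner` rows are what the ASV's false-positive request needs (Ray ID, time, path), and the `shellshock_probe` flag confirms the blocked request was the scanner's probe rather than a real attack.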

For validation blocks, submitting a false positive to your scanner or pausing Cloudflare is the only option.

1 Like

Hackerguardian’s support replied:
“If you are getting “Possible Scan Interference” and the scanner IPs are already whitelisted, this can be reported as false positive, and we will accept it.”
