June 9th 2020
Learn how to leverage the Validate Finding feature of StackHawk to find and fix security bugs faster.
As a front end developer, I’ve scoured countless pages of documentation and StackOverflow replies seeking the answer to a problem I’m trying to solve. When the issue stems from a network request or other type of data transfer, these resources have suggested using curl to execute your request. When fixing security vulnerabilities, executing a request via curl allows you to more quickly find the part of the codebase that needs to be fixed.
Overview of curl
Nearly everyone with access to a command line interface can use curl, regardless of operating system (if you're a Windows developer, recent Windows 10 and 11 builds ship curl.exe, and many workflow tools, like Git for Windows, bundle it as well). This makes it an excellent, broadly applicable tool for developers regardless of the language, framework, or type of application they support.
Given the widespread use and power of curl, we can use the data provided by StackHawk to recreate a potential attack on our application. StackHawk is an application security testing tool that scans your running application to find security bugs.
After a StackHawk scan is complete, you can jump into the web application to take a look at the list of findings. The UI gives details of the request and response payloads for a particular finding. When you have a security bug, the newly released Validate button helps you fix the problem faster.
Clicking on the Validate button will generate the curl command used to identify the bug. This curl command will have the correct HTTP verb, headers and data fields to recreate the potential attack. Run your application under the debugger in your IDE, set a breakpoint in the handler for that route, and send the request with the curl command; you can then step through the request handling to identify where the bug lives in code. With this, you can quickly fix the vulnerability and get back to building software.
At StackHawk, we aim to empower developers to own their application security through knowledge and tooling, like the ability to recreate a curl attack from within our platform. Using this knowledge, you can protect your input fields, write tests against malicious data requests and have the peace of mind of knowing how your web application can be attacked.
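The two ideas above, replaying a finding's request (verb, headers, data) against your own application and turning that replay into a regression test against malicious data, are shown together in the added example below. It is not StackHawk's code and does not use its API: the finding layout, the curl command format, the tiny search endpoint that echoes a form field into HTML, and the probe value are all constructed for illustration, and the "bug" is nothing more than the missing `html.escape` call in the vulnerable handler.

```python
"""Replay a scanner finding locally and turn it into a regression test.

Added example, not StackHawk's code. The finding format, the curl layout
and the sample application are constructed for illustration only.
"""
import html
import shlex
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed finding, shaped like a scanner report: verb, path, headers and
# the body that triggered it. The probe is a generic HTML tag used to check
# for reflection; it is not a real finding from any product.
FINDING = {
    "method": "POST",
    "path": "/search",
    "headers": {"Content-Type": "application/x-www-form-urlencoded"},
    "data": "q=<b>probe</b>",
}


def build_curl_command(finding, base_url):
    """Render the finding as a copy-pasteable curl command (assumed layout)."""
    parts = ["curl", "-i", "-X", finding["method"]]
    for name, value in finding["headers"].items():
        parts += ["-H", f"{name}: {value}"]
    if finding["data"]:
        parts += ["--data", finding["data"]]
    parts.append(base_url + finding["path"])
    return " ".join(shlex.quote(p) for p in parts)


def render_search_page(query, escape_output):
    """The application logic under test: echo the query into an HTML page."""
    shown = html.escape(query) if escape_output else query  # the fix is this one call
    return f"<html><body>Results for: {shown}</body></html>"


class SearchHandler(BaseHTTPRequestHandler):
    """Tiny constructed app exposing render_search_page over HTTP."""
    escape_output = False  # subclasses choose the vulnerable or fixed behaviour

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode()
        query = urllib.parse.parse_qs(body).get("q", [""])[0]
        page = render_search_page(query, self.escape_output).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(page)

    def log_message(self, *args):  # keep request logging quiet during tests
        pass


class VulnerableHandler(SearchHandler):
    escape_output = False


class FixedHandler(SearchHandler):
    escape_output = True


def replay(finding, handler_cls):
    """Start the app on a free loopback port, send the finding's request, return the body."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        url = f"http://127.0.0.1:{server.server_address[1]}{finding['path']}"
        req = urllib.request.Request(
            url,
            data=finding["data"].encode(),
            method=finding["method"],
            headers=finding["headers"],
        )
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.read().decode()
    finally:
        server.shutdown()
        server.server_close()


def payload_reflected(finding, handler_cls):
    """True when the raw probe from the finding comes back unescaped."""
    probe = urllib.parse.parse_qs(finding["data"])["q"][0]
    return probe in replay(finding, handler_cls)


if __name__ == "__main__":
    print(build_curl_command(FINDING, "http://localhost:8080"))
    print("vulnerable reflects probe:", payload_reflected(FINDING, VulnerableHandler))
    print("fixed reflects probe:", payload_reflected(FINDING, FixedHandler))
```

`build_curl_command` produces the same kind of command you would paste into a terminal while the application sits at a breakpoint in `do_POST`; `payload_reflected` is the test you keep afterwards, so the finding stays fixed once the escaping call is in place.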