StackHawk

A target application is unable to handle the performance load generated by a scan, resulting in problems such as:

cpu throttling of the host running the application

memory depletion of the host running the application

- this can manifest as false positives for alerts that are based on timing-based attacks; for instance:
  - <a href="https://intercom.help/stackhawk/en/articles/6195479-how-does-the-server-side-template-injection-test-90036-work-in-hawkscan" rel="nofollow noopener noreferrer" target="_blank">Server Side Template Injection test (90036)</a>
  - <a href="https://intercom.help/stackhawk/en/articles/6195498-how-does-the-remote-os-command-injection-test-90020-work-in-hawkscan" rel="nofollow noopener noreferrer" target="_blank">Remote OS Command Injection test (90020)</a>

- this can manifest as a high rate of HTTP <code>429 Too Many Requests</code> errors, which some alerts can interpret as evidence of a vulnerability

- cpu throttling of the host running the application
- memory depletion of the host running the application
- slow response times
  - this can manifest as false positives for alerts that are based on timing-based attacks; for instance:
    - <a href="https://intercom.help/stackhawk/en/articles/6195479-how-does-the-server-side-template-injection-test-90036-work-in-hawkscan" rel="nofollow noopener noreferrer" target="_blank">Server Side Template Injection test (90036)</a>
    - <a href="https://intercom.help/stackhawk/en/articles/6195498-how-does-the-remote-os-command-injection-test-90020-work-in-hawkscan" rel="nofollow noopener noreferrer" target="_blank">Remote OS Command Injection test (90020)</a>
- rate-limiting by the application
  - this can manifest as a high rate of HTTP <code>429 Too Many Requests</code> errors, which some alerts can interpret as evidence of a vulnerability

In order to alleviate performance load on the application, HawkScan can be tuned to:

- send fewer requests in parallel
- inject a wait time between requests

How? By configuring the <code>concurrentRequests</code> and <code>requestDelayMillis</code> parameters in <a href="https://docs.stackhawk.com/hawkscan/configuration/#hawkscan" rel="nofollow noopener noreferrer" target="_blank">hawk.scan</a> in your <code>stackhawk.yml</code> file.

By default (i.e., when you don't specify them in the yml file), these parameters are:

<code>concurrentRequests: 20</code> (20 concurrent requests to the application)

<code>requestDelayMillis: 0</code> (0 millisecond delay between requests)

- <code>concurrentRequests: 20</code> (20 concurrent requests to the application)
- <code>requestDelayMillis: 0</code> (0 millisecond delay between requests)

To tune them, lower the <code>concurrentRequests</code> value below 20, and/or add a non-zero delay to <code>requestDelayMill</code>.

hawk:<br>  scan:<br>    concurrentRequests: 10<br>    requestDelayMillis: 5

Tune this value incrementally between scans and compare the scan results, if possible, to the system and application logging generated by the target application.

Issue

Solution