Out-of-Band Validation (OAST)
How WASViking confirms blind vulnerabilities with its own out-of-band collaborator, and how to review captured interactions in the portal. No third-party data path.
Some of the most serious vulnerabilities never show up in the response. A blind SSRF, a blind XXE, or a blind command injection runs on the server and leaves the page looking normal. The only proof is that the target reached out to somewhere it should not have.
WASViking® Out-of-Band Validation captures that proof. When a payload makes the target call back to a server we control, the callback is recorded and tied to the exact scan, target, and parameter that caused it. A finding that would otherwise be a guess becomes a confirmed result with evidence behind it.
How it works
Every scan that runs a blind-class check obtains a unique token from the WASViking® collaborator. The token is embedded in the payload, either in an HTTP URL or a DNS hostname, and the request goes out through the normal scan path. When a Sentinel agent is in play, the probe travels through the same tunnel as the rest of the scan, so internal targets are covered without any extra setup.
If the target processes the payload, it contacts the collaborator. That interaction is recorded with its protocol, source address, and timestamp, then matched back to the token. The injection-class analyzer reads the result and promotes a confirmed finding into the same Findings workflow as every other result.
The collaborator is reached on a WASViking®-operated address and listens for both HTTP and DNS callbacks. The unique token travels inside the callback itself, so every interaction is tied back to the exact scan, target, and parameter that produced it, and scoped to your tenant.
Classes it confirms
| Class | What the callback proves | CWE |
|---|---|---|
| Blind SSRF | The server fetched an attacker-supplied URL. | CWE-918 |
| Blind XXE | An XML parser resolved an external entity and called out. | CWE-611 |
| Blind RFI | A remote file include reached an external host. | CWE-98 |
| Blind SSTI | A template engine evaluated an injected expression that triggered a request. | CWE-1336 |
| Blind command injection | The host ran an injected command that produced a network callback. | CWE-78 |
Where your data stays
This is the part that matters for regulated teams. The collaborator is built and operated by WASViking®, inside the platform you already trust with your scans. Validation data does not pass through a third-party hosted service, and interaction records are scoped to your tenant.
For organizations under LGPD, GDPR, or sector rules like BACEN, that single data path is often the difference between a control you can sign off on and one you cannot.
Reviewing interactions in the portal
Captured callbacks are listed under Inventory > Out-of-Band (OAST). Each row is one interaction with the context needed to act on it:
| Column | Meaning |
|---|---|
| Class | The vulnerability class the probe was testing, with the technique used. |
| Severity | Severity assigned to the confirmed issue. |
| Target | The scanned URL the probe was sent to. |
| Parameter | The input that carried the payload. |
| Protocol | Whether the callback arrived over HTTP or DNS. |
| Source IP | The address that contacted the collaborator, usually the affected host itself. |
| When | Timestamp of the interaction, in UTC. |
The tiles at the top summarize the period at a glance: total interactions, how many tokens were probed, how many distinct vulnerability classes were seen, and the most frequent class. A blind finding always links back to the interaction that proves it, so a reviewer can trace a result from the Findings list down to the raw callback.
Privacy and noise control
The collaborator is deliberately quiet. It only records callbacks for tokens it issued, so background internet noise hitting the wildcard address is dropped rather than stored. Sensitive request headers such as authorization, cookies, and API keys are stripped before an interaction is written, so a callback record never becomes a place where a target's secrets leak.
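The following is an added, illustrative model of the collaborator-side logic described under "How it works" and in this section: issuing a token bound to a scan, target and parameter; recognising that token in the leftmost label of an HTTP Host or DNS query name; dropping callbacks whose token was never issued; stripping sensitive headers before an interaction is stored; and filtering the stored rows per tenant. It is not WASViking's code, and the collaborator domain, the header block-list and the callback dictionaries are constructed assumptions for the example.

```python
import re
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Hypothetical collaborator domain: an assumption for this example, not a real
# WASViking address.
COLLAB_DOMAIN = "oast.example.invalid"
# Headers removed before an interaction is written (assumed block-list).
SENSITIVE_HEADERS = {"authorization", "cookie", "x-api-key", "proxy-authorization"}


@dataclass(frozen=True)
class Probe:
    """Context a token is bound to at the moment it is issued."""
    tenant: str
    scan_id: str
    target: str
    parameter: str
    vuln_class: str


@dataclass
class Interaction:
    """One stored callback, already matched back to the probe that caused it."""
    token: str
    protocol: str
    source_ip: str
    when: datetime
    probe: Probe
    headers: dict = field(default_factory=dict)


class Collaborator:
    def __init__(self, domain: str = COLLAB_DOMAIN):
        self.domain = domain
        self._probes: dict[str, Probe] = {}
        self.interactions: list[Interaction] = []
        # The token is the leftmost DNS label. DNS names are case-insensitive and
        # may end in a dot; an HTTP Host header may carry a port.
        self._pattern = re.compile(
            r"^([0-9a-f]{16})\." + re.escape(domain) + r"\.?(?::\d+)?$", re.IGNORECASE
        )

    def issue_token(self, probe: Probe) -> str:
        """Bind a fresh random token to one scan/target/parameter tuple."""
        token = secrets.token_hex(8)  # 16 hex chars: valid as a single DNS label
        self._probes[token] = probe
        return token

    def http_payload(self, token: str) -> str:
        return f"http://{token}.{self.domain}/"

    def dns_payload(self, token: str) -> str:
        return f"{token}.{self.domain}"

    def record(self, callback: dict) -> Optional[Interaction]:
        """Store a callback only if it carries a token this collaborator issued."""
        name = callback.get("host") if callback["protocol"] == "http" else callback.get("qname")
        m = self._pattern.match(name or "")
        if not m:
            return None  # not shaped like one of our names: ignore
        token = m.group(1).lower()
        probe = self._probes.get(token)
        if probe is None:
            return None  # well-formed but never issued: background noise, dropped
        headers = {k: v for k, v in callback.get("headers", {}).items()
                   if k.lower() not in SENSITIVE_HEADERS}
        inter = Interaction(token=token, protocol=callback["protocol"],
                            source_ip=callback["src"], when=datetime.now(timezone.utc),
                            probe=probe, headers=headers)
        self.interactions.append(inter)
        return inter

    def for_tenant(self, tenant: str) -> list[Interaction]:
        """Tenant-scoped view, the way a portal listing would filter its rows."""
        return [i for i in self.interactions if i.probe.tenant == tenant]


def run_demo():
    """Run constructed callbacks (sample data, not captured traffic) through the matcher."""
    collab = Collaborator()
    probe = Probe("acme", "scan-42", "https://app.example.invalid/fetch", "url", "Blind SSRF")
    token = collab.issue_token(probe)
    callbacks = [
        # DNS lookup of the payload hostname, upper-cased and with a trailing dot
        {"protocol": "dns", "qname": f"{token.upper()}.{COLLAB_DOMAIN}.", "src": "10.0.0.5"},
        # HTTP fetch of the payload URL, carrying headers that must not be stored
        {"protocol": "http", "host": f"{token}.{COLLAB_DOMAIN}:80", "src": "10.0.0.5",
         "headers": {"Authorization": "Bearer s3cret", "Cookie": "sid=1",
                     "User-Agent": "curl/8.0"}},
        # Internet noise: right shape, but a token that was never issued
        {"protocol": "dns", "qname": f"ffffffffffffffff.{COLLAB_DOMAIN}.", "src": "203.0.113.9"},
        # Request for some unrelated name that happened to reach the listener
        {"protocol": "http", "host": "unrelated.example.invalid", "src": "203.0.113.9"},
    ]
    for cb in callbacks:
        collab.record(cb)
    return collab, token


if __name__ == "__main__":
    c, t = run_demo()
    for i in c.for_tenant("acme"):
        print(i.protocol, i.source_ip, i.probe.vuln_class, i.probe.target, i.probe.parameter, i.headers)
```

Of the four constructed callbacks, only the two carrying the issued token are stored; both resolve to the same scan, target and parameter, and the stored HTTP record keeps `User-Agent` but not `Authorization` or `Cookie`.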
