Pentesters use web application security scanners during web application security testing not because the scanners can do anything a tester cannot do manually, but because they speed up the testing process and shorten the overall timescale. A scanner can complete in a few hours tests that would take a tester days to perform by hand, which improves overall efficiency.
It is essential to understand these scanners, and the role they can play during a pentest, before making them part of your testing methodology. They are capable of finding technical vulnerabilities such as cross-site scripting, injection attacks (SQL injection, command injection and so on), directory traversal, default files and directories, and configuration issues, but they may not be capable of finding logical issues: flaws in business processes, shopping cart manipulation, session management weaknesses, privilege escalation, user enumeration through error messages and cryptographic issues. This can be illustrated as follows:
A scanner may find every variant of cross-site scripting in every input field it encounters while crawling, but it will not change the price of an item in a shopping cart or escalate a user's privileges by modifying request parameters, because it has no model of what those parameters mean to the application.
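To make the difference concrete, here is an added example (not code from the original post) that contrasts the two kinds of finding. It models a toy checkout handler in a vulnerable and a hardened version, a deliberately crude stand-in for a scanner's injection probe, and the single manual check a tester would perform by tampering with the price parameter. The catalogue, the sample order and all function names are constructed for illustration.

```python
# Added example (not from the original post): a toy checkout handler in two
# versions, a crude stand-in for a black-box scanner's injection probe, and the
# manual logic test a pentester would run. All names and data are constructed.

# Server-side catalogue: the only authoritative source of prices (in cents).
CATALOGUE = {"sku-100": 4999, "sku-200": 1299}

# Constructed sample request, as the browser would send it. Note that the
# client is allowed to send a "price" field at all.
ORDER = {"sku": "sku-100", "qty": "2", "price": "4999"}


def checkout_vulnerable(params):
    """Trusts the client-supplied price and echoes sku back unvalidated."""
    total = int(params["price"]) * int(params["qty"])
    return {"sku": params["sku"], "total": total, "status": "ok"}


def checkout_hardened(params):
    """Ignores any client-supplied price; validates sku and qty server-side."""
    sku = params["sku"]
    if sku not in CATALOGUE:
        raise ValueError("unknown sku")
    qty = int(params["qty"])
    if qty < 1:
        raise ValueError("bad quantity")
    return {"sku": sku, "total": CATALOGUE[sku] * qty, "status": "ok"}


# Attack strings of the kind a scanner injects into every parameter it sees.
PAYLOADS = ["<script>alert(1)</script>", "' OR '1'='1"]


def scanner_probe(handler, params):
    """Simplified scanner behaviour: put attack strings into each field and
    flag the field when the payload comes back in the response. It never
    reasons about what a parameter means, so a plausible-looking numeric
    price is never questioned."""
    flagged = set()
    for field in params:
        for payload in PAYLOADS:
            mutated = dict(params, **{field: payload})
            try:
                response = handler(mutated)
            except (ValueError, KeyError):
                continue  # request rejected: nothing reflected, nothing to report
            if payload in str(response):
                flagged.add(field)
    return sorted(flagged)


def manual_price_tamper(handler, params):
    """Manual logic test: resubmit the order with price=1 and compare the
    returned total against the catalogue. Returns True when the server
    accepted the tampered price, i.e. the business-logic flaw is present."""
    tampered = dict(params, price="1")
    response = handler(tampered)
    expected = CATALOGUE[params["sku"]] * int(params["qty"])
    return response["total"] != expected


if __name__ == "__main__":
    for name, handler in (("vulnerable", checkout_vulnerable),
                          ("hardened", checkout_hardened)):
        print(name, "| scanner flags:", scanner_probe(handler, ORDER),
              "| tampered price accepted:", manual_price_tamper(handler, ORDER))
```

Against the vulnerable handler the probe flags only the reflected `sku` field (the raw material of an XSS finding) and says nothing about `price`, because a tampered price produces a perfectly normal response. The one-line manual check catches it immediately, and only the hardened handler, which takes the price from the server-side catalogue, passes both.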
These scanners should therefore be treated as an aid to manual effort, not as a replacement for a human tester. The best approach is to run a scanner as a first pass and follow it with substantial manual investigation that not only validates the tool's findings (scanners do produce false positives) but also conducts more in-depth testing using other methods.