Jump to content
Nytro

Limitations of Automated Web Application Vulnerability Scanners

By Nytro, in Securitate web

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

[h=1]Limitations of Automated Web Application Vulnerability Scanners[/h]

vulnerability_scanners.jpg

[h=2]Introduction[/h] Many security specialists rely solely on Web Application Vulnerability Scanners for security testing. Depending only on automated vulnerability scanners will lead to a false sense of security because it leaves out many tests that can only be run manually.

In this article we will give you a better understanding of the capabilities and limitations of automated vulnerability scanners so you can make educated decisions when conducting web application security assessments.

[h=2]What is a web application vulnerability scanner?[/h] Web application vulnerability scanners are the automated tools that scan web applications to look for signatures of known security vulnerabilities such as cross-site scripting, SQL injection and others. There are several commercial and free vulnerability scanners available on the market, here is the list of the most popular tools:

  • AppScan (IBM)
  • Burp Suite (PortSwiger)
  • Nessus (Tenable Network Security)
  • NeXpose (Rapid 7)
  • WebInspect (HP)
  • Websecurify Suite (Websecurify)
  • Zed Attack Proxy (OWASP).

Some of the scanners require nothing except the link to the target websites, while others need some configuration before you run them. Most of them have advanced configuration options where the user can fine-tune the scanner (disable unneeded modules, setup the maximum number of threads, configure test and risk levels, etc.) before running the test.

[h=2]What do vulnerability scanners can identify?[/h] Despite the difference in configuration the automated web app scanners mentioned above and others on the market can detect the following:

  • Some SQL Injections using common techniques like causing database errors (i.e.: by sending a single quote), a time delay (by injecting the “sleep()” function in the query on MySQL server or “waitfor delay” on MS SQL server)
  • Most of the reflected Cross-site scripting (XSS) vulnerabilities – where malicious JavaScript code can be injected in the request and is returned in the response
  • Some of the stored XSS vulnerabilities – where malicious JavaScript is stored on the sever and is displayed every time somebody (can be the attacker or an unsuspecting user) is requesting a specific page
  • Very few DOM-based XSS vulnerabilities – where user-controllable data is used by client-side JavaScript
  • Path traversal vulnerabilities – arbitrary read of the files on the vulnerable web server (/etc/passwd or win.ini are usually used for this test)
  • File inclusion vulnerabilities – arbitrary file from the Internet can be included in the response (i.e. random text file from attacker controllable server)
  • Command injection vulnerabilities by injecting a command which will delay the response (i.e.: ping localhost 20 times) or return specific output in the response (i.e. ipconfig)
  • Hidden pages and files
  • Directory listing
  • Webserver vulnerabilities
  • Other vulnerabilities like cleartext password submission, session tokens in URL, password field autocomplete, SSL cookie without secure flag, frameable responses which can be determined by analyzing the requests and responses of the web application

[h=2]What can go wrong?[/h] In some cases the web application vulnerability scanners may fail to detect some of the vulnerabilities mentioned above or may not work properly. Below is the list of the top reasons why automated vulnerability scanners might not work:

  • Custom-built authentication mechanism – when a web application uses proprietary approaches to authenticate the users (multi-step authentication, non-standard session management, etc) sometimes the scanner my fail to login and only scan unauthenticated parts of the web application
  • Web applications with heavy use of AJAX – many of the web scanners spiders do not handle dynamic AJAX content properly
  • Web sites with a lot of content or with a high number of dynamically generated pages – sites like Amazon, Facebook, eBay and YouTube where there are thousands of similar pages with different content, new pages are generated because of the user actions (including vulnerability scanner generating new pages while doing the scan) or when each requests receives a unique response URL

[h=2]What do vulnerability scanners are not able to do?[/h] In addition to the limitations mentioned above the scanners are not smart enough to test for specific vulnerabilities in the application logic. Web application vulnerability scanners are not able to test for:

  • Authentication vulnerabilities such as username enumeration, resilience to password guessing, any account recovery functions, credentials predictability or any other logic flaws in the authentication
  • Session management flaws like meaningful or predictable tokens, session fixation, mapping tokens to session, session hijacking etc.
  • Vulnerabilities in access controls where a user can access others’ user data or admin functionality without having admin privileges assigned
  • Application logic flaws such as ordering negative number of items, skipping a stage in multi-stage processes (i.e. going straight to shipping page skipping the payment page) etc.
  • Shared hosting vulnerabilities – test segregation in shared infrastructure or between ASP-hosted applications
  • Leakage of sensitive information such as password hashes in the hidden fields or user logs

[h=2]Where are vulnerability scanners in the web applications testing methodology?[/h] Here is a typical web application testing methodology with highlighted stages which can be partially automated with vulnerability scanners1:

Web-application-testing-methodology-manual-vs-automated.png

[h=2]Know your tools[/h] To summarize, automated web application scanners are essential tools for any vulnerability assessment or penetration tests but you should know their capabilities and limitations. However, a qualified penetration tester is still required to know how interpret the results, perform advanced manual testing and understand the risks to the organization.

For information on how vulnerability assessments and penetration testing fits into an overall security testing program read Seven Tips for Increasing your Web Application Security .

Resources:

  1. Source: The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws

By Arsenii Pustovit – Information Security Analyst @ Eosensa

Sursa: Limitations of Automated Web Application Vulnerability Scanners | Eosensa

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...