There are many ways to uncover Web application vulnerabilities. This white paper examines a few of these vulnerability detection methods, comparing and contrasting manual penetration testing with automated scanning tools. What you'll discover is that neither of these methods is, on its own, an exhaustive way to identify Web application vulnerabilities.
Web application security. White paper. January 2008

Web application security: automated scanning versus manual penetration testing.
Danny Allan, strategic research analyst, IBM Software Group
Contents

Introduction
Evolving testing techniques
Two primary categories of vulnerabilities
Technical vulnerabilities
Logical vulnerabilities
Delivering the software and services you need to help secure your Web applications

Introduction

Research has shown that a vast number of Web sites are vulnerable to Web application attacks and that a great percentage of these attacks arrive over HTTP and HTTPS, protocols whose ports are typically left open to the entire Internet. With these facts in mind, it is essential for organizations to take serious measures to help secure their Web applications. As Web applications become increasingly complex, tremendous amounts of sensitive data, including personal, medical and financial information, are exchanged and stored. Consumers expect and even demand that this information be kept secure. There are two primary methods for discovering Web application vulnerabilities: manual penetration testing and code review, or automated scanning tools and static analysis. The purpose of this paper is to compare these two methods.
Evolving testing techniques

Manual security penetration testing is one of the oldest methods for discovering application vulnerabilities. Over time, as the frequency of attacks has grown and application complexity has increased, specialists known as penetration, or "pen," testers have emerged. Their sole purpose is to find and exploit Web application security problems.

In the late 1990s, companies began developing automated Web application testing techniques. By that point, the Web had become more mature, and Web browsers were beginning to be able to handle the complexities of dynamic applications. The goal of these early automated testing tools was to automate the process of discovering a Web application and injecting faults into it to help discover vulnerabilities.
Two primary categories of vulnerabilities

Generally, Web application vulnerabilities can be grouped into two categories: technical and logical. Technical vulnerabilities include cross-site scripting (XSS), injection flaws and buffer overflows. Logical vulnerabilities are much harder to explicitly categorize. These vulnerabilities manipulate the logic of the application to get it to do things it was never intended to do. For example, in early 2002, a hacker used a logical vulnerability to bypass the required personal information validation in a popular e-mail application, allowing the hacker to reset users' passwords by guessing the answer to a single security question.
Technical vulnerabilities

There are more than 70 techniques that can be used to exploit XSS, one of the most common technical vulnerabilities. A typical registration form on the Web contains approximately 30 unique elements, each of which is potentially vulnerable to XSS, injection flaws, buffer overflows or improper error handling. Therefore, to test the form for XSS alone, you would need more than 2,000 tests (30 elements multiplied by 70 techniques) to check every element against every technique. It is certainly no surprise that a great number of applications are vulnerable to this one class of flaw.
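To make the arithmetic above concrete, and to show the fault-injection step that the earlier section attributes to automated tools, here is an added example that is not part of the original paper. It builds the field-by-payload test matrix for a form, submits one probe per field, and reports every field whose value comes back unencoded. The target (`fake_registration_handler`), the field list and the payload strings are all constructed for the example; the handler deliberately echoes two fields unescaped so that the scan has something to find. Real scanners send these probes over HTTP; the handler stands in for the server so the example runs offline.

```python
"""
Reflected-XSS test matrix (added illustration, not code from the paper).

The application under test is a constructed stub: a registration-form
handler that echoes submitted values back into the page. Two fields are
echoed unencoded on purpose so the scan produces findings.
"""
import html
import itertools
from urllib.parse import parse_qs, urlencode

# Constructed form: a handful of the "approximately 30 elements" the text mentions.
FORM_FIELDS = ["username", "email", "password", "address", "phone", "comment"]

# Fields the stub echoes back unescaped (the deliberate weakness in the stub).
UNESCAPED_FIELDS = {"username", "comment"}

# A few classic XSS probe strings; representative, not the full 70 techniques.
PAYLOADS = [
    '<script>alert(1)</script>',
    '"><img src=x onerror=alert(1)>',
    "'><svg/onload=alert(1)>",
    '<a href="javascript:alert(1)">x</a>',
]


def fake_registration_handler(body: str) -> str:
    """Stand-in for the server: renders a confirmation table of submitted values."""
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    rows = []
    for name, value in params.items():
        # Escaped fields neutralise the probe; unescaped fields reflect it verbatim.
        shown = value if name in UNESCAPED_FIELDS else html.escape(value, quote=True)
        rows.append(f"<tr><td>{name}</td><td>{shown}</td></tr>")
    return "<html><body><table>" + "".join(rows) + "</table></body></html>"


def build_test_matrix(fields, payloads):
    """Every (field, payload) pair: the elements x techniques product from the text."""
    return list(itertools.product(fields, payloads))


def run_scan(handler, fields, payloads, baseline="benign"):
    """Inject one probe into one field per request; flag unencoded reflections."""
    findings = []
    for field, payload in build_test_matrix(fields, payloads):
        params = {f: baseline for f in fields}   # keep every other field benign
        params[field] = payload
        response = handler(urlencode(params))
        # Unencoded reflection of the raw probe is the scanner's evidence.
        if payload in response:
            findings.append((field, payload))
    return findings


def vulnerable_fields(findings):
    """Collapse per-payload hits into the set of fields that reflect unencoded input."""
    return sorted({field for field, _ in findings})


if __name__ == "__main__":
    matrix = build_test_matrix(FORM_FIELDS, PAYLOADS)
    hits = run_scan(fake_registration_handler, FORM_FIELDS, PAYLOADS)
    print(f"{len(matrix)} requests sent, {len(hits)} unencoded reflections")
    print("fields reflecting raw input:", vulnerable_fields(hits))
```

Two points a practitioner should keep in mind: the request count grows as fields multiplied by payloads, which is exactly why the paper argues that this class of check belongs to automation; and a verbatim reflection is evidence that output encoding is missing, not proof that a given payload executes in a given browser context, so findings still need triage.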
Given the number of tests needed to check such applications for technical vulnerabilities, automated tools that are able to traverse, analyze and test are perhaps more efficient than manual penetration testing. Automated scanning and testing tools may not currently be able to test 100 percent of technical vulnerabilities, but they can test for a large percentage of them. Early versions of automated tools had trouble dealing with certain issues, including:

• Client-side-generated URLs.
• Required JavaScript functions.
• Application logout.
• Transaction-based systems requiring specific user paths.
• Automated...