A PortSwigger guide

Website vulnerability scanning

How can web vulnerability scanning help me to find vulnerabilities?

Using web vulnerability scanning to find vulnerabilities

What is vulnerability scanning?

Vulnerability scanning is commonly considered to be the most efficient way to check your site against a large catalogue of known vulnerability classes, and to identify potential weaknesses in the security of your applications. Vulnerability scanning can be used as part of a standalone assessment, or as part of a continuous overall security monitoring strategy.

What is a web vulnerability scanner?

Vulnerability scanners are automated tools that scan web applications to look for security vulnerabilities. They test web applications for common security problems such as cross-site scripting (XSS), SQL injection, and cross-site request forgery (CSRF).

More capable scanners may be able to delve further into an application by utilizing more advanced techniques. Pioneering application system testing techniques mean that Burp Scanner, the engine powering Burp Suite application security testing products, can find vulnerabilities many other scanners would miss, including asynchronous SQL injection and blind SSRF for instance.


How does a web vulnerability scanner work?

Web vulnerability scanners work by automating several processes. These include application spidering and crawling, discovery of default and common content, and probing for common vulnerabilities.

There are two primary approaches to vulnerability scanning - passive, and active. A passive scan performs non-intrusive checks: it inspects the requests and responses the application has already produced (headers, cookies, forms, error text) and does not send any additional requests of its own. You can visualize this method by imagining encountering a door, but not touching it to see if it's open or locked. If the door is closed, that marks the end of that branch of your investigation.

An active scan, on the other hand, is a simulated attack on your site: the scanner sends crafted requests in order to assess vulnerabilities as they would appear to an outsider. If you visualize this as a door, the fact that it may be closed would not present a dead-end. Instead, your investigation would push you to test the door, perhaps pick the lock, or even force entry.

Some scan types also involve authentication, whereby the scanner uses access permissions to establish if there are further open or closed "doors" within the application. Some scanners are able to acquire these access permissions themselves, and some will need them provided prior to testing.

The scanner will then produce a report of varying detail, depending on the type of scan performed. This report usually includes the specific request and response that the scanner used to diagnose each reported vulnerability, enabling a knowledgeable user to manually reproduce the issue and confirm the bug's existence.

How does a web vulnerability scanner "map" an application?

Some scanners partially automate site mapping using spidering, which follows links from each discovered page. More modern scanners use crawling, whereby the scanner navigates the application as a user would, recording the possible paths a user could take and how their journey is affected by links, form submissions and other navigational transitions.

Modern applications contain a lot of state. For example, on an e-commerce site there might be a page designed to display your "basket" - this page could look almost entirely the same whether you have something in that "basket" or not, with the exception of a "checkout" button. The iteration of the page that contains a "checkout" button, or items in the "basket" is a separate state that the scanner needs to be able to account for.
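The basket example above is the difference between keying a crawler's "visited" set on the URL alone and keying it on the URL plus the session state that produced the page. The following is an added example, not code from the page or from Burp Scanner: a toy crawler over a constructed five-page shop in which the basket page only links to checkout once an item has been added. The site, the `/add/1` link that mutates state on a GET (a simplification; real sites would use a POST), and the `crawl()` function are all assumptions made for illustration.

```python
import re
from collections import deque

# Constructed toy e-commerce site (assumption: not a real application).
# Each page is rendered from the current session state. The basket page
# only shows a checkout link once the basket holds something, so a crawler
# that keys its visited set on URL alone never discovers /checkout.
def render(path, state):
    if path == "/":
        return '<a href="/item/1">Widget</a> <a href="/basket">Basket</a>'
    if path == "/item/1":
        return '<a href="/add/1">Add to basket</a> <a href="/">Home</a>'
    if path == "/add/1":
        state.add("item1")  # side effect on the session (a GET here is a simplification)
        return '<a href="/basket">View basket</a>'
    if path == "/basket":
        if state:
            return 'Items: 1 <a href="/checkout">Checkout</a>'
        return 'Basket empty <a href="/">Home</a>'
    if path == "/checkout":
        return 'Enter card details <a href="/">Home</a>'
    return "404"

LINK_RE = re.compile(r'href="([^"]+)"')

def crawl(state_aware=True):
    """Breadth-first crawl from "/". Returns the set of paths that were rendered.

    state_aware=False mimics a classic spider: a URL is visited once.
    state_aware=True treats (URL, session state) as the unit of novelty, so the
    same URL is revisited when the state it is rendered under has changed.
    """
    queue = deque([("/", frozenset())])
    seen, found = set(), set()
    while queue:
        path, state = queue.popleft()
        key = (path, state) if state_aware else path
        if key in seen:
            continue
        seen.add(key)
        session = set(state)            # copy: each branch carries its own state
        html = render(path, session)
        found.add(path)
        for link in LINK_RE.findall(html):
            queue.append((link, frozenset(session)))
    return found

if __name__ == "__main__":
    print("URL-only crawl:   ", sorted(crawl(state_aware=False)))
    print("State-aware crawl:", sorted(crawl(state_aware=True)))
```

The URL-only crawl reaches the basket first in its empty state, marks it visited, and therefore ignores the later visit that arrives with an item in the basket. The state-aware crawl treats that second visit as new and finds the checkout page. The cost is that the same URL can be rendered once per distinct state, which is why real crawlers need heuristics for deciding which state differences matter.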

High-performance scanners will generally give you options for customization at various stages of your scan - including scan set-up, targeting scope, vulnerabilities to assess for, and detail of post-scan reports produced.


What are the common vulnerabilities detected by automated scanning?

Several categories of common vulnerabilities can be detected by scanners with a degree of reliability. Some scanners can detect a wider range of vulnerabilities, for example if their check logic is updated more frequently. Regular updates can play a big part in maintaining your security posture - once a vulnerability class or bypass technique becomes public, it is also known to attackers. This is something to consider when selecting your vulnerability scanning tool.

Vulnerabilities reliably detected by run-of-the-mill scanners include, but are not necessarily limited to:

Reflected cross-site scripting (XSS)

Automated scanners typically send test strings containing HTML markup and search the responses for the same strings returned unencoded, enabling them to detect basic XSS flaws.

Straightforward directory listings

This type of vulnerability can be identified by requesting the directory path, and looking for a response containing text that looks like a directory listing.

Directory traversal

Some path traversal vulnerabilities can be detected by submitting a traversal sequence targeting a known file, and searching the response for the known contents of that file.

Some command injection vulnerabilities

These types of vulnerability can often be detected by injecting a command that causes a time delay, or echoes a specific string into the application's response.

SQL injection

This allows an attacker to interfere with the queries that an application makes to its database. It can sometimes be detected using basic payloads, such as a stray quote character, that cause recognizable database error messages to appear in the response.

Open redirection

A scanner tests for these vulnerabilities by submitting payloads designed to test whether a parameter can cause a redirection to an arbitrary external domain, and checking whether the resulting redirect response points at that domain.
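To make the passive/active distinction and the six detection techniques listed above concrete, here is an added example that is not code from the page or from Burp Scanner. It is a miniature scanner run against a constructed, deliberately vulnerable toy application implemented as the in-process function `app()` (an assumption standing in for a real HTTP target); the `TARGETS` list stands in for what the crawl phase would produce. The one passive check inspects a response the scanner already has; each active check sends a payload and demands evidence specific to that bug class rather than merely seeing the payload echoed back, which is what keeps reflections into plain-text or HTML-encoded output from being reported as XSS.

```python
import html
import posixpath
import re

MARK = "scn7q"  # marker unlikely to occur naturally, so a hit is attributable to our probe

# Constructed toy application standing in for the target (assumption: not a real
# product). Every endpoint is deliberately vulnerable except /product's reflection,
# which is HTML-encoded. app() returns (status, headers, body) for a GET.
FILES = {"/var/www/files/a.txt": "hello",
         "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n"}

def app(path, params):
    if path == "/search":                      # reflects q without encoding
        return 200, {"Content-Type": "text/html"}, f"<h1>Results for {params.get('q', '')}</h1>"
    if path == "/files/":                      # web server directory listing
        return 200, {"Content-Type": "text/html"}, "<title>Index of /files/</title>"
    if path == "/download":                    # joins user input straight onto the web root
        full = posixpath.normpath("/var/www/files/" + params.get("file", ""))
        if full in FILES:
            return 200, {"Content-Type": "application/octet-stream"}, FILES[full]
        return 404, {"Content-Type": "text/plain"}, "not found"
    if path == "/ping":                        # simulates `ping -c1 <host>` run via a shell
        parts = params.get("host", "").split(";")
        out = "PING " + parts[0]
        for cmd in parts[1:]:                  # ';' starts a second command
            if cmd.strip().startswith("echo "):
                out += "\n" + cmd.strip()[5:]
        return 200, {"Content-Type": "text/plain"}, out
    if path == "/product":                     # id concatenated into SQL; a quote breaks the query
        if "'" in params.get("id", ""):
            return 500, {"Content-Type": "text/html"}, "You have an error in your SQL syntax"
        return 200, {"Content-Type": "text/html"}, "Product " + html.escape(params.get("id", ""))
    if path == "/go":                          # redirects wherever url says
        return 302, {"Location": params.get("url", "/")}, ""
    return 404, {"Content-Type": "text/plain"}, "not found"

# (path, parameter) pairs; in a real scan these come from the crawl.
TARGETS = [("/search", "q"), ("/files/", None), ("/download", "file"),
           ("/ping", "host"), ("/product", "id"), ("/go", "url")]

def is_html(resp):
    return resp[1].get("Content-Type", "").startswith("text/html")

# Passive checks only look at a response the scanner already holds.
PASSIVE = [
    ("Directory listing", lambda r: re.search(r"Index of /", r[2]) is not None),
]

# Active checks send a payload and look for its effect.
ACTIVE = [
    ("Reflected XSS", f"<{MARK}>",
     lambda r: is_html(r) and f"<{MARK}>" in r[2]),             # markup survives unencoded, in HTML
    ("Path traversal", "../../../../etc/passwd",
     lambda r: re.search(r"root:x:0:0", r[2]) is not None),     # contents of the known file
    ("OS command injection", f";echo {MARK}",
     lambda r: re.search(rf"^{MARK}$", r[2], re.M) is not None),  # marker alone on a line: executed
    ("SQL injection", "'",
     lambda r: re.search(r"SQL syntax|ORA-\d+|unterminated quoted string", r[2]) is not None),
    ("Open redirection", f"https://{MARK}.example/",
     lambda r: r[0] in (301, 302, 303, 307, 308)
               and r[1].get("Location", "").startswith(f"https://{MARK}.example/")),
]

def scan(targets=TARGETS):
    """Return a list of (issue, path, parameter) findings."""
    findings = []
    for path, param in targets:
        baseline = app(path, {param: "1"} if param else {})
        for issue, check in PASSIVE:
            if check(baseline):
                findings.append((issue, path, param))
        if param is None:
            continue
        for issue, payload, check in ACTIVE:
            if check(app(path, {param: payload})):
                findings.append((issue, path, param))
    return findings

if __name__ == "__main__":
    for issue, path, param in scan():
        print(f"{issue}: {path} param={param}")
```

Two of the checks illustrate why scanners corroborate rather than pattern-match. The `/ping` endpoint reflects the XSS probe too, but in a `text/plain` body, so the content-type condition stops it being reported as XSS while the command-injection check still fires on the marker appearing on its own line. The `/product` endpoint reflects input as well, but HTML-encoded, so only the database error triggered by a quote is reported. Real scanners additionally use time delays and out-of-band callbacks for blind variants that this toy does not model.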

Automated scanners commonly rely on a single methodology for application security testing - this is one of the reasons for the high number of false positives produced by some scanners. Burp Scanner draws on a varied arsenal of techniques to produce a more comprehensive picture. This blend of application security testing (AST) techniques maximizes coverage, while corroborating each finding to keep false positives to a minimum.

What is the best vulnerability scanner?

There are no true benchmarks for evaluating a vulnerability scanner, as each one will usually have its own strengths and weaknesses depending on your use case. Bear in mind that even if a vendor presents benchmarking criteria for their scanner, this data has the potential to lean heavily in their favor. Whatever your use case, it's important to select the type of scanner that comes packaged the way you need it - so you can hit the ground running.

PortSwigger's application security testing products both use the same underlying web vulnerability scanner - Burp Scanner. Whether you want software designed for an individual tester looking to improve workflows, or enterprises wanting to scale and automate, there's a Burp Suite for everyone.

Frequently asked questions

The reliability of a vulnerability scanner will depend on the testing techniques it runs, as well as how frequently its crawling logic is updated. Automated scanners are able to detect a wide variety of vulnerability types, but are not currently a complete replacement for human-guided penetration testing.

All web vulnerability scanners produce false positives to a greater or lesser extent. Burp Scanner uses multiple AST techniques to corroborate results, and thus minimize false positives.

Scanners can't pick up all types of vulnerabilities - their reliability depends on factors such as testing type, and sophistication of crawl logic. Vulnerabilities with standard signatures, such as cross-site scripting (XSS), can be reliably discovered.

More complex, non-standard vulnerability types are much harder to detect with an automated scanner. These include vulnerabilities that involve modifying a parameter's value in a way that has meaning within the application - for example, broken access controls, where the scanner would need to understand which user should be allowed to see which record. If an automated scanner tries to find vulnerabilities like these, it is likely to return a high number of false positives.

Yes. The vulnerabilities found will also vary based on the type of scanning technique used. Some vulnerability scanners can be configured to run custom scans, which would naturally produce different results.

Using a vulnerability scanner may result in unexpected effects in some applications. Until you are fully familiar with its functionality and settings, you should only use a vulnerability scanner against non-production systems.

You should always check the legality of web vulnerability scanning against the applications you are testing, before using a vulnerability scanner. You should also ensure you have the target site owner's written permission to carry out vulnerability scanning before commencing any such activity. Scanning without permission is a criminal offence in most jurisdictions.

While some aspects of penetration testing can be automated, manual testing is still not fully replaceable with automation. Vulnerability scanning is therefore separated from penetration testing by the manual aspects of the testing process, such as lateral thinking, or human-guided intuitions. Our recommended approach is to combine both manual and automated testing, to provide the highest level of security assurance.

Not all vulnerability scanners are completely anonymous, but most will give you the option to adjust the anonymity settings. PortSwigger places a high value on Burp Suite users' privacy. This means that whilst we do collect some basic usage data, you can easily turn that off. And in this case, off means "off".