How can web vulnerability scanning help me to find vulnerabilities?
What is vulnerability scanning?
Vulnerability scanning is commonly considered to be the most efficient way to check your site against a huge list of known vulnerabilities - and identify potential weaknesses in the security of your applications.
Vulnerability scanning can be used as part of a standalone assessment, or as part of a continuous overall security monitoring strategy.
More capable scanners may be able to delve further into an application by utilizing more advanced techniques. Pioneering application security testing techniques mean that Burp Scanner, the engine powering Burp Suite application security testing products, can find vulnerabilities many other scanners would miss, such as asynchronous SQL injection and blind SSRF.
Web vulnerability scanners work by automating several processes. These include application spidering and crawling, discovery of default and common content, and probing for common
vulnerabilities.
There are two primary approaches to vulnerability scanning - passive, and active. A passive scan performs non-intrusive checks, simply looking at items to determine if they are vulnerable.
You can visualize this method by imagining encountering a door, but not touching it to see if it's open or locked. If the door is closed, that marks the end of that branch of your investigation.
An active scan, on the other hand, is a simulated attack on your site in order to assess vulnerabilities as they would appear to an outsider. If you visualize this as a door, the fact that it may be closed would not present a dead end. Instead, your investigation would push you to test the door, perhaps pick the lock, or even force entry.
Some scan types also involve authentication, whereby the scanner uses access permissions to establish if there are further open or closed "doors" within the application. Some scanners are able to acquire
these access permissions themselves, and some will need them provided prior to testing.
The scanner will then produce a report of varying detail, depending on the type of scan performed. This report usually includes the specific request and response that the scanner used to diagnose each reported vulnerability, enabling a knowledgeable user to manually investigate and confirm the bug's existence.
How does a web vulnerability scanner "map" an application?
Some scanners partially automate site mapping using spidering. More modern scanners use crawling - whereby the scanner details all possible paths a user could take and how their journey would be impacted by links
and other navigational transitions.
Modern applications contain a lot of state. For example, on an e-commerce site there might be a page designed to display your "basket" - this page could look almost entirely the same whether you have something in that "basket" or not, with the exception of a "checkout" button. The version of the page that contains a "checkout" button, or items in the "basket", is a separate state that the scanner needs to be able to account for.
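To make the "basket" state problem concrete, here is an added example (not code from the page or from Burp Scanner) with a constructed in-memory stand-in for a shop. A crawler that keys its map on URL alone visits /basket once and never reaches /checkout; keying on (path, fingerprint of the actions the page offers) records both basket states and finds the checkout form.

```python
import re
from collections import deque

# Constructed stand-in for an e-commerce site (not a real application).
# /basket renders differently depending on whether anything has been added.
class ShopApp:
    def __init__(self):
        self.items = []

    def get(self, path):
        if path == "/":
            return '<a href="/basket">basket</a> <a href="/add?item=book">add</a>'
        if path.startswith("/add"):
            self.items.append(path.split("=")[1])
            return '<a href="/basket">basket</a>'
        if path == "/basket":
            if self.items:
                return '<ul><li>book</li></ul> <a href="/checkout">checkout</a>'
            return '<p>Your basket is empty</p> <a href="/">home</a>'
        if path == "/checkout":
            return '<form action="/pay"></form>'
        return "404"

LINK_RE = re.compile(r'href="([^"]+)"')

def fingerprint(html):
    """Identify a page state by the navigational actions it offers (links,
    forms) rather than its full text, so cosmetic changes don't multiply states."""
    links = tuple(sorted(set(LINK_RE.findall(html))))
    return (links, html.count("<form"))

def crawl(app, key_by_state):
    """Breadth-first crawl from "/". key_by_state=False is URL-only spidering
    (each path visited once); True treats each (path, fingerprint) as a node."""
    seen, queue, states = set(), deque(["/"]), []
    while queue:
        path = queue.popleft()
        html = app.get(path)
        key = (path, fingerprint(html)) if key_by_state else path
        if key in seen:
            continue
        seen.add(key)
        states.append(key)
        queue.extend(LINK_RE.findall(html))
    return states
```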
High-performance scanners will generally give you options for customization at various stages of your scan - including scan set-up, targeting scope, vulnerabilities to assess for, and detail of post-scan
reports produced.
What are the common vulnerabilities detected by automated scanning?
Several categories of common vulnerabilities can be detected by scanners with a degree of reliability. Some scanners can detect a wider range of vulnerabilities, for example if their logic is more
frequently updated. Regular updates can play a big part in maintaining your security posture - once a vulnerability becomes public, it's also public to hackers. This is something to consider when
selecting your vulnerability scanning tool.
Vulnerabilities reliably detected by run-of-the-mill scanners include, but are not necessarily limited to:
Reflected cross-site scripting (XSS)
Automated scanners typically send test strings containing HTML markup and search the responses for these strings, enabling them to detect basic XSS flaws.
Straightforward directory listings
This type of vulnerability can be identified by requesting the directory path, and looking for a response containing text that looks like a directory listing.
Directory traversal
Some path traversal vulnerabilities can be detected by submitting a traversal sequence targeting a known file, and searching the response for the appearance of this file.
Some command injection vulnerabilities
These types of vulnerability can often be detected by injecting a command that causes a time delay, or echoes a specific string into the application's response.
SQL injection
This allows an attacker to interfere with queries that an app makes to its database. This can sometimes be detected using basic payloads designed to cause recognizable error messages.
Open redirection
A scanner tests for these vulnerabilities by submitting payloads designed to test whether a parameter can cause redirection to an arbitrary external domain.
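The response checks described for each category above, written out as an added example (not Burp Scanner's code). Each function takes the evidence a report entry would carry (the marker sent, the response body or timing observed) and says whether it supports the finding; the XSS case also shows the classic false positive, an HTML-encoded echo of the canary. All sample strings and the `[known-file-marker]` placeholder are constructed.

```python
import re

# Recognizable database error fragments (real message texts; list is illustrative).
SQL_ERROR_RE = re.compile(
    r"You have an error in your SQL syntax|unterminated quoted string|ORA-\d{5}"
)
# Text that looks like a web server directory listing.
DIR_LISTING_RE = re.compile(r"<title>Index of /|Parent Directory")

def xss_reflected(canary, body):
    """Reflected XSS evidence: the markup canary comes back byte-for-byte.
    An HTML-encoded echo (&lt;canary&gt;) does not count."""
    return canary in body

def sql_error(body):
    """SQL injection evidence: a recognizable database error message."""
    return SQL_ERROR_RE.search(body) is not None

def directory_listing(body):
    return DIR_LISTING_RE.search(body) is not None

def traversal(body, known_file_marker):
    """Path traversal evidence: content of the targeted known file appears."""
    return known_file_marker in body

def time_delay(baseline_ms, observed_ms, injected_delay_s):
    """Command injection via time delay: response took about the injected
    delay longer than baseline (80% tolerance absorbs network jitter)."""
    return observed_ms - baseline_ms >= 0.8 * injected_delay_s * 1000

def open_redirect(location_header, external_host):
    """Open redirect evidence: Location points at the supplied external domain."""
    m = re.match(r"https?://([^/]+)", location_header or "")
    return m is not None and m.group(1).lower() == external_host.lower()

def triage(f):
    """Return 'evidence' or 'no-evidence' for one constructed report entry."""
    checks = {
        "xss": lambda: xss_reflected(f["canary"], f["response"]),
        "sqli": lambda: sql_error(f["response"]),
        "dirlist": lambda: directory_listing(f["response"]),
        "traversal": lambda: traversal(f["response"], f["marker"]),
        "cmdi": lambda: time_delay(f["baseline_ms"], f["observed_ms"], f["delay_s"]),
        "redirect": lambda: open_redirect(f["location"], f["external_host"]),
    }
    return "evidence" if checks[f["type"]]() else "no-evidence"
```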
Automated scanners commonly rely on a single methodology for application security testing - this is one of the reasons for the high number of false positives produced by some scanners. Burp Scanner
draws from a varied arsenal of techniques to produce a more comprehensive picture. This unique blend of AST techniques maximizes coverage, while producing minimal false positives.
What is the best vulnerability scanner?
There are no true benchmarks for evaluating a vulnerability scanner, as each one will usually have its own strengths and weaknesses depending on your use case. Bear in mind that even if a vendor presents benchmarking criteria for their
scanner, this data has the potential to lean heavily in their favor. Whatever your use case, it's important to select the type of scanner that comes packaged the way you need it - so you can hit the ground running.
PortSwigger's application security testing products both use the same underlying web vulnerability scanner - Burp Scanner. Whether you want software designed for an individual tester looking to improve workflows, or enterprises wanting
to scale and automate, there's a Burp Suite for everyone.
I've been using Burp Suite for over 10 years to expose hard-to-find vulnerabilities in web applications for my clients. The addition of the vulnerability scanner helps speed up the testing process and provides a baseline level of analysis on all parts of the web application, and allows me to focus efforts on the more advanced, harder-to-find vulnerabilities.
Source: TechValidate survey of PortSwigger customers
How reliable are vulnerability scanners at finding bugs?
The reliability of a vulnerability scanner will depend on the testing techniques it runs, as well as how frequently its crawling logic is updated. Automated scanners are able to detect a wide variety
of vulnerability types, but are not currently a complete replacement for human-guided penetration testing.
Do vulnerability scanners produce false positives?
All web vulnerability scanners produce false positives to a greater or lesser extent. Burp Scanner uses multiple AST techniques to corroborate results, and thus minimize false positives.
What sort of coverage can I expect from a vulnerability scanner?
Scanners can't pick up all types of vulnerabilities - their reliability depends on factors such as testing type, and sophistication of crawl logic. Vulnerabilities with standard signatures,
such as cross-site scripting (XSS), can be reliably discovered.
More complex, non-standard vulnerability types are much harder to detect with an automated scanner. These include vulnerabilities that involve modifying a parameter's value in a way that has
meaning within the application - for example, broken access controls. If an automated scanner tries to find vulnerabilities like these, it's likely to return a high number of false positives.
Do different vulnerability scanners get different results?
Yes. The vulnerabilities found will also vary based on the type of scanning technique used. Some vulnerability scanners can be configured to run custom scans, which would naturally produce
different results.
Are vulnerability scanners safe for beginners to use?
Using a vulnerability scanner may result in unexpected effects in some applications. Until you are fully familiar with its functionality and settings, you should only use a vulnerability scanner
against non-production systems.
Is it legal to use a vulnerability scanner?
You should always check the legality of web vulnerability scanning in the applications you are testing, before using a vulnerability scanner. You should also ensure you have a target site owner's
permission to carry out vulnerability scanning before commencing any such activity. Doing so without permission is illegal.
Is vulnerability scanning the same as penetration testing?
While some aspects of penetration testing can be automated, manual testing is still not fully replaceable with automation. Vulnerability scanning is therefore separated from penetration testing by
the manual aspects of the testing process, such as lateral thinking, or human-guided intuitions. Our recommended approach is to combine both manual and automated testing, to provide the highest
level of security assurance.
How private are vulnerability scanners?
Not all vulnerability scanners are completely anonymous, but most will give you the option to adjust the anonymity settings. PortSwigger places a high value on Burp Suite users' privacy. This means
that whilst we do collect some basic usage data, you can easily turn that off. And in this case, off means "off".