Commissioned News Story (Source: Netsparker)
Automatic versus manual. A heavily debated subject whatever you speak of, and it is no different in the web application security industry. Should you do a manual penetration test or automatically scan all your websites with an automated web application security scanner? With which process you would find most vulnerabilities and which one has the best return on investment?
In reality you need a bit of both. Actually, with today’s complex web application you cannot do without automation. By automating the majority of a penetration test, i.e. scan your website with a web vulnerability scanner you ensure that the security audits are more accurate, detect more vulnerabilities and save time. And when you save time you keep costs lows and have enough time to finalize the penetration test with a manual check for logical vulnerabilities.
In this article I will walk you through the different stages of a web application penetration test which help in highlighting the fact that automation is a must in web application security.
Web Application Coverage – Identifying the Attack Surface
The first thing you do before auditing the security of a website is find all the possible attack surfaces, or as they are also called possible point of entries. Attack surfaces can be input fields such as those found in contact forms, shopping carts and login forms, parameters in the URL and also hidden parameters in the code. Now let’s keep in mind that a typical medium sized modern web application can have hundreds or even thousands of such inputs and many of which are very difficult to identify.
An automated web application security scanner such as Netsparker has a crawler component which is specifically built for this purpose; to crawl the web application and identify all possible attack surfaces so they can be checked if they are vulnerable to cross-site scripting, SQL injection and other type of web application vulnerabilities and security issues. Typically the scanner crawls such a website in less than an hour and automatically identifies all attack surfaces. Would you do this manually? In theory yes you can. In practise? Definitely not! It would take days, even weeks for a seasoned penetration tester to accomplish such a task, not to mention the high chances of missing input fields.
It is very important to identify all possible attack surfaces, else not all can be tested. And a malicious attacker only needs to find one vulnerable input field to hack a web application.
Identifying Vulnerabilities and Security Flaws in a Timely Manner
During an automated web application security scan each possible attack surface is checked for hundreds of different vulnerabilities within a few hours. The same as with the crawling, it is impossible to do such task manually.
A typical modern and small web application can contain at least 100 possible attack surfaces. If it takes a security professional at least a minute to complete each test (and he needs to be really good and quick to do it that fast) it will still take him around 83 working hours to test each input parameter for at least 50 different vulnerability variants. That is roughly 10 man days of checking for routine things. This is an unsustainable amount of time, and task.
We humans are prone to make mistakes especially when we do repetitive but yet complex work, while automated tools are build to do exactly that. Take advantage of such tools and always automated the repetitive in web application security.
Identifying More Web Application Vulnerabilities
If a web application is audited manually, the security audit is limited to the knowledge of the penetration tester. On the other hand, a heuristic web application security scanner has a vast list of web application vulnerabilities and security checks that is backed by a whole team of security engineers and researchers that regularly update it to include new attack vectors, bypasses and security checks.
Identifying Low Hanging Fruit Vulnerabilities
Many security professionals claim that automated tools will only identify low hanging fruit and technical vulnerabilities. True, but history has showed us that the majority of successful web application attacks exploited a technical vulnerability such as an SQL Injection or Cross-site Scripting. Very rarely attackers exploited logical vulnerabilities.
This does not mean you should ignore logical vulnerabilities, but you should automate the repetitive and use the saved up time to identify logical vulnerabilities. If you try to do both manually you will not manage to keep up with the development of the web application and the myriad of new attack variants.
Identifying Logical Vulnerabilities
There are two types of web application vulnerabilities, logical and technical vulnerabilities. Technical vulnerabilities are vulnerabilities in the code which can be identified by automated tools, such as the popular SQL Injection and Cross-site Scripting vulnerabilities. Logical vulnerabilities are vulnerabilities in the logic of the web application and not the code, hence only a person who is familiar with the scope of the web application can identify such vulnerabilities.
What is a Logical Vulnerability?
An advertising agency launches a promotion that gives away $100 to anyone who buys $100 worth of adverts. Though even when users buy less than $100 worth of advertising, the web application still gives away the free $100. Even though this is not a vulnerability in the code of the web application this is still a vulnerability which attackers can abuse.
Scanning Many Web Applications and Keeping Them Secure
The problem of identifying vulnerabilities and security flaws in web applications can get really worse when you have tens or even hundreds of web applications. In such cases it is not viable nor practical to do manual penetration tests. How can you quickly identify all the vulnerable web applications in case of a vulnerability outbreak, such as heartbleed? A desktop based web application security scanner will not scale up and do the job. Instead you should look into an online web application security scanner, which is purposely built to scale up and has the necessary tools to allow teams to collaborate and ensure all vulnerabilities are remediated before they are exploited by malicious hackers.
Web Application Security Convenience
Nowadays businesses heavily depend on web applications. New functionality is frequently being added to web applications to keep up with the business requirements. Every change that is applied should be tested prior to being implemented on the live servers. If you have an easy to use web application security scanner your own employees can scan the new web application changes and remediate any vulnerabilities the scanner reports prior to it being used in a live environment, without slowing down the deployment process.
You Need Automated Web Security Tools to Complete the Job
The benefits of automated tools can be many when it comes to web application security. Apart from saving time and ensuring accurate penetration tests, you can also save on budget too. If you use an easy to use and false positive free web application security scanner your own QA and testing teams can do the vulnerability scans, even if they are not web security experts. Since the scanner’s results are accurate they do not have to verify its findings so no training is required.
Emulate Malicious Hackers – Hack Your Website
Malicious hackers do not have access to the web applications’ code therefore they use automated black box scanners to scan websites in the hope of identifying vulnerabilities. Unfortunately most of the time they do identify vulnerabilities. As a matter of fact many internet security and monitoring organizations claim that at least a website is hacked every five seconds.
Therefore by emulating malicious hackers and using a web application security scanner to identify web application vulnerabilities in your websites and web applications is the best way to go about it. There is definitely no better way to secure your web applications.
Web Application Security Done Right
To recap it all, It is humanly impossible and unsustainable to manually audit a modern web application and check if it is vulnerable for every type of known and unknown vulnerability without making a mistake or within a respectable time frame. At the same time it is impossible for an automated tool to find all vulnerabilities. A perfect example is the OWASP Top 10 list. As explained in An Automated Scanner That Finds All OWASP Top 10 Security Flaws you have to do both automated scans and manual audits to identify all the vulnerabilities listed in the OWASP Top 10. Therefore even if you are thinking of hiring a penetration tester rather than doing the job yourself, If they do not use automated web security tools I recommend you to look somewhere else.
In web application security automated tools should not and will not replace the human factor, but the human alone cannot do a good job without using automated web security tools.