4. Scanning a website for vulnerabilities

The next step in website testing is automated vulnerability scanning. Scanners let you quickly identify many vulnerabilities, some of which are hard to find through manual testing alone. It is generally recommended to use at least two scanners, because their results can differ. Factors to consider when using automated scanners:

  • Scanners can only test for vulnerabilities they were designed for. For example, if a program is designed to search only for Command Injection, it won't be able to detect vulnerabilities like CSRF or SQL Injection.
  • A scanner might miss an existing vulnerability or flag a false positive. Always verify the results. In practice, this means the tester analyzes the results and replicates actions manually.
  • Scanner activity generates a lot of "noise", since it produces a large volume of suspicious traffic. This can trigger responses from Web Application Firewalls (WAF), Intrusion Prevention Systems (IPS), anti-DDoS devices, or the hosting provider itself, which in turn affects the scan results.
  • In some cases, a scanner might temporarily disrupt the site or damage its database.

If using a scanner is not possible or prohibited, manual testing is the only option. However, it takes much more time and there's a risk of missing vulnerabilities. This is why checklists are often used in manual testing.
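To show how the "use two scanners and verify the results" advice works in practice, here is an added example (not part of the course material) that merges two scanner reports and separates findings both tools agree on from findings only one tool reported, which are the ones to replicate manually first. The report layouts (a simplified ZAP-style and a simplified Nikto-style JSON) and the category keyword table are constructed for the example and are not the real tools' schemas.

```python
import json
from urllib.parse import urlsplit

# Constructed sample reports (not real scanner output): a simplified
# ZAP-style report and a simplified Nikto-style report for the same host.
ZAP_REPORT = json.dumps({"site": [{"@name": "https://shop.example.test", "alerts": [
    {"alert": "X-Frame-Options Header Not Set", "riskdesc": "Medium",
     "instances": [{"uri": "https://shop.example.test/login?next=/"}]},
    {"alert": "SQL Injection", "riskdesc": "High",
     "instances": [{"uri": "https://shop.example.test/search?q=1"}]},
]}]})
NIKTO_REPORT = json.dumps([{"host": "shop.example.test", "vulnerabilities": [
    {"id": "999957", "url": "/login",
     "msg": "The anti-clickjacking X-Frame-Options header is not present."},
    {"id": "003092", "url": "/backup.zip",
     "msg": "This might be interesting: backup archive found."},
]}])

# Each tool words the same issue differently; map wording onto a common
# category so findings from both tools can be compared (hypothetical table).
CATEGORY_KEYWORDS = {"x-frame-options": "missing-x-frame-options",
                     "sql injection": "sqli", "backup": "exposed-backup"}

def categorize(text):
    t = text.lower()
    for kw, cat in CATEGORY_KEYWORDS.items():
        if kw in t:
            return cat
    return "other:" + t[:30]

def normalize_path(url):
    # Drop scheme, host and query so both tools name the same page the same way.
    return urlsplit(url).path or "/"

def parse_zap(raw):
    findings = set()
    for site in json.loads(raw)["site"]:
        for alert in site["alerts"]:
            for inst in alert["instances"]:
                findings.add((normalize_path(inst["uri"]), categorize(alert["alert"])))
    return findings

def parse_nikto(raw):
    findings = set()
    for host in json.loads(raw):
        for vuln in host["vulnerabilities"]:
            findings.add((normalize_path(vuln["url"]), categorize(vuln["msg"])))
    return findings

def triage(zap_raw, nikto_raw):
    """Findings seen by both tools vs. findings only one tool reported."""
    z, n = parse_zap(zap_raw), parse_nikto(nikto_raw)
    return {"confirmed_by_both": sorted(z & n), "verify_manually": sorted(z ^ n)}

if __name__ == "__main__":
    for bucket, items in triage(ZAP_REPORT, NIKTO_REPORT).items():
        print(bucket, items)
```

Findings in "verify_manually" are not necessarily false positives; they are simply the ones where the scanners disagree, so they get replicated by hand before being reported.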

There are numerous scanners available, both commercial and free. Here is a list of some programs:

Commercial:

  • Burp Suite Pro
  • Nessus
  • Qualys
  • Acunetix

Free:

  • Nikto
  • OWASP ZAP
  • Wapiti
  • OpenVAS

In this course, we will explore the functionality of some free scanners.