Web Application Testing – Automated or Manual?

Pentest People take a look at the differences between automated and manual Web Application Testing


Web Application Penetration Testing

Web applications often store PII and provide sensitive functionality. Because of this, web applications have become popular targets for malicious threat actors. Successful compromise of a web application may lead to loss of sensitive data, loss of reputation and access to the underlying server. It is crucial that web applications are thoroughly tested to ensure that they do not pose a security risk.

At Pentest People, we are regularly asked what level of penetration testing is needed for a web application, and the answer is entirely dependent on the web application, what data is held within it and the client's requirements. The purpose of this article is to discuss the differences between a manual penetration test and a vulnerability scan.

What is a Penetration Test?

A Penetration Test is a simulated attack, carried out manually by a trained security consultant. The consultant will follow a methodology to look for known vulnerabilities and common attack vectors. Vulnerabilities are verified, a proof of concept is created and mitigation advice is issued within the context of a report.

Vulnerability scanning is part of our methodology for a full penetration test; however, the consultant will also be looking for business logic flaws and more in-depth vulnerabilities, such as weak or broken access controls that allow users to view other users' sensitive data.

What is a Vulnerability Scan?

A vulnerability scan uses automated tools to look for ‘low hanging fruit’, loosely defined as obvious vulnerabilities that require little or no skill to locate. Vulnerability scanners are not intelligent. They are good at finding issues such as missing HTTP security headers (for example, X-Frame-Options absent from HTTP responses), but they will not identify business logic vulnerabilities such as the ability to view one user's data from another user's account.
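As an added illustration that is not part of the Pentest People article, the constructed toy endpoint below shows why these two checks differ: the header check is a mechanical lookup any automated tool can run, while the cross-account check needs two valid sessions and knowledge of which record belongs to which user. All users, tokens and records here are constructed sample data.

```python
# Added example: a scanner-style header check next to a manual-style
# access-control check, run against a tiny in-memory endpoint.
SECURITY_HEADERS = ("X-Frame-Options", "X-Content-Type-Options",
                    "Strict-Transport-Security")

# Constructed sample data: two users, each owning one private record.
RECORDS = {1: {"owner": "alice", "secret": "alice-invoice"},
           2: {"owner": "bob", "secret": "bob-invoice"}}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


def handle(path, token, check_owner):
    """Minimal /records/<id> endpoint. check_owner=False models the
    broken access control described in the text: any logged-in user
    can read any record. Security headers are always present."""
    headers = {"X-Frame-Options": "DENY",
               "X-Content-Type-Options": "nosniff",
               "Strict-Transport-Security": "max-age=31536000"}
    user = SESSIONS.get(token)
    if user is None:
        return {"status": 401, "headers": headers, "body": None}
    record = RECORDS.get(int(path.rsplit("/", 1)[1]))
    if record is None:
        return {"status": 404, "headers": headers, "body": None}
    if check_owner and record["owner"] != user:
        return {"status": 403, "headers": headers, "body": None}
    return {"status": 200, "headers": headers, "body": record["secret"]}


def missing_security_headers(response):
    """Scanner-style check: a pure lookup, no knowledge of the app needed."""
    return [h for h in SECURITY_HEADERS if h not in response["headers"]]


def cross_account_leak(check_owner):
    """Manual-style check: authenticate as alice, request bob's record (id 2).
    Returns True if bob's data comes back, i.e. access control is broken."""
    resp = handle("/records/2", "tok-alice", check_owner)
    return resp["status"] == 200 and resp["body"] == RECORDS[2]["secret"]


def compare(check_owner):
    """Run both checks; the vulnerable app passes the first and fails the second."""
    resp = handle("/records/1", "tok-alice", check_owner)
    return {"missing_headers": missing_security_headers(resp),
            "cross_account_leak": cross_account_leak(check_owner)}


if __name__ == "__main__":
    print("vulnerable app:", compare(check_owner=False))
    print("fixed app:     ", compare(check_owner=True))
```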

These should in no way be considered full penetration tests. As with a penetration test, the vulnerabilities discovered and mitigation advice will be issued in a report; however, the findings will not be verified, nor will a proof of concept be created. The findings from the automated tools are taken at face value and will typically include false positives. Verifying these issues is left to the company in question.

When is it Necessary to Perform These Types of Tests?


When should I perform a Penetration Test?

A Penetration Test should always be performed before any automated security scanning. Automated scanning does not provide a thorough assessment of the application.

A report with no critical or high risk vulnerabilities from an automated scan cannot be considered a clean bill of health for the application. 


When should I perform a Vulnerability scan?

Once a full penetration test has been completed, vulnerability scanning should be arranged at quarterly intervals.

A penetration test is a snapshot in time, so quarterly vulnerability scanning should be undertaken to look for any obvious changes between penetration tests.

OWASP

OWASP (the Open Web Application Security Project) is a leading organisation that focuses on publishing web application vulnerabilities and mitigation advice. It is well known for its ‘Top 10’, a report that is regularly updated with the latest threats to application technologies.

OWASP Top 10 Comparison

For each OWASP Top 10 category, the table compares what an application penetration test delivers against what a vulnerability scan delivers.

Category: Injection Vulnerabilities
Application Penetration Test: Detection, Exploitation, Proof of concept, Verification of Vulnerabilities, No false positives
Vulnerability Scan: Limited detection, Likely false positives

Category: Broken Authentication
Application Penetration Test: Detection, Exploitation, Proof of concept, Verification of Vulnerabilities, No false positives
Vulnerability Scan: Limited detection, Likely false positives

Category: Sensitive Data Exposure
Application Penetration Test: Detection, Exploitation, Proof of concept, Verification of Vulnerabilities, No false positives
Vulnerability Scan: Limited detection, Likely false positives

Category: External Entities (XXE)
Application Penetration Test: Detection, Exploitation, Proof of concept, Verification of Vulnerabilities, No false positives
Vulnerability Scan: Limited detection, Likely false positives

Category: Broken Access Control
Application Penetration Test: Detection, Exploitation, Proof of concept, Verification of Vulnerabilities, No false positives
Vulnerability Scan: None

Category: Security Misconfiguration
Application Penetration Test: Detection, Exploitation, Proof of concept, Verification of Vulnerabilities, No false positives
Vulnerability Scan: Limited detection, Likely false positives

Category: Cross-site Scripting
Application Penetration Test: Detection, Exploitation, Proof of concept, Verification of Vulnerabilities, No false positives
Vulnerability Scan: Limited detection, Likely false positives

Category: Insecure Deserialization
Application Penetration Test: Detection, Exploitation, Proof of concept, Verification of Vulnerabilities, No false positives
Vulnerability Scan: None

Category: Using Components with Known Vulnerabilities
Application Penetration Test: Detection, Exploitation, Proof of concept, Verification of Vulnerabilities, No false positives
Vulnerability Scan: None

Category: Insufficient Logging & Monitoring
Application Penetration Test: SOC Readiness assessments available
Vulnerability Scan: None
