Web Application Testing -
Manual vs Automated

Pentest People take a look at the differences between automated
and manual Web Application Testing


What Level of Testing is Required for Web Applications?

Web Applications often store PII and provide sensitive functionality. Due to this, Web Application Penetration Testing have become a popular target for malicious threat actors. Successful compromise of a web application may lead to losing sensitive data, reputation, and access to the underlying server. Web applications must be thoroughly tested to ensure that they do not pose a security risk.

At Pentest People, we are regularly asked about what level of penetration testing is needed for a web application, and the answer is entirely dependent on the web application, what data is held within it and client requirements. The purpose of this article is to discuss the differences between a manual penetration test and a vulnerability scan.

What is a Manual Penetration Test?

A Penetration Test is a simulated attack, carried out manually by a trained security consultant. The consultant will follow a methodology to look for known vulnerabilities and common attack vectors. Vulnerabilities are verified, a proof of concept is created and mitigation advice is issued within the context of a report.

Vulnerability scanning is part of our methodology for a full penetration test, however, the consultant will be looking for business logic and more in-depth vulnerabilities such as weak/broken access controls that allow users to view others sensitive data.

What is an Automated Vulnerability Scan?

A vulnerability scan uses automated tools to look for ‘low hanging fruit’ which is loosely defined as obvious vulnerabilities that require little or no skill to locate. Vulnerability scanners are not intelligent, they are good for finding vulnerabilities such as ‘Missing HTTP security headers’ like X-frame options missing from HTTP responses, however, they will not identify business logic vulnerabilities like the ability to view one user's data from another account. These should, in no way, be considered full penetration tests.

Similar to a penetration test, the vulnerabilities discovered, and mitigation advice will be issued in a report, however, the findings will not be verified, nor will a proof of concept be created. The findings from the automated tools are trusted, which will typically include false positives. The verification of these issues will be down to the company in question.

Pentest People Are Trustworthy & Experienced

Which Option is Best?

When is it Necessary to Perform
These Types of Tests?

When should I perform a Penetration Test?

A Penetration Test should always be performed before any automated security scanning. Automated scanning does not provide a thorough assessment of the application.

A report with no critical or high risk vulnerabilities from an automated scan cannot be considered a clean bill of health for the application.

When should I perform a Vulnerability scan?

Once a full penetration test has been completed, vulnerability scanning should be arranged at quarterly intervals.

A Penetration Test is a snapshot in time, quarterly vulnerability scanning should be undertaken to look for any obvious changes between penetration tests.