Limitations of web security testing tools

Source: Internet
Author: User

This post discusses the principle behind security vulnerability scanning and the limitations of scanning tools.

First, the principle behind scanning tools:

A scanning tool can be viewed as two parts: a crawler plus a checking mechanism. The crawler's job is to collect the complete set of links on the site; the checking mechanism then verifies those links one by one.

The limitations of scanning tools:

Limitation 1: Scanning may not be comprehensive

How comprehensively a website can be scanned depends largely on the crawler's ability to collect links. I have written crawlers myself, so I know how they work: send a request to a given entry address, extract the links from the returned content, then request each extracted link, and repeat. Links written directly in the HTML are easy to extract; links generated by JavaScript are somewhat harder to extract; links generated by Flash are very hard to extract. Someone will now bring up image CAPTCHAs. When we test, we can ask the site to give us the green light and temporarily disable the CAPTCHA, so that does not count. With the spread of Ajax, the crawler's ability to collect links is stretched even further. This exposes the first limitation of scanning tools: the scan may not be comprehensive.
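As an added example (not code from the original article), here is a minimal crawler of the kind described above: request a page, extract its links, request those, repeat. The site, its page bodies, the URLs and the offline `fetch_offline` function are all constructed for the demonstration; the page under `/admin/panel` is reachable only through a link that JavaScript assembles at runtime, so the crawler never finds it.

```python
# Added example, not code from the original article: a minimal crawler of the
# kind the article describes (request a page, extract links, request those links,
# repeat). All page content, URLs and the fetch function are constructed so
# that it runs offline.
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample site: one page with plain HTML links, a JavaScript-built
# link, and a Flash object whose internal links are invisible to the parser.
SITE = {
    "http://example.test/": """
        <html><body>
          <a href="/about">About</a>
          <a href="/login">Login</a>
          <script>
            // assembled at runtime: a static HTML parser never sees "/admin/panel"
            var base = "/admin/";
            document.write('<a href="' + base + 'panel">Admin</a>');
          </script>
          <object data="menu.swf"></object>
        </body></html>""",
    "http://example.test/about": "<html><body><a href='/'>Home</a></body></html>",
    "http://example.test/login": "<html><body><form action='/login' method='post'></form></body></html>",
    # reachable only through the JavaScript-generated link above
    "http://example.test/admin/panel": "<html><body><a href='/admin/users'>Users</a></body></html>",
}


def fetch_offline(url):
    """Stand-in for an HTTP GET; returns the constructed page body or None."""
    return SITE.get(url)


class LinkExtractor(HTMLParser):
    """Collect <a href> targets, resolved against the page URL.

    HTMLParser treats <script> content as raw text, so the link built by
    document.write() is never reported as a tag."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value:
                self.links.append(urljoin(self.base_url, value))


def extract_links(html, base_url):
    parser = LinkExtractor(base_url)
    parser.feed(html)
    return parser.links


def crawl(start_url, fetch=fetch_offline, limit=100):
    """Breadth-first crawl: request each URL, extract its links, queue unseen ones."""
    seen = {start_url}
    queue = [start_url]
    while queue and len(seen) < limit:
        url = queue.pop(0)
        body = fetch(url)
        if body is None:
            continue
        for link in extract_links(body, url):
            if link not in seen:
                seen.add(link)
                queue.append(link)
    return sorted(seen)


def uncrawled_pages(start_url="http://example.test/"):
    """Pages that exist on the constructed site but the crawler never reached."""
    reached = set(crawl(start_url))
    return sorted(set(SITE) - reached)


if __name__ == "__main__":
    print("reached:", crawl("http://example.test/"))
    print("missed:", uncrawled_pages())
```

The gap between `crawl()` and `uncrawled_pages()` is exactly the coverage a scanner silently lacks: nothing in the scan output says the admin page exists, so the only way to learn it was skipped is to compare against an independent inventory of the application, which is what the manual review at the end of this post is for.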

Limitation 2: Ineffective against websites that suppress error messages

If you feel that incomplete scanning can be overcome by repeated analysis and repeated tests from different entry addresses, this limitation is a little harder than the one above. It is mainly a limitation of the "checking mechanism". The checking mechanism matches links or forms of a specific format against specific simulated attack cases and then runs those simulated attacks. We know that an attack is a request/response process, so the result of an attack can only be seen in the response. Take SQL injection as an example: when a parameter value of 1' is sent to the backend, the scanning tool decides that there is a SQL injection vulnerability if the returned page content contains SqlException. But if the site has set up a custom error page, so that on any exception it jumps straight to an error page that says "Error!" and nothing else, how is the tool supposed to decide whether there is a vulnerability? Do you go to the developers and ask, "Would you please remove the error page?" To tell you the truth, our haughty development staff will certainly not give you a friendly look.
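As an added example (not code from the original article), this is the response check an error-based checking mechanism applies after sending a probe like the 1' above, run against two constructed responses: one that leaks the raw exception and one that is a generic error page. The signature list is illustrative and not any particular product's; the response bodies are constructed.

```python
# Added example, not from the original article: the kind of response check a
# scanner's checking mechanism applies after sending a probe such as id=1',
# run against two constructed responses. The signature list is illustrative,
# not any particular product's.
import re

# Error fragments a checker would look for in the response body (illustrative).
SQL_ERROR_SIGNATURES = [
    re.compile(r"SqlException", re.IGNORECASE),
    re.compile(r"You have an error in your SQL syntax", re.IGNORECASE),
    re.compile(r"unterminated quoted string", re.IGNORECASE),
    re.compile(r"ORA-\d{5}"),
]

# Constructed response 1: the site leaks the raw exception after the probe.
VERBOSE_RESPONSE = """<html><body>
<h2>Server Error in '/' Application.</h2>
<p>System.Data.SqlClient.SqlException: Unclosed quotation mark after the
character string '1''.</p>
</body></html>"""

# Constructed response 2: the same failure, but the site redirects every
# exception to a generic error page that says nothing about the cause.
GENERIC_RESPONSE = """<html><body>
<h1>Error!</h1>
<p>Something went wrong. Please try again later.</p>
</body></html>"""


def matched_signatures(body):
    """Patterns of the signatures found in a response body."""
    return [sig.pattern for sig in SQL_ERROR_SIGNATURES if sig.search(body)]


def scanner_verdict(body):
    """What an error-based check reports for one response."""
    return "sql-injection" if matched_signatures(body) else "no finding"


def compare():
    """Same backend defect, two different verdicts."""
    return {
        "verbose error page": scanner_verdict(VERBOSE_RESPONSE),
        "generic error page": scanner_verdict(GENERIC_RESPONSE),
    }


if __name__ == "__main__":
    for page, verdict in compare().items():
        print(f"{page}: {verdict}")
```

The backend defect is identical in both cases; only the evidence differs. A generic error page is good practice because it stops information leakage, but "no finding" from this check says nothing about whether the injection exists, which is why such spots belong in the manual inspection list rather than being signed off on the strength of a clean scan.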

Limitation 3: Not suited to certain scenarios

Limitation 3 is somewhat similar to limitation 2, but its nature is different: limitation 3 refers to specific scenarios. The principle by which scanning tools find bugs was covered in 1 and 2 above, so here I will give two examples. Consider how a scanning tool could be used to find these two vulnerabilities; if it cannot, that is a limitation of scanning tools. First example: a website allows users to register and, once registered, to modify their personal information, and there is a SQL injection vulnerability in the place where personal information is modified. We know that the SQL for modifying personal information is generally roughly update [userinfo] set password='1111', email='[email protected]' where uid='boy'. If a user changes their password by setting it to 1111'-- then, if there is a SQL injection vulnerability, the password of every registered user becomes 1111. Is there a vulnerability here? Yes! But can the tool find it? Unless you look in the database, you will not find this problem at all. Second example: on-site messaging, which we use a lot. Suppose the messaging feature has an XSS vulnerability, and A sends B a malicious script. From A's side it looks no different from sending an ordinary message, so the scanning tool cannot find the problem unless you log in as account B to scan. This sounds simple, but in practice it is quite difficult: how do you know that when the scanning tool simulates the attack and sends a message to B it is not instead sending it to C, D or E? So this setup is also unrealistic. In the same way, the model where a message is posted on the public site and then audited in an admin console has similar problems.
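As an added example (not code from the original article), the first scenario above run against an in-memory SQLite table: the profile-update handler built by string concatenation, as in the article's query, beside the same handler with bound parameters. The table, its three users, the handler shape and the "Profile updated" response are all constructed; the point is that both handlers return the identical response, so a scanner watching responses has nothing to match, while the database contents differ completely.

```python
# Added example, not code from the original article: the profile-update
# injection the article describes, run against an in-memory SQLite table.
# The table, users, handler shape and the "Profile updated" response are
# all constructed for the demonstration.
import sqlite3


def new_db():
    """Constructed userinfo table with three registered users."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE userinfo (uid TEXT PRIMARY KEY, password TEXT, email TEXT);
        INSERT INTO userinfo VALUES ('boy',   'secret1', 'boy@example.test');
        INSERT INTO userinfo VALUES ('girl',  'secret2', 'girl@example.test');
        INSERT INTO userinfo VALUES ('admin', 'secret3', 'admin@example.test');
    """)
    return conn


def update_profile_vulnerable(conn, uid, password, email):
    """Builds the UPDATE by string concatenation, as in the article's example."""
    sql = (f"UPDATE userinfo SET password='{password}', email='{email}' "
           f"WHERE uid='{uid}'")
    conn.execute(sql)
    conn.commit()
    # This is all the client, and therefore the scanner, ever sees.
    return "Profile updated"


def update_profile_safe(conn, uid, password, email):
    """Same operation with bound parameters; the value cannot alter the query."""
    conn.execute("UPDATE userinfo SET password=?, email=? WHERE uid=?",
                 (password, email, uid))
    conn.commit()
    return "Profile updated"


def passwords(conn):
    """Current uid -> password mapping, the view only the database has."""
    return dict(conn.execute("SELECT uid, password FROM userinfo ORDER BY uid"))


def demo(password="1111'--", uid="boy", email="boy@example.test"):
    """Run the same request through both handlers on fresh databases."""
    vuln_db, safe_db = new_db(), new_db()
    resp_vuln = update_profile_vulnerable(vuln_db, uid, password, email)
    resp_safe = update_profile_safe(safe_db, uid, password, email)
    return {
        "responses identical": resp_vuln == resp_safe,
        "vulnerable handler": passwords(vuln_db),
        "safe handler": passwords(safe_db),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

With the vulnerable handler the `--` turns the rest of the statement into a comment, so the `WHERE uid='boy'` clause is gone and every row is updated; with bound parameters the literal string `1111'--` simply becomes boy's password and the other users are untouched. Because the response is the same either way, this is a case for reading the database (or the code) during testing rather than trusting the tool's verdict.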

The above is just a list of three points, meant to remind you to pay attention to more than just the tool. Testing is not something you can finish by picking up a tool. I am not saying that people should not use tools, but that the tools should be used correctly. After a test request is submitted, first analyse which areas the tool may not cover, put those under manual inspection, and leave the rest to the tool for a full-site coverage scan.
