Heuristic vs Signature-Based Web Vulnerability Scanners
Read on to learn the difference between these two types of web application vulnerability scanners, and which one would meet your needs.
There are two different kinds of web application vulnerability scanners: heuristic and signature-based scanners. This article explains how both types of scanners work and what type of vulnerabilities they can find in web applications.
How Do Signature-Based Web Application Security Scanners Work?
Signature-based scanners rely on a database of signatures for known vulnerabilities. Therefore, for a scanner to recognize a vulnerability, a signature for that specific vulnerability has to be added to its database first.
This means that these scanners need to be updated regularly, because an update is released every time a new vulnerability is found in a specific web application. Usually, signature-based scanners do not run any additional security checks to determine whether the detected vulnerability is actually exploitable. Their checks rely only on unreliable indicators, such as the version strings reported by the target web application, file paths, and directory structures.
As a result, signature-based web security scanners are more prone to reporting false positives. For example, if a patch is applied manually to a web application without changing the version file, a signature-based scanner will still report the vulnerability, which is a false positive. This also means that signature-based scanners can only scan known, off-the-shelf web applications such as WordPress, Joomla!, and Drupal.
A popular signature-based scanner is WPScan, which scans WordPress websites, including their plugins and themes, for known vulnerabilities. Another popular signature-based scanner is Nikto, which scans for server misconfigurations and dangerous files.
How Do Heuristic Web Application Security Scanners Work?
Heuristic web vulnerability scanners do not need a database to detect vulnerabilities. They do not rely on signatures of already discovered security bugs. They are able to determine if a web application is vulnerable by actively probing for vulnerability classes, such as Cross-site Scripting (XSS) and SQL Injection vulnerabilities.
This means that heuristic web vulnerability scanners are able to find 0-day vulnerabilities in a web application, unlike signature-based scanners. Heuristic web application security scanners also do not need to be updated as often as signature-based ones, and they can scan and find vulnerabilities in any type of off-the-shelf or custom-built web application and web service.
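The following example, added here and not taken from Netsparker, WPScan, or any other scanner, contrasts the two approaches described in the two sections above in a few dozen lines of Python. The signature side matches an advertised version string against a constructed advisory database (product names, version numbers, and advisory identifiers are all made up), and shows the false positive that occurs when a backported patch leaves the version file unchanged and the blind spot for an application the database does not know. The heuristic side never consults a database: it submits an inert marker and classifies, from the response body alone, whether the application reflects it HTML-encoded or raw. The marker and the two sample responses are constructed inline so the whole thing runs offline.

```python
"""Signature matching versus behavioural (heuristic) checking, as a toy.

Constructed for illustration; not the code of any real scanner.
"""
import re
from html import escape

# --- Signature-based check -------------------------------------------------
# Constructed advisory database: each entry names the product, the first
# version that carries the fix, and a placeholder advisory identifier.
SIGNATURE_DB = [
    {"product": "exampleblog", "fixed_in": (4, 2, 1), "issue": "EXAMPLE-ADV-0001"},
    {"product": "exampleblog", "fixed_in": (4, 3, 0), "issue": "EXAMPLE-ADV-0002"},
    {"product": "examplecart", "fixed_in": (2, 0, 5), "issue": "EXAMPLE-ADV-0003"},
]


def parse_version(banner):
    """Extract an 'x.y.z' version from a version file or banner as a tuple."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def signature_scan(product, version_banner):
    """Report every advisory whose fix version is newer than the advertised one.

    This is the entire check: nothing about the application's behaviour is
    verified, so a manually patched install with a stale version file is
    reported anyway, and a product missing from the database is never reported.
    """
    version = parse_version(version_banner)
    if version is None:
        return []
    return [
        sig["issue"]
        for sig in SIGNATURE_DB
        if sig["product"] == product and version < sig["fixed_in"]
    ]


# --- Heuristic check -------------------------------------------------------
# An inert marker (letters and digits only) wrapped in characters that a
# correctly encoding application must escape before echoing them back.
CANARY = "nsprobe7x"
PROBE = f"<{CANARY}>"


def reflection_heuristic(response_body):
    """Classify how the submitted probe comes back in the page body.

    'reflected-unencoded' means the angle brackets were echoed verbatim, i.e.
    this input is not being HTML-encoded; that is the observation a heuristic
    scanner starts from, with no signature involved.
    """
    if PROBE in response_body:
        return "reflected-unencoded"
    if escape(PROBE) in response_body or CANARY in response_body:
        return "reflected-encoded"
    return "not-reflected"


# Constructed responses, as a web application might render the probe.
SAFE_RESPONSE = f"<p>You searched for: {escape(PROBE)}</p>"
UNSAFE_RESPONSE = f"<p>You searched for: {PROBE}</p>"


if __name__ == "__main__":
    # A 4.2.0 install with ADV-0001 backported by hand: the signature check
    # still flags it because it only looks at the version string.
    print("signature, stale version file:", signature_scan("exampleblog", "Version 4.2.0"))
    # A custom application is invisible to the signature check entirely.
    print("signature, unknown product:", signature_scan("customapp", "1.0.0"))
    # The heuristic check judges the behaviour it observes, not a version.
    print("heuristic, encoding app:", reflection_heuristic(SAFE_RESPONSE))
    print("heuristic, non-encoding app:", reflection_heuristic(UNSAFE_RESPONSE))
```

The two functions make the trade-off concrete: `signature_scan` is cheap and precise about which known issue it thinks it has found, but it is only as good as its database and the honesty of the version string; `reflection_heuristic` needs no database and works on any application, but it reports a class of weakness rather than a named issue and has to be run against every input the crawler finds.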
Examples of 0-Day Vulnerabilities Identified by a Heuristic Web Vulnerability Scanner
As part of our regular testing of the Netsparker web application scanner, we scan an ever-changing list of open source web applications. In the last few years, we have identified thousands of zero-day vulnerabilities in such web applications, and as of today, we have published over 150 advisories. We do not publish an advisory for every vulnerability we discover, for a number of reasons, which is why the number of advisories is lower than the number of identified vulnerabilities.
A few examples of 0-day issues Netsparker identified are:
- Cross-site Scripting vulnerability in the HESK helpdesk software
- Cross-site Scripting vulnerability in OpenCart
- DOM XSS vulnerability in WordPress Twenty Fifteen default theme
None of the above vulnerabilities was previously known, so a signature-based scanner would not have warned the user about them.
Using Both Signature-Based and Heuristic Web Vulnerability Scanners
Clearly, a heuristic web security scanner can do much more than a signature-based scanner in terms of security, but don't write off signature-based scanners either. They also have their advantages.
For example, if you want to scan a WordPress website for known vulnerabilities and security weaknesses, the signature-based scanner WPScan will do a very good job and deliver the scan results quickly. In such cases, a heuristic scanner is overkill. However, to scan a complex custom application for unknown security bugs, you should use a heuristic web application security scanner.
Published at DZone with permission of Sven Morgenroth, DZone MVB. See the original article here.