Heuristic vs Signature-Based Web Vulnerability Scanners

Read on to learn the difference between these two types of web application vulnerability scanners, and which one would meet your needs.

By Sven Morgenroth
Nov. 16, 17 · Security Zone · Analysis

There are two different kinds of web application vulnerability scanners: heuristic and signature-based scanners. This article explains how both types of scanners work and what type of vulnerabilities they can find in web applications.

How Do Signature-Based Web Application Security Scanners Work?

Signature-based scanners rely on a database of signatures for known vulnerabilities. Therefore, for a scanner to recognize a vulnerability, a signature for that specific vulnerability has to be added to its database first.

This means that these scanners need to be updated regularly, because an update is released every time a new vulnerability is found in a specific web application. Usually, signature-based scanners do not run any additional security checks to determine whether or not the detected vulnerability is exploitable. Their checks rely only on a number of unreliable indicators, such as the version details and numbers of the target web application, file paths, and directory structures.

This means that signature-based web security scanners are more prone to reporting false positives. For example, if a patch is applied manually to a web application without changing the version file, a signature-based scanner will still report the vulnerability, which is a false positive. This also means that signature-based scanners can only scan known, off-the-shelf web applications such as WordPress, Joomla!, and Drupal.

A popular signature-based scanner is WPScan, which scans WordPress websites and their plugins and themes for known vulnerabilities. Another popular signature-based scanner is Nikto, which scans for server misconfigurations and dangerous files.

How Do Heuristic Web Application Security Scanners Work?

Heuristic web vulnerability scanners do not need a database to detect vulnerabilities. They do not rely on signatures of already discovered security bugs. They are able to determine if a web application is vulnerable by actively probing for vulnerability classes, such as Cross-site Scripting (XSS) and SQL Injection vulnerabilities.

This means that heuristic web vulnerability scanners are able to find 0-day vulnerabilities in a web application, unlike signature-based scanners. Heuristic web application security scanners also do not need to be updated as often as signature-based ones, and they can scan and find vulnerabilities in any type of off-the-shelf or custom-built web application and web service.
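The two behaviours described above (a signature check that reports a false positive after a manual patch, and a heuristic check that still works on a custom application absent from any database) can be seen side by side in the following added example. It is not code from the article or from any of the scanners it names; the signature database, version numbers and the two mock applications are all constructed for illustration.

```python
import html
import secrets

# Constructed signature database: application name -> first version that is fixed.
# The application name and version are placeholders, not a real advisory.
SIGNATURES = {"exampleapp": (1, 2, 3)}


def parse_version(version_string):
    """Turn '1.2.2' into (1, 2, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version_string.split("."))


def signature_scan(app_name, version_string):
    """Flag the target purely from the version it advertises, as a signature-based
    scanner does. Nothing about the application's actual behaviour is examined."""
    fixed_in = SIGNATURES.get(app_name)
    return fixed_in is not None and parse_version(version_string) < fixed_in


def heuristic_reflection_check(handler):
    """Send a unique marker containing HTML metacharacters and see whether it comes
    back unencoded. A verbatim reflection means user input reaches the page without
    output encoding (the precondition for the XSS class); an encoded or absent
    marker means no evidence of that weakness."""
    marker = "<mk" + secrets.token_hex(6) + ">"
    return marker in handler(marker)


# Constructed mock applications. Both advertise version 1.2.2; only the
# 'manually patched' one encodes its output, as a hand-applied fix would.
def unpatched_app(query):
    return "<p>Results for " + query + "</p>"


def manually_patched_app(query):
    return "<p>Results for " + html.escape(query) + "</p>"


def scan(app_name, version_string, handler):
    """Run both kinds of check against one target and report their verdicts."""
    return {
        "signature": signature_scan(app_name, version_string),
        "heuristic": heuristic_reflection_check(handler),
    }


if __name__ == "__main__":
    # Signature says 'vulnerable' for both (version file unchanged): one is a false positive.
    print("unpatched:", scan("exampleapp", "1.2.2", unpatched_app))
    print("patched:  ", scan("exampleapp", "1.2.2", manually_patched_app))
    # A custom app is absent from the database: only the heuristic check can flag it.
    print("custom:   ", scan("customapp", "0.1", unpatched_app))
```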

Examples of 0-Day Vulnerabilities Identified by a Heuristic Web Vulnerability Scanner

As part of our regular testing of the Netsparker web application scanner, we scan an ever-changing list of open source web applications. In the last few years, we have identified thousands of zero-day vulnerabilities in such web applications, and as of today, we have published over 150 advisories. We do not publish an advisory for every vulnerability we discover, for a number of reasons, which is why the number of advisories is lower than the number of identified vulnerabilities.

A few good examples of 0-day issues Netsparker identified are:

  • Cross-site Scripting vulnerability in the HESK helpdesk software
  • Cross-site Scripting vulnerability in OpenCart
  • DOM XSS vulnerability in WordPress Twenty Fifteen default theme

None of the above vulnerabilities was previously known, so a signature-based scanner would not have warned the user about them.

Using Both Signature-Based and Heuristic Web Vulnerability Scanners

Clearly, a heuristic web security scanner can do much more than a signature-based scanner in terms of security, but don't write off signature-based scanners either. They also have their advantages.

For example, if you want to scan a WordPress website for known vulnerabilities and security weaknesses, the signature-based scanner WPScan will definitely do a very good job and can deliver the scan results very fast. In such cases, a heuristic scanner is overkill. However, to scan a complex custom application for unknown security bugs, you should use a heuristic web application security scanner.

Published at DZone with permission of Sven Morgenroth, DZone MVB. See the original article here.
