With a pentest, we carry out both manual and automated tests. Besides using renowned security tooling to support the research, our researchers focus on manual test methods. This is because automated scans inherently have many limitations. For example, an automatic scan can often not interpret the results it finds, which a security expert is able to do. Other limitations of automatic scans include:
- Differences between web applications: an automated scan tool is typically able to find many vulnerabilities in popular products (such as Drupal, WordPress, Magento), since a vulnerability in such a product would have a great impact for all of its users. Custom-built products are less likely to have automated scan tools built for them, so existing vulnerabilities in such a product are less likely to be found by a scanner.
- Syntax and semantics: automated scan tools are able to understand the syntax, or technical meaning, of every vulnerability that is found, but not its semantics, that is, the importance of such a vulnerability in its business context. For example, in a shopping cart, being able to modify the delivery date of a product to a date in the past is relatively harmless, but being able to modify the price of a product is a serious security flaw. An automated scan tool is not able to interpret this difference in semantics.
- Improvisation: the use of custom communication elements between website and server is often an indication that a security weakness may be present. Automatic scan tools are unable to improvise and use such indications to investigate whether there is actually a security vulnerability. Nor can they circumvent security measures that are primarily aimed at stopping the scanning tools themselves rather than at addressing the underlying vulnerability.
- Intuition: an automated scan largely operates by attempting every attack against every part of the website, a so-called brute-force way of scanning. However, some vulnerabilities require intuition and manual inspection in order to be discovered. Examples include attacks where input needs to be crafted in a specific way, or where specific input needs to be inserted in a specific sequence.