Wednesday, 3 September 2014

Automation in Testing: Works Or Not?

This is by no means an exhaustive piece of writing based on long research, but rather just my own opinion.

Just a few days ago, I was given a target by a friend to test. To be specific, the target happened to be a web application, a shopping site; I was given a single customer account on the website and was supposed to provide a report of all the security findings.

Usually, what I would do is a thorough scan for reconnaissance and then start attacking the target, but since it was the middle of the night and I didn't really feel like firing up Burp and configuring the proxy to manually test the web application by going through each request and response, I instead fired up a few automation tools for testing web applications. I provided the target, filled in all the details the tools required to do their so-called complete test, and went to sleep for 7-8 hours (I guess). In the morning (it was more like afternoon), I woke up and checked on the scanners I had left running, but what I found was that the scanners didn't find anything except things like "The site doesn't have SSL" and "Information in the headers could be useful", and I was like, whaaat?? I told myself that there had to be parameters vulnerable to injections and this was just crazy.

I didn't waste a second, since I had to provide the report in due time, and configured my browser with Burp. I started looking at the requests and responses coming from the target's server, and it didn't take me more than 30 minutes to find out that the search bar in the web application didn't properly encode the input it was given, which led to a "Reflected (aka Non-Persistent) Cross-Site Scripting" vulnerability, and just a little later I found another vulnerability, SQL injection in one of the product parameters.
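As an added illustration of the two findings above (not code from the original post), here is a constructed Python sketch contrasting a search page that reflects the query unencoded with one that HTML-encodes it, and a product lookup that concatenates the id with one that binds it as a parameter; the templates, table contents and probe string are all hypothetical.

```python
import html
import sqlite3

# Constructed, hypothetical search-results template (not from the original post).
def render_results_unsafe(query: str) -> str:
    """Reflect the search term into the page exactly as received."""
    return f"<h2>Results for: {query}</h2>"

def render_results_safe(query: str) -> str:
    """Reflect the search term with HTML entity encoding for text context."""
    return f"<h2>Results for: {html.escape(query, quote=True)}</h2>"

# Harmless marker a manual tester would type into the search box.
PROBE = '<b id="probe">x</b>'

def reflects_unencoded(render, probe: str = PROBE) -> bool:
    """True when the raw probe comes back verbatim, i.e. output encoding is missing."""
    return probe in render(probe)

def setup_db() -> sqlite3.Connection:
    """Constructed in-memory product table standing in for the shop's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products(name) VALUES (?)", [("Lamp",), ("Chair",)])
    return conn

def lookup_product_unsafe(conn: sqlite3.Connection, product_id: str) -> list:
    """The product parameter is spliced into the SQL text, so it can change the query."""
    rows = conn.execute(f"SELECT name FROM products WHERE id = {product_id}").fetchall()
    return [row[0] for row in rows]

def lookup_product_safe(conn: sqlite3.Connection, product_id: str) -> list:
    """The product parameter is bound as data; a non-numeric id simply matches nothing."""
    rows = conn.execute("SELECT name FROM products WHERE id = ?", (product_id,)).fetchall()
    return [row[0] for row in rows]
```

The checks are the kind of thing a manual review catches in minutes: the unsafe renderer echoes the probe back untouched, and the concatenated lookup returns every product for an id that is not a number.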

Penetration testing using automation tools is, in my opinion, like throwing stones in the dark hoping to hit a target, but that doesn't necessarily mean they don't work. Automation is pretty much necessary when it comes to penetration testing in real time; you wouldn't want to look through thousands of requests and responses and manually inspect each one of them, would you? But it's not good practice to just keep trusting what these automation tools give you.

1 comment:

  1. Your article is very interesting. I am a pentester myself and face the same issue. What I have discovered while doing an automated scan is I only look for vulnerabilities which are HIGH and ignore all the rest. Automated reports can be given to clients for their future reference; however, the vulnerabilities you can find manually, specifically in web applications, cannot always be found with automated tools. When I am scanning I usually fire up 3-4 automated tools on a VM and forget them for at least a day; on the other hand I am looking for interesting things from Google, manually crawling the website, and end up with very good results.

    Best of luck Amin with your website, hope to see more articles and your experiences.

    Best Regards