Although different, manual and automated penetration testing are not mutually exclusive. Deployed together they can result in effective and efficient coverage of a web application. But what are the advantages and disadvantages of each, and how do both processes work together when testing a web application?
Automated penetration testing makes life easier
As web applications become more advanced, the surface of attack also increases. This means that the number of tests and avenues of exploration that need to be performed also becomes larger. This is the first major advantage of running automated penetration tools, the tool can perform a number of checks faster than a manual test effort by order of magnitude.
For example, if testing for the presence of sensitive files a fuzzing tool can be deployed, with a list of thousands of common file and directory names and it could make requests to all of them within a few seconds, rather than potentially hours when doing it manually.
Using a proxy is important an important tool to use when automating web application penetration testing. The tool allows you to capture and view the requests and traffic that is passed between the user and the web application. Tools like OWASP’s Zed Attack Proxy (ZAP) or PortSwigger’s Burp Suite, which both perform automated passive scanning against all requests. This service can highlight some of the simpler bugs or vulnerabilities that the tester may have overlooked, such as misconfigured security headers or unvalidated redirects.
Automation’s negatives are manual’s positives
The shortcomings of automated testing are the positives of manual testing. An automated tool is only going to be testing for the vulnerabilities that have been included within its database and is at the mercy of the last time it was updated. A manual tester will be constantly furthering their knowledge and pursuing more fine-tuned and project specific bugs.
Due to an automated tool’s limited ability at processing responses or being unable to know the context of a web application’s actions, the tools can highlight a number of false positives. It would not be useful for either developers or stakeholders to receive a boilerplate report produced directly from the results of an automated penetration test; time and unnecessary concern would be wasted on bug reports that aren’t relevant or appropriate.
An automated tool will have no “knowledge” of the application logic, that’s where a manual testers experience can shine through. Having an intimate knowledge of the expected functionality, user-roles, permissions, and business logic allows a tester to think outside of the box; and test for things such as broken access control and elevated privileges.
Automated and manual – working in harmony
The heart of a successful penetration testing project is harmony between the automated and manual test approaches. Automated tools help you to test efficiently performing the time-intense and repetitive tasks, whilst a manual tester can spend their time investigating the results and getting stuck-in with the more divergent attack vectors.