Invasive vs. non invasive web application security scan

When evaluating an automated web application security tool, such as Acunetix WVS, the first two questions that typically one would ask are “Does this tool perform an invasive scan or not?”, “Will it damage my website?” Many people ask this question since it is of a common occurrence that after scanning their website or web applications with a typical automated black box scanner, the tendency is that they get flooded with garbage emails, or non sense posts and comments on web 2.0 web applications, such as a blog. Even worse, if the automated scanner is configured and or given access to a database driven CMS administrator interface, the chances that you end up with garbage data in the database, deleted records and a non functional web application are very high.

Why does it happen?
Automated web application security tools and scanners are designed to send data that the target cannot handle, in this case a website or a web application. In reality though, the automated scanner is only following a number of links and forms (e.g. a link in an administrator interface could lead to a deletion of a database record) and trying to submit bogus data, of which the end result could lead to vulnerability. This is why it is always important to launch such scans against test environments. If a test environment is not available, make sure to backup all your data and that you can restore it quickly before launching an automated scan, unless you want to spend a couple of sleepless nights.

What does a non invasive scan do?
There are automated scanners that have settings, or scanning profiles which help you launch a non invasive scan against your target. Though don’t be fooled by the ‘non invasive scan’ term. A non invasive scan will only tickle your website or web application, and will not dig deep enough to check for real security issues. E.g. a non invasive scan will not launch parameter manipulation tests, such as SQL Injection and XSS attacks (invasive security checks), which as we’ve seen in the last 5 years, they are two of the major web applications security treats. A non invasive scan will only launch some very basic “security” checks against the target, such as text searches, file checks, version checks and some other basic checks, which typically do not lead a malicious user to a website or web application defacement.

Therefore, as you might have already concluded for yourself, a non-invasive scan is more of a marketing term used from software companies to help them sell more, than an actual useful security feature. What is the use of running a non-invasive scan against a web application if the scope of the scan is to properly secure a web application?

Don't miss