When evaluating an automated web application security tool such as Acunetix WVS, the most common questions are “Does this tool perform invasive scans?” and “Will it damage my website?”. Such questions are understandable, because black-box scanners are known to cause email floods and to leave garbage blog posts and comments behind. If the scanner is configured to log in to the administrator interface of a database-driven CMS, the chances of garbage data being injected into the database or, worse, of records being deleted and a live web application being damaged, are indeed very high.
Why does it happen?
Automated web application security scanners are designed to send data that the target web application is not expecting. In practice, though, the scanner is simply crawling the site: it follows every link it discovers (a link in an administrator interface may well delete a database record when it is requested) and submits bogus data into every form it finds, and the end result of those requests can be a damaged application rather than a reported vulnerability. This is why such scans should always be launched against a test or staging environment. If none is available, back up all your data before launching any scan so that it can be restored quickly should anything go wrong, unless you want to spend a couple of sleepless nights repairing everything piece by piece. Where possible, also keep the administrator interface and any other URL that changes state out of the scan scope, and scan with an account that cannot delete anything.
So, what does a non-invasive scan do?
Some automated scanners include settings, or scanning profiles, designed to help you launch a non-invasive scan against your target; but don’t be fooled by the term ‘non-invasive scan’. A non-invasive scan will only tickle your website or web application, and will not dig deep enough to check for real security issues. For example, a non-invasive scan will not launch parameter manipulation tests such as SQL injection and XSS attacks (invasive security checks), which, as we’ve seen in the last five years, are two of the major web application security threats. A non-invasive scan will only launch some very basic “security” checks against the target, such as text searches, file checks, version checks and a few other basic tests, which typically cannot alter or damage the site or web application.
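To make the difference between the two scan types, and the damage described earlier, concrete, here is an added example in Python. It is not Acunetix code and not part of the original post: a constructed toy CMS whose admin page exposes record deletion through a plain GET link and whose comment form echoes its input, scanned first with a crawl-everything-and-inject profile and then with a fixed-path-only profile. The names ToyCms, invasive_scan, non_invasive_scan, run_profile and the exclude pattern are assumptions of the example, and the URL exclusion illustrates the general practice of keeping admin paths out of scope rather than any particular product setting.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed toy CMS (assumption: stands in for any database-driven site).
# Each GET returns (body, links_found, forms_found), i.e. what a crawler
# would parse out of the HTML of that page.
class ToyCms:
    def __init__(self):
        self.posts = {1: "Hello world", 2: "Second post", 3: "Third post"}
        self.comments = []

    @staticmethod
    def _int(q, key):
        try:
            return int(q.get(key, ["0"])[0])
        except ValueError:
            return 0

    def get(self, url):
        u = urlparse(url)
        q = parse_qs(u.query)
        if u.path == "/":
            return "Welcome", ["/admin/", "/post?id=1"], []
        if u.path == "/post":
            body = self.posts.get(self._int(q, "id"), "not found")
            # A comment form: an invasive scan will submit it with attack payloads.
            return body, [], [{"action": "/comment", "fields": ["name", "body"]}]
        if u.path == "/admin/":
            # The classic footgun: deletion reachable through a plain GET link.
            return "Admin", [f"/admin/delete?id={pid}" for pid in list(self.posts)], []
        if u.path == "/admin/delete":
            self.posts.pop(self._int(q, "id"), None)
            return "deleted", [], []
        if u.path == "/robots.txt":
            return "User-agent: *\nDisallow: /admin/", [], []
        return "not found", [], []

    def post(self, action, data):
        if action == "/comment":
            self.comments.append(data)
            return "Thanks, " + data["body"]  # echoes input unescaped (reflected)
        return "not found"


# Constructed attack payloads, one SQL-injection style and one XSS style.
PAYLOADS = ["' OR 1=1--", "<script>alert(1)</script>"]


def invasive_scan(app, exclude=()):
    """Crawl every discovered link and submit every form with each payload.
    Links matching an exclude regex are never requested."""
    seen, queue, findings = set(), ["/"], []
    while queue:
        url = queue.pop(0)
        if url in seen or any(re.match(pat, url) for pat in exclude):
            continue
        seen.add(url)
        _, links, forms = app.get(url)   # the GET itself may change state
        queue.extend(links)
        for form in forms:
            for payload in PAYLOADS:
                resp = app.post(form["action"], {f: payload for f in form["fields"]})
                if payload in resp:       # input came back verbatim
                    findings.append(("reflected-input", form["action"], payload))
    return findings


def non_invasive_scan(app):
    """Only request a fixed list of well-known files; never follow discovered
    links and never submit a form, so nothing on the target can change."""
    findings = []
    for path in ("/robots.txt", "/phpinfo.php", "/.git/config"):
        body, _, _ = app.get(path)
        if body != "not found":
            findings.append(("exposed-file", path))
    return findings


def run_profile(profile, exclude=()):
    """Scan a fresh ToyCms with the given profile and report findings plus
    the side effects left on the application."""
    app = ToyCms()
    findings = invasive_scan(app, exclude) if profile == "invasive" else non_invasive_scan(app)
    return {"findings": findings, "posts_left": len(app.posts), "comments": len(app.comments)}


if __name__ == "__main__":
    for name, kwargs in [("invasive", {}), ("invasive", {"exclude": (r"^/admin/",)}), ("non-invasive", {})]:
        print(name, kwargs, run_profile(name, **kwargs))
```

The unrestricted invasive run empties the posts table and leaves two bogus comments behind while reporting that the comment endpoint reflects input; excluding /admin/ from scope saves the posts but the comment flood still happens, which is why a backup is needed even with a careful scope. The non-invasive run changes nothing and only reports robots.txt, and it never learns anything about the comment form at all.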
Therefore, as you might have already concluded for yourself, a non-invasive scan is more of a marketing term used by software companies to sell their products with a false sense of security than an actually useful security feature. What use is there in running a non-invasive scan against a web application if the goal of the scan is to properly secure that application?