Web vulnerabilities can be split into two distinct groups: technical vulnerabilities and logical vulnerabilities. Technical vulnerabilities can be found by automated processes, such as scanning a website with a web vulnerability scanner. Logical vulnerabilities, on the other hand, can only be detected manually. This article explains the difference between technical and logical web vulnerabilities and what to look for to detect both when running a penetration test against a web application.
Technical vulnerabilities originate from the technical content of the website. They are influenced by the programming language used, the development practices, the type of database used, the structure of the database, and so on.
A popular technical web vulnerability is SQL Injection. It is exploited by sending crafted input to a web form or URL parameter that the application does not sanitize. The response received from the web application will include an error, such as an SQL or ODBC error, indicating that the form or parameter is vulnerable to SQL injection.
Automated web scanners can find SQL injections in web applications, since SQL Injection vulnerability can be easily detected using the web application's response. A web vulnerability scanner makes predefined HTTP requests and analyses the responses for errors indicating the possibility of an SQL Injection vulnerability.
Since the requests which cause SQL Injection can be predefined and the responses indicating an SQL Injection vulnerability can be predicted, SQL Injection can be detected automatically using a web vulnerability scanner. Another common technical vulnerability that can be detected automatically is Cross-Site Scripting (XSS).
In reality, the auto-detection of such vulnerabilities (including all their variants) is easier said than done. Advanced web vulnerability scanners such as Acunetix WVS go an extra mile to ensure that there are no false positives in web security scan results.
Technical vulnerabilities are the result of bad coding practices, insecure coding and mistakes in the code itself. In the case of SQL injection and Cross-Site Scripting, the web developer is not properly handling and sanitizing the input submitted by the website visitor before sending it to the database. Therefore the website visitor is able to inject an SQL statement into a website input and have it executed to retrieve any data from the SQL database behind the website.
Logical vulnerabilities are problems in the logic of the web application rather than a problem in the source code. Logical vulnerabilities can be just as devastating for a web application. To demonstrate a logical vulnerability, I am going to purchase 2 concert tickets from an online ticket system. After I choose my favorite band, venue location and number of tickets, before I enter the credit card details the URL in the browser shows the following:
For an automated scanner, the above means that final.asp accepts three input parameters, and it will proceed to try and inject all three, automatically crafting a list of web attacks to check whether final.asp is secure. This might identify various technical vulnerabilities such as the ones explained previously.
However, in this case an automated scanner would not be able to determine the real meaning of the parameters being passed in the URL, which here refer to the concert identification number, the number of tickets being purchased and the price of the transaction. What if we manually alter the URL to the following:
Will the web application accept the request with the new price? Will it still ship the tickets and only charge my credit card €1 or will it deny the request? An automated scanner can still make such changes and manipulate URLs, but will not be able to determine if there is a problem with the logic of the web application; the user is able to get the product at a much lower price.
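The ticket example comes down to one server-side decision: is the price taken from the request, or recomputed from the shop's own catalogue? The following added example (not code from the original article or from any ticketing product) shows a checkout handler that trusts the client-supplied price beside one that derives the amount from a server-side catalogue and also flags a mismatch as a tamper signal worth logging. The parameter names `id`, `qty` and `price`, the concert identifiers and the prices are all assumed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal
from urllib.parse import parse_qs

# Constructed sample catalogue (hypothetical values): concert id -> price per ticket.
CATALOGUE = {
    "101": Decimal("45.00"),
    "102": Decimal("60.00"),
}
MAX_TICKETS_PER_ORDER = 10


@dataclass
class Charge:
    concert_id: str
    quantity: int
    amount: Decimal


def parse_query(query):
    """Turn a URL query string such as 'id=101&qty=2&price=1' into a dict."""
    return {k: v[0] for k, v in parse_qs(query, strict_parsing=True).items()}


def checkout_trusting_client(params):
    """Flawed business logic: the price is read straight from the URL.
    Every value is well-formed, so no input-validation check fires, yet the
    client has decided what it pays."""
    qty = int(params["qty"])
    price = Decimal(params["price"])
    return Charge(params["id"], qty, price * qty)


def checkout_server_priced(params):
    """Corrected logic: the amount is recomputed from the server's catalogue and
    any 'price' parameter in the request is ignored. Quantity is bounded so a
    zero or negative value cannot yield a free or negative order."""
    concert_id = params["id"]
    if concert_id not in CATALOGUE:
        raise ValueError("unknown concert")
    qty = int(params["qty"])
    if not 1 <= qty <= MAX_TICKETS_PER_ORDER:
        raise ValueError("quantity out of range")
    return Charge(concert_id, qty, CATALOGUE[concert_id] * qty)


def price_mismatch(params):
    """Detection hook: True when the submitted price differs from the list price.
    Such a request should be refused and logged; it is a strong sign of URL tampering."""
    listed = CATALOGUE.get(params["id"])
    if listed is None:
        return True
    return Decimal(params["price"]) != listed


if __name__ == "__main__":
    tampered = parse_query("id=101&qty=2&price=1")
    print("trusting client:", checkout_trusting_client(tampered).amount)  # 2
    print("server priced:  ", checkout_server_priced(tampered).amount)    # 90.00
    print("tamper signal:  ", price_mismatch(tampered))                    # True
```

Note that the flaw is invisible to a scanner precisely because both handlers behave "correctly" at the code level: the request parses, the arithmetic is right, and the response is a normal page. Only someone who knows that `price` should never be a client decision can spot it.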
One might mistakenly presume that such logical vulnerabilities are uncommon. Not so long ago, an online advertising company offered $50 worth of free adverts to new subscribers who purchased $50 or more worth of advertising. The system had a flaw in its design: when a new subscriber registered, he or she received the $50 worth of free advertising even without purchasing anything. The web application thus had a huge flaw, and the business was losing a lot of money.
Finding Both Technical and Logical Vulnerabilities
Modern web vulnerability scanners are getting better and better at detecting technical web application vulnerabilities and reporting fewer false positives. Unfortunately, though, not everything can be automated, and web vulnerability scanners can never find logical vulnerabilities like the ones explained above.
That is why you need a complete web security toolbox such as Acunetix WVS rather than just an automated scanner. Acunetix WVS has a number of advanced penetration testing tools that ease the process of manual penetration testing. Securing a website is not just about launching an automated scan; it is a whole procedure, as documented in A complete guide to securing a website.