Evaluating a web vulnerability scanner is not the easiest of tasks. With a multitude of open source and commercial products to choose from, all promising to provide the best of breed scanning functionality, choosing the right web vulnerability scanner is a tough, albeit important decision. In this article, we provide a checklist of things that you should consider when choosing your web vulnerability scanner.

Ease of Use

Web vulnerability scanning is already a difficult topic. While most (hopefully) understand the basics, such as SQL Injection and XSS, not all are experts in operating a web vulnerability scanner. Ideally, most of your time should be spent fixing the vulnerabilities identified by the scanner, rather than figuring out how to operate the scanner.

Broad set of security tests

The web vulnerability scanner should be able to identify more than a few web vulnerabilities. While most scanners are able to identify the basic and most common, the scanner of your choice should be able to identify vulnerabilities that are less widespread too.

Vulnerability variations

Apart from being able to identify a wide range of vulnerabilities, a good vulnerability scanner should be able to check for and report on all the variations of the vulnerabilities detected. Take a Cross Site Scripting (XSS) vulnerability as an example, a web developer might fix the simple version of the vulnerability, but might fail to address the vulnerability when the XSS payload is encoded.

Coverage of Web Technologies

The first step in a vulnerability scan is to crawl the web application. The crawling process will identify all the pages, forms and elements that make up the web application. With the industry pushing for more dynamic web applications, this task is not as simple as it might seem; especially since most web applications make heavy use of JavaScript, HTML5, frameworks such as Google Web Toolkit, Single Page applications and other cutting edge web technologies.

Keeping in mind that a web vulnerability scanner can only scan the pages and elements that are identified at the crawl stage, you should choose a web vulnerability scanner that is able to understand the web technologies used in your web applications, and that the scanner is updated frequently to be able to crawl new technologies moving forward.

Intelligent Scanning

The checks done by various web vulnerability scanners can be defined as isolated, meaning that the scanner will run each check against the web application in isolation from the other checks. Ideally, the results of one check are used as input for other checks.

To give a simple example, a web vulnerability scan might identify email addresses during the scan. Ideally, these email addresses are used during the scan, such as in the login forms of the web application. To give another example, if the web application scanner identifies a developer application, such as a Version Control directory (e.g. GIT or SVN), the web application will try to parse the contents of this application too, as these usually contain confidential information.

Coverage of Content Management Systems

Most organisations use Content Management Systems (CMS) to create content on the site as frequently as needed. Common content management systems include WordPress, Joomla, and Drupal, all of which include their own set of vulnerabilities. You are probably using one of these, thus your web vulnerability scanner should check these for configuration errors and vulnerabilities in these systems too.

Support for Mobile Friendly Web Apps

Most web applications implement a mobile friendly version which is loaded automatically on smartphones and tablets. These often provide the same functionality as the main site, and therefore might be just as vulnerable. Ensure that your web vulnerability scanner is able to scan your mobile friendly site too.

Grey box testing

Most web vulnerability scanners provide black box testing, since they can scan a web site without getting access to the code on the web server. Grey box testing is the ability to install an agent in the web application which interacts with the main scanner during the scan.

Grey box testing enhances the scan results by ensuring complete coverage of the web application and allows the scanner to detect more vulnerabilities, decreases false positives by providing additional validation on the vulnerabilities detected and enhances scan results by providing more information on the vulnerabilities detected, such as the line in the back-end source code where the vulnerabilities lies, or the SQL statement in an SQL Injection vulnerability.

Manual testing tools

A web vulnerability scan does not stop when the automated scan is done.  In most situations, you will then need to verify some of the vulnerabilities detected by the scanner. Ideally a web vulnerability scanner provides tools that are integrated in the product, and allows you to easily reuse vulnerability details in the manual testing tools provided.

Beware of empty claims

While most web vulnerability scanners are genuine, and work very well in the right hands, you need to be vigilant on scanners making empty claims. A common misconception is that a web vulnerability scanner should produce zero false positives. While a web vulnerability scan which includes many false positives is useless, the fact is that some web vulnerabilities cannot be detected with 100% certainty. So a web vulnerability scanner claiming 0 false positives is either not showing that more testing is needed on such vulnerabilities, or not showing them at all.

Acunetix Web Vulnerability Scanner is celebrating its 10th birthday in 2015, meaning it has been constantly developed and refined for a decade, making it one of the leading web app scanners on the market.

Nicholas Sciberras
Principal Program Manager
As the Principal Program Manager, Nicholas is passionate about IT security and technology at large. Prior to joining Acunetix in 2012, Nicholas spent 12 years at GFI Software, where he managed the email security and anti-spam product lines, led multiple customer service teams, and provided technical training.