DAST vulnerability scanners are not that different from virus scanners. In both cases, the goal of the software is to find something out of the ordinary in the target. A virus scanner scans a computer’s local resources and storage to find potentially malicious software. A vulnerability scanner scans some kind of target to find potentially vulnerable software. Both use similar techniques to do so.

Signature-based scanning

In the case of signature-based scanning, the scanner looks for recognizable patterns, which are either prepared by the manufacturer of the scanner or taken from a public database. For example:

  • A virus scanner looks for a certain chain of bytes that are present in a malicious executable file. If it finds that chain of bytes, it assumes that the malicious file has been found.
  • A network scanner looks for a certain response from the server to recognize the exact version of the software that the server uses. It may be as simple as the software actually responding with version information or more complex, for example, recognizing certain typical behavior.
  • An SCA scanner looks for certain elements of code in source code, intermediate code, or binary code to recognize a known component that is being used/imported by the software as well as its exact version.

There are several advantages to signature-based scanning:

  • It is usually quite fast because no operations need to be performed except comparing chains of bytes from the scanner library with chains of bytes received from the target.
  • It is less intrusive and has nearly no side effects.
  • It is very easy for the scanner manufacturer because there is no need to write custom code. There are also public domain signature databases, which can be used to build their own database.

Unfortunately, there are some major disadvantages to this type of scanning, too:

  • It is not always very precise. The signature does not guarantee that the result found is malicious.
  • There is absolutely no proof that the reported result is malicious. Since the scanner only compares signatures, it does not test whether its assumptions are true.
  • Most scanners are limited to known signatures and are unable to recognize mutations (for example, a signature with one different byte), irregularities (for example, a differently configured server), or new threats.

Behavior-based scanning (heuristic scanning)

The other way to scan for malicious content is by actually analyzing the behavior of the target. This means that the scanner needs to understand the way that the target works, not just compare a signature. For example:

  • When a heuristic virus scanner finds a potentially executable file, it may perform reverse engineering on it to check exactly what the code does (to check whether its actions are malicious). It may also try to execute the code in a safe environment to see the results.
  • When a web vulnerability scanner finds an element that allows user input, it tries to “trick the target” by sending unexpected data. It then analyzes the response of the target to see whether it succeeded.

Heuristic scanning has some major advantages:

  • Theoretically, it’s able to find any kind of threat, even a custom one or a zero-day one. Obviously, that depends on how advanced the software is.
  • It’s more precise because it actually checks whether its assumptions are correct. Sometimes, it can even provide proof.

Unfortunately, heuristic scanning has some disadvantages, too:

  • You may find it much more resource-intensive than signature-based scanning. A heuristic scanner needs more time to find results, and it may slow down the target more than a signature-based scanner.
  • Building a good heuristic scanner is very difficult and requires top talent. Unlike with signature-based scanners, every new type of attack has to be programmed and simulated. A heuristic scanner library is not just a list of strings to compare – it requires actual custom software for every type of check.

The best of both worlds

Many professional scanners attempt to use both types of scanning but the primary type greatly depends on the type of scans performed:

  • Virus scanners are almost always primarily signature-based. Some advanced virus scanners have behavior-based scanning, too, but it is often optional (because such scans take more time and resources).
  • Network scanners are almost always signature-based. This is because network scanners focus on finding outdated software versions and misconfigurations, which can be easily recognized using signatures.
  • Web vulnerability scanners are always primarily heuristic but may use signatures where appropriate.

We at Acunetix marry the best of both worlds in the best way possible:

  • The Acunetix scanner is primarily a behavior-based scanner. Our advanced checks are all designed individually and perform safe (mock) attacks. Not only that – in most cases, we can even prove that the attack was successful by showing you, for example, a file that the scanner should never have access to (like your server configuration file). This is a unique ability that most scanners don’t have.
  • Since our scanner also checks for things such as outdated software versions as well as provides SCA functionality, we use some signature-based checks, too, where applicable and where no custom code is needed. This makes scanning faster and less intense on the target – Acunetix is often recognized to be the most efficient scanner on the market.
  • Acunetix goes around the limitations of signature-based scanning, and instead of using hash-based signatures, it can recognize many vulnerabilities even if the code or the response were slightly modified.
  • Our scanner also combines the advantages of signature-based scanning with those of active scanning, sometimes even within the same vulnerability check. For example, if we are able to determine a software version through signature-based scanning, our actual vulnerability check for that software may take the found version into consideration and optimize the test accordingly. This makes the vulnerability check not only faster but also more reliable.

Note that despite the fact that many vulnerabilities found by Acunetix are identified with CVE/CWE codes, we don’t use such databases for anything other than the identification of known vulnerabilities. Vulnerabilities in custom software will not have such codes because the core strength of Acunetix is that it is able to find issues that are not recognized in any database.

Tomasz Andrzej Nidecki
Principal Cybersecurity Writer
Tomasz Andrzej Nidecki (also known as tonid) is a Primary Cybersecurity Writer at Invicti, focusing on Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz has been the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.