What is Website Scanning?
Website scanning, also known as web application scanning or dynamic application security testing (DAST), is a series of automated checks that communicate with a live website to identify potential security vulnerabilities. Unlike static analysis, our website scan simulates actual attacks against the running website.
How it works
During this black-box test, the scanner attempts to detect vulnerabilities by manipulating query strings, headers, URL fragments and HTTP verbs (GET/POST/PUT), and by probing for DOM injection. These methods allow the scanner to identify architectural weaknesses in a website.
The website scan looks for the most common, and most dangerous, web application vulnerabilities. The vulnerability detections used by our website scanning service rely on the OWASP Top 10 and the WASC Threat Classification as primary references.
The vulnerabilities we test for do not always correspond to an item on the Top 10 list, but most of them are related. Website scanning also includes vulnerability IDs for issues not explicitly covered by the OWASP Top 10 but which nevertheless pose a risk to web applications.
The website scan is designed to focus on problems that can be reliably automated, identified accurately, and turned into actionable results. The underlying engine is typically updated six to eight times a year, and its payload/signature sets may be updated daily. This approach allows the TrustedSite website scanning service to respond quickly as new vulnerabilities emerge, as current vulnerability detections are refined, or when false positives are reported from the field.
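To make the black-box probing described above concrete, here is an added Python example (not TrustedSite's scanner code): it injects a unique canary carrying HTML metacharacters into each query-string parameter and into a request header, repeats this for more than one HTTP verb, and reports where the canary comes back unencoded, which is how a scanner flags a reflection point worth deeper checks. The `demo_app` handler is a constructed stand-in for a real site so the example runs offline.

```python
import html
import uuid
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit


def demo_app(method, url, headers):
    """Constructed stand-in for a web application (not a real site).
    It echoes the "q" query parameter unencoded (a reflection flaw) and
    echoes the User-Agent header HTML-escaped (safe)."""
    params = parse_qs(urlsplit(url).query)
    q = params.get("q", [""])[0]
    ua = html.escape(headers.get("User-Agent", ""))
    return f"<p>Search: {q}</p><p>Agent: {ua}</p>"


def make_canary():
    # Unique token wrapped in metacharacters: if the whole string returns
    # verbatim, the application reflected input without encoding it.
    return '<zx' + uuid.uuid4().hex[:12] + 'zx"'


def probe_points(url, send, methods=("GET", "POST")):
    """Return (method, injection point) pairs where the canary is reflected
    verbatim. `send(method, url, headers)` must return the response body."""
    parts = urlsplit(url)
    base_params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    for method in methods:
        # 1. Every existing query-string parameter, one at a time.
        for name in base_params:
            canary = make_canary()
            params = {**base_params, name: [canary]}
            probe = urlunsplit(parts._replace(query=urlencode(params, doseq=True)))
            if canary in send(method, probe, {}):
                findings.append((method, f"query:{name}"))
        # 2. A request header that applications commonly echo into pages.
        canary = make_canary()
        if canary in send(method, url, {"User-Agent": canary}):
            findings.append((method, "header:User-Agent"))
    return findings


if __name__ == "__main__":
    for hit in probe_points("https://example.test/search?q=shoes&page=1", demo_app):
        print("unencoded reflection:", hit)
```

Only the `q` parameter is reported; the escaped User-Agent echo and the untouched `page` parameter are correctly ignored, which is the distinction a scanner needs to keep false positives down.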
Top 10 Website Vulnerabilities
- A1 | Injection
- A2 | Broken Authentication
- A3 | Cross-Site Scripting (XSS)
- A4 | Insecure Direct Object References
- A5 | Security Misconfiguration
- A6 | Sensitive Data Exposure
- A7 | Missing Function Level Access Control
- A8 | Cross-Site Request Forgery (CSRF)
- A9 | Using Components with Known Vulnerabilities
- A10 | Unvalidated Redirects and Forwards