Web applications are popular targets for threat actors; vulnerable applications can offer convenient entry points into an organisation’s network. Because of this, web application security testing is crucial to maintaining a strong security posture.

However, we have noticed some confusion as to whether web application testing can be automated, having received a number of requests for an ‘OWASP Top Ten scan’. Whilst some aspects of web app testing can be automated, we don’t believe a complete test can be delivered by relying on automated methods alone. Read on to understand why and learn more about how web application security testing works.

What is the OWASP Top Ten?

OWASP stands for the Open Web Application Security Project, a non-profit foundation that publishes freely available guidance, tools and standards for application security, including best practice guidelines for web application security testing.

The OWASP Top Ten is an awareness document listing the most critical security risks to web applications. Although it is by no means exhaustive, the OWASP Top Ten is globally recognised as a useful framework for ensuring web apps are protected against the most commonly exploited classes of vulnerability. Security experts like Rootshell Security can also deliver tests against the full OWASP Web Security Testing Guide, which is far more detailed, as a comprehensive alternative.

How is Web App Security Testing Carried Out?

Carrying out web application security testing in line with OWASP guidelines requires the use of several different testing methods, including automated vulnerability scanning tools and manual techniques.

  • A vulnerability scan is an automated method of web application testing, involving the use of scanning tools to identify web app security issues. It’s rare that a single tool can sufficiently assess all areas of a web application, so testers typically utilise multiple tools to deliver the scan. For example, some automated tools are good at brute-forcing techniques, others at SQL injection techniques.
  • A web application assessment uses manual techniques to identify OWASP vulnerabilities. It is an authenticated (credentialed) test carried out as a logged-in user, which allows the tester to review session handling and business logic using multiple user accounts and roles.
  • A web application penetration test is a black-box assessment that uses the same attack methods as real-world threat actors. A tester will manually attempt to find and exploit vulnerabilities from the perspective of an uninformed attacker. The aim is to gain unauthorised access to an organisation’s application data and other systems in order to establish how it could be breached.


Below, we have summarised how we utilise these different techniques for each vulnerability of the OWASP Top Ten.

For each category the three columns below are: what an automated web application scan delivers; what a manual web application assessment delivers; and what a manual web application penetration test delivers.

1. Injection
   Automated scan: basic detection; possible false positives; superfluous output
   Manual assessment: manual investigation; reliable results; manageable output
   Manual pen test: manual exploitation; detailed analysis; discrete output

2. Broken Authentication
   Automated scan: basic detection
   Manual assessment: manual investigation
   Manual pen test: manual exploitation; detailed analysis

3. Sensitive Data Exposure
   Automated scan: basic detection; possible false positives
   Manual assessment: manual investigation; reliable results
   Manual pen test: thorough investigation; detailed analysis

4. XML External Entities (XXE)
   Automated scan: basic detection; possible false positives
   Manual assessment: manual investigation; reliable results
   Manual pen test: manual exploitation; detailed analysis

5. Broken Access Control
   Automated scan: not reliably detectable through automated methods
   Manual assessment: manual investigation
   Manual pen test: manual exploitation; detailed analysis

6. Security Misconfiguration
   Automated scan: basic detection; possible false positives
   Manual assessment: manual investigation; reliable results
   Manual pen test: manual exploitation; detailed analysis

7. Cross-Site Scripting (XSS)
   Automated scan: basic detection; possible false positives; superfluous output
   Manual assessment: manual investigation; reliable results; manageable output
   Manual pen test: manual exploitation; detailed analysis; discrete output

8. Insecure Deserialization
   Automated scan: not reliably detectable through automated methods
   Manual assessment: manual detection; manual investigation; reliable results
   Manual pen test: manual exploitation; detailed analysis

9. Using Components with Known Vulnerabilities
   Automated scan: detection
   Manual assessment: vulnerability assessment
   Manual pen test: detailed analysis; manual exploitation

10. Insufficient Logging & Monitoring
   Automated scan: not detectable through external means
   Manual assessment: not detectable through external means
   Manual pen test: not detectable through external means

Automated vs Manual Security Testing for Web Applications

As you can see, web app security testing requires a range of techniques to be carried out successfully. Whilst automated scanning has a part to play in web app security testing, it is generally best suited to detecting ‘low hanging fruit’.

One reason for this is that scans are prone to false positives, false negatives, and errors. A scanner may identify some injection flaws with reasonable accuracy, but it will also flag candidates that turn out not to be exploitable and miss others entirely, so a tester still has to validate every finding by hand and probe the parameters the tool did not. Also, a scan can only report that an issue appears to exist; one of the main benefits of manual testing is that a skilled consultant can evaluate the real-world severity of an issue in the context of the application, not just its presence.

In many cases, vulnerabilities require human logic to evaluate, broken access control being the clearest example. In a web application assessment, a tester will exercise the application’s session logic across a range of user roles to determine whether a user can reach data or functions they shouldn’t, both horizontally (another user’s records) and vertically (administrative functions). This is an essential part of web app security testing, because applications are frequently vulnerable to authorisation bypass attacks such as privilege escalation. If these controls are not sufficiently tested and managed, an attacker could steal sensitive information or compromise the entire system. An automated tool simply can’t deliver this level of testing, because it has no way of knowing which user is supposed to be allowed to see what.
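The multi-role check described above can be made systematic once the tester has decided who should be allowed to reach each endpoint. The following is an added example, not code from the original article or from Rootshell: it replays a set of probes with every available session (including an unauthenticated one) and compares the observed result with the expected permission matrix. The target application (app_request, USERS, INVOICES) is a constructed, hypothetical stand-in with two authorisation defects built in on purpose, so that the check has something to find offline; in a real engagement app_request would be replaced by an HTTP client call.

```python
"""Role/ownership access-control matrix check (added example, hypothetical target)."""
from dataclasses import dataclass

# --- constructed target application (hypothetical; not a real product) -----
USERS = {  # session token -> (username, role)
    "tok-alice": ("alice", "customer"),
    "tok-bob": ("bob", "customer"),
    "tok-carol": ("carol", "admin"),
}
INVOICES = {101: "alice", 102: "bob"}  # invoice id -> owner


def app_request(token, method, path):
    """Stand-in for an HTTP request; returns an HTTP-style status code.

    Two authorisation defects are built in on purpose:
      * GET /invoices/<id> checks that the caller is logged in but never
        that the invoice belongs to them (horizontal flaw, an IDOR).
      * GET /admin/users has no role check at all (vertical flaw).
    GET /admin/settings is protected correctly, for contrast.
    """
    if token not in USERS:
        return 401
    _username, role = USERS[token]
    parts = path.strip("/").split("/")
    if method == "GET" and parts[0] == "invoices" and len(parts) == 2 and parts[1].isdigit():
        return 200 if int(parts[1]) in INVOICES else 404   # BUG: ownership not checked
    if method == "GET" and path == "/admin/users":
        return 200                                           # BUG: role not checked
    if method == "GET" and path == "/admin/settings":
        return 200 if role == "admin" else 403
    if method == "GET" and path == "/me":
        return 200
    return 404


# --- the check itself --------------------------------------------------------
@dataclass(frozen=True)
class Probe:
    method: str
    path: str
    allowed: frozenset   # usernames and/or role names that may reach this path
    kind: str            # "role" (vertical check) or "object" (horizontal check)


@dataclass(frozen=True)
class Violation:
    who: str
    path: str
    status: int
    kind: str            # "vertical", "horizontal" or "denied-legitimate"


def build_matrix(request, sessions, probes):
    """Replay every probe with every session.

    sessions: {username: (token, role)}; use an empty token for the
    unauthenticated row. Returns (matrix, violations), where
    matrix[user][path] is the status observed with that user's session.
    """
    matrix, violations = {}, []
    for user, (token, role) in sessions.items():
        matrix[user] = {}
        for p in probes:
            status = request(token, p.method, p.path)
            matrix[user][p.path] = status
            permitted = user in p.allowed or role in p.allowed
            if status == 200 and not permitted:
                kind = "vertical" if p.kind == "role" else "horizontal"
                violations.append(Violation(user, p.path, status, kind))
            elif status in (401, 403) and permitted:
                # Not a security flaw, but the expected matrix is wrong; report it.
                violations.append(Violation(user, p.path, status, "denied-legitimate"))
    return matrix, violations


# Constructed sessions and expected-permission probes for the target above.
SESSIONS = {
    "alice": ("tok-alice", "customer"),
    "bob": ("tok-bob", "customer"),
    "carol": ("tok-carol", "admin"),
    "anonymous": ("", "anonymous"),
}
PROBES = [
    Probe("GET", "/invoices/101", frozenset({"alice", "admin"}), "object"),
    Probe("GET", "/invoices/102", frozenset({"bob", "admin"}), "object"),
    Probe("GET", "/admin/users", frozenset({"admin"}), "role"),
    Probe("GET", "/admin/settings", frozenset({"admin"}), "role"),
    Probe("GET", "/me", frozenset({"customer", "admin"}), "role"),
]


def run_check():
    return build_matrix(app_request, SESSIONS, PROBES)


if __name__ == "__main__":
    matrix, found = run_check()
    for user, row in matrix.items():
        print(f"{user:>10}: " + "  ".join(f"{path}={code}" for path, code in row.items()))
    for v in found:
        print(f"{v.kind:>10}  {v.who} -> {v.path} ({v.status})")
```

Against the constructed target the check reports four findings: alice and bob can each read the other's invoice (horizontal), and both can reach /admin/users (vertical), while /admin/settings correctly returns 403 for customers. The expected-permission list is the part a scanner cannot produce on its own; it encodes the tester's understanding of the application's roles and business logic.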

Automated scanning also struggles to test applications that require authentication, particularly complex ones. Even in a basic example such as an insurance quote application, you can imagine the difficulty a scanner would have in accurately populating each form in order to proceed to the following pages. Functionality behind those pages is then left ‘untested’ because of the scanner’s lack of coverage, and any issues there go unreported. Multistep operations are common in applications and can only be truly assessed manually.

Ultimately, all issues discovered by an automated vulnerability scanner will need to be manually validated and potentially exploited by a skilled consultant, to fully understand the risk and to rule out false positives. This is essential for enabling clients to focus their remediation efforts as part of an effective risk management strategy.

The Best Approach to Web Application Security Testing

There is no one-size-fits-all approach to web application security testing. This is why we advise our clients that an OWASP Top Ten scan is not possible, and to be wary of automated tools that claim to be able to perform such a scan.

OWASP itself stresses the need for a balanced approach; its Testing Guide states that “it is clear that there is no single technique that can be performed to effectively cover all security testing and ensure that all issues have been addressed.”

Instead, working with a security partner who has the expertise to offer both automated and manual web application security testing techniques will provide you with the most effective and reliable assessment to ensure your web app security is upheld.
