The Advantage of Heuristic Over Signature Based Web Vulnerability Scanners

This article explains how both the heuristic and signature based web application security scanners work. It also explains the pros and cons of both types of scanners.

There are two different kinds of web application vulnerability scanners; heuristic and signature based scanners. This article explains how both types of scanners work and what type of vulnerabilities they can find in web applications.

How Do Signature Based Web Application Security Scanners Work?

Signature based scanners rely on a database of signatures for known vulnerabilities. Therefore for a scanner to recognize a vulnerability, a signature for that specific vulnerability has to be added to its database first.

This means that these scanners need to be updated regularly, because an update is released every time a new vulnerability is found in a specific web application. Usually, signature based scanners do not run any additional security checks to determine whether or not the detected vulnerability is exploitable. Their checks rely only on a number of non reliable criteria, such as the version details and numbers of the target web application, file paths and directory structures etc.

This means that signature based web security scanners are more prone to reporting false positive vulnerabilities. For example, if a patch is applied manually to a web application without changing the version file, a signature based scanner will report a false positive. This also means that signature based scanners can only scan known and off-the-shelf web applications such as WordPress, Joomla! and Drupal.

A popular signature based scanner is WPScan, which scans WordPress websites and its plugins and themes for known vulnerabilities. Another popular signature based scanner is Nikto, which scans for server misconfigurations and dangerous files.

How Do Heuristic Web Application Security Scanners Work?

Heuristic web vulnerability scanners do not need a database to detect vulnerabilities. They do not rely on signatures of already discovered security bugs. They are able to determine if a web application is vulnerable by actively probing for vulnerability classes, such as cross-site scripting (XSS) and SQL injection vulnerabilities.

This means that heuristic web vulnerability scanners are able to find 0-day vulnerabilities in a web application, unlike signature based scanners. And heuristic web application security scanners do not need to be updated as often as signature based ones and can scan and find vulnerabilities in any type of off-the-shelf and custom built web applications and web services.

Netsparker, our dead accurate web application security scanner is a heuristic scanner.

Examples of 0-day Vulnerability Identified by a Heuristic Web Vulnerability Scanner

As part of our regular testing of the Netsparker web application scanner, we scan an ever changing list of open source web applications. In the last few years, Netsparker identified thousands of zero-day vulnerabilities in such web applications, and as of today, we have published over 150 advisories. We do not publish an advisory for every vulnerability we discover because of a number of reasons, and that is why the number of advisories is less than the number of identified vulnerabilities.

A few good examples of a number of 0-day issues Netsparker identified are:

All of the above vulnerabilities were not previously known, therefore a signature based scanner would not have warned the user about them.

Using Both Signature Based & Heuristic Web Vulnerability Scanners

Clearly a heuristic web security scanner can do much more than a signature based scanner in terms of security, but don’t sign off signature based scanners either. They also have their advantages.

For example, if you want to scan a WordPress website for known vulnerabilities and security weaknesses, the signature based scanner WPscan will definitely do a very good job and can deliver the scan results very fast. In such cases, a heuristic scanner is an overkill. However, to scan a complex custom application for unknown security bugs, you should use a heuristic web application security scanner such as Netsparker.

Sven Morgenroth

About the Author

Sven Morgenroth - Senior Security Engineer