
How scanners find vulnerabilities | Acunetix

A vulnerability scanner is not that different from a virus scanner. In both cases, the goal of the software is to find something out of the ordinary in its target. A virus scanner inspects your computer's local resources and storage for potentially malicious software. A vulnerability scanner inspects some kind of target for potentially vulnerable software. Both use similar techniques to do so.

Signature-based scanning

In signature-based scanning, the scanner looks for recognizable patterns that were prepared by the scanner vendor or pulled from public databases. For example:

  • Virus scanners look for specific byte sequences in executable files. If the scanner finds such a sequence, it assumes that it has found a malicious file.
  • Network scanners look for specific responses from a server to determine the exact version of the software it runs. This can be as simple as the software announcing its version in a banner, or more complex, such as recognizing behavior that is typical of a particular version.
  • SCA scanners look for specific elements in source code, intermediate code, or binary code to recognize known components and the exact versions that the software uses or imports.

Signature-based scanning has several advantages:

  • It is usually very fast, because the scanner only needs to compare the byte sequences in its signature library with the data received from the target.
  • It is not intrusive and has few side effects on the target.
  • It is easy for scanner vendors, because no custom code has to be written for each check. Public signature databases are also available as a starting point for a vendor's own database.

Unfortunately, this type of scanning also has some major drawbacks.

  • It is not always accurate. A matching signature does not guarantee that the finding is actually malicious or exploitable.
  • It provides no evidence that the reported result is malicious. The scanner only compares signatures; it never tests whether its assumption is true.
  • Most scanners are limited to known signatures and cannot recognize mutations (e.g., the same code with slightly different bytes), irregularities (e.g., an unusually configured server), or new threats.
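The following is an added example, not code from the Acunetix article or product, that shows the two halves of a signature-based check described above: recognizing a component and version from a server banner, then reporting advisories whose fix version is newer than the version the banner claims, without ever verifying the finding against the target. The banner patterns, the placeholder advisory IDs and the fix-version thresholds are all constructed for this illustration and do not correspond to real advisories. The last two functions contrast a hash-based signature with a pattern-based one to show why a single changed byte defeats the former, which is the "mutations" drawback from the list above.

```python
import hashlib
import re

# Constructed banner signatures: component name plus a pattern capturing the version.
# Illustrative only, not any real scanner's database.
BANNER_SIGNATURES = [
    ("apache-httpd", re.compile(r"\bApache/(\d+(?:\.\d+)+)")),
    ("nginx", re.compile(r"\bnginx/(\d+(?:\.\d+)+)")),
    ("openssh", re.compile(r"\bOpenSSH_(\d+(?:\.\d+)+)")),
]

# Constructed advisory table: (placeholder id, first fixed version). The ids and the
# thresholds are made up for this example and are not real CVEs or real fix versions.
KNOWN_ISSUES = {
    "apache-httpd": [("DEMO-0001", "2.4.50")],
    "nginx": [("DEMO-0002", "1.20.1")],
}


def parse_version(text: str) -> tuple:
    """Turn '2.4.41' into (2, 4, 41) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def fingerprint(banner: str):
    """Signature step: recognise component and version from a Server header or service banner.
    Returns (component, version) or None when no known signature matches."""
    for component, pattern in BANNER_SIGNATURES:
        match = pattern.search(banner)
        if match:
            return component, match.group(1)
    return None


def signature_findings(banner: str) -> list:
    """Report every advisory whose fix version is newer than the version the banner claims.
    Nothing is tested against the target, so every finding is marked unverified: a vendor
    that backports a fix without bumping the version string produces a false positive here."""
    fp = fingerprint(banner)
    if fp is None:
        return []  # no recognisable signature: a hidden or renamed banner is a blind spot
    component, version = fp
    found = parse_version(version)
    return [
        {"id": issue, "component": component, "version": version, "verified": False}
        for issue, fixed_in in KNOWN_ISSUES.get(component, [])
        if found < parse_version(fixed_in)
    ]


# Constructed fingerprint page for a hypothetical admin console, used to compare signature styles.
ADMIN_PAGE = b"<title>Example Admin Console v3</title>"
ADMIN_PAGE_HASH = hashlib.sha256(ADMIN_PAGE).hexdigest()
ADMIN_PATTERN = re.compile(rb"<title>\s*Example\s+Admin\s+Console\b")


def hash_signature_match(body: bytes) -> bool:
    """Hash-based signature: exact match only, so any changed byte in the page breaks detection."""
    return hashlib.sha256(body).hexdigest() == ADMIN_PAGE_HASH


def pattern_signature_match(body: bytes) -> bool:
    """Pattern-based signature: tolerates whitespace and minor edits around the recognisable core."""
    return ADMIN_PATTERN.search(body) is not None


if __name__ == "__main__":
    for banner in ("Server: Apache/2.4.41 (Ubuntu)", "Server: nginx/1.20.1", "Server: cloudflare"):
        print(banner, "->", fingerprint(banner), signature_findings(banner))
    mutated = b"<title>Example  Admin Console v3</title>"  # one extra space
    print("hash:", hash_signature_match(mutated), "pattern:", pattern_signature_match(mutated))
```

Running the block prints one finding for the Apache banner, none for the current nginx version, nothing at all for a banner that hides the product, and shows the hash signature failing on the mutated page while the pattern signature still matches.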

Behavior-based scanning (heuristic scanning)

Another way to detect malicious content or vulnerabilities is to analyze the target's behavior. Instead of comparing signatures, the scanner has to understand what the target does. For example:

  • When a heuristic virus scanner encounters a potentially executable file, it analyzes (reverse engineers) the code to determine what it does and whether that action is malicious. It may also run the code in a sandboxed environment and observe the result.
  • When a web vulnerability scanner finds an element that accepts user input, it tries to "trick" the target by sending unexpected data. It then analyzes the target's response to determine whether the attack succeeded.
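The following is an added example, not code from the Acunetix article or product, of the second kind of check: a behavior-based path traversal test that sends unexpected input into a file-download parameter and then verifies the assumption against the response. To run offline it includes two hypothetical download handlers over a constructed in-memory file system, one that joins user input straight into a path and one with the fix applied. The check treats a response as a hit only when it contains the root entry of a Unix password file, which is the kind of evidence that turns "the server returned 200" into proof; a status-only variant is included to show the false positive that proof avoids.

```python
import posixpath
import re

# Constructed in-memory file system standing in for the target host (sample data, not a real server).
DOCROOT = "/var/www/files/"
FAKE_FS = {
    "/var/www/files/report.txt": b"Quarterly report\n",
    "/etc/passwd": (b"root:x:0:0:root:/root:/bin/bash\n"
                    b"www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"),
}


def vulnerable_download(file_param: str) -> tuple:
    """Hypothetical download handler: joins user input straight into a path with no containment check.
    The 200 error page is deliberate; naive status-code checks misfire on it."""
    path = posixpath.normpath(DOCROOT + file_param)
    body = FAKE_FS.get(path)
    return (200, body) if body is not None else (200, b"<h1>File not found</h1>")


def fixed_download(file_param: str) -> tuple:
    """Same handler with the fix: the resolved path must stay under DOCROOT."""
    path = posixpath.normpath(DOCROOT + file_param)
    if not path.startswith(DOCROOT):
        return (400, b"<h1>Invalid file name</h1>")
    body = FAKE_FS.get(path)
    return (200, body) if body is not None else (200, b"<h1>File not found</h1>")


# Mock attack payloads the scanner sends into the parameter. The "....//" form targets
# filters that strip a single "../" occurrence and is not expected to work against either handler here.
TRAVERSAL_PAYLOADS = [
    "../../../etc/passwd",
    "../../../../../../etc/passwd",
    "....//....//....//etc/passwd",
]

# Evidence rather than assumption: a real /etc/passwd contains the root entry with uid 0 and gid 0.
PASSWD_EVIDENCE = re.compile(rb"^root:[^:\n]*:0:0:", re.MULTILINE)


def traversal_check(send) -> dict:
    """Behavior-based check. `send` is any callable that delivers the parameter value to the target
    and returns (status, body). A hit requires proof in the body, not just a successful status."""
    for payload in TRAVERSAL_PAYLOADS:
        status, body = send(payload)
        proof = PASSWD_EVIDENCE.search(body)
        if status == 200 and proof:
            return {"vulnerable": True, "payload": payload, "evidence": proof.group(0).decode()}
    return {"vulnerable": False, "payload": None, "evidence": None}


def status_only_check(send) -> bool:
    """Weaker check that trusts the status code alone; it flags the fixed handler's 200 error page."""
    return any(send(payload)[0] == 200 for payload in TRAVERSAL_PAYLOADS)


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_download), ("fixed", fixed_download)):
        print(name, traversal_check(handler), "status-only:", status_only_check(handler))
```

Against a real target, `send` would be a function that puts the payload into the HTTP parameter and returns the response; the two handlers above only stand in for that so the check can run offline. Note that the fixed handler still answers 200 for a nonexistent file under the document root, which is exactly why the status-only check reports it as vulnerable while the evidence-based check does not.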

Heuristic scanning has several key advantages:

  • In theory, it can find any kind of threat, including custom threats and zero-day threats. In practice, this depends on how advanced the scanner is.
  • It is more accurate, because it actually checks whether the assumption is correct. In some cases it can even provide proof.

Unfortunately, heuristic scanning also has some drawbacks.

  • It requires significantly more resources than signature-based scanning. Heuristic scanners take longer to produce results and can put more load on the target than signature-based scanners.
  • Building a good heuristic scanner is very difficult and requires top talent. Unlike a signature-based scanner, every new type of check has to be programmed and tested. The heuristic scanner's library is not a list of strings to compare but purpose-built code for each type of check.

The best of both worlds

Many professional scanners use both approaches, but the balance between them varies greatly with the type of scan being performed.

  • Virus scanners are almost always primarily signature-based. Some advanced virus scanners also offer behavior-based scanning, but often only as an option, because it takes more time and resources.
  • Network scanners are almost always signature-based, because they focus on finding outdated software versions and misconfigurations, which signatures recognize easily.
  • Web vulnerability scanners are always primarily heuristic, but use signatures where appropriate.

Acunetix combines the best of both worlds.

  • Acunetix is primarily a behavior-based scanner. All of its advanced checks are individually designed and perform safe (mock) attacks. In most cases it can also prove that an attack succeeded, for example by showing the contents of files the scanner should not have been able to access (such as server configuration files). Most other scanners do not offer this.
  • The scanner also provides SCA functionality and checks for things like outdated software versions, so it uses signature-based checks where they apply and no custom code is needed. This keeps the scan faster and less intensive on the target. Acunetix is often recognized as the most efficient scanner on the market.
  • Acunetix also overcomes a limitation of signature-based scanning: instead of hash-based signatures, it uses signatures that still recognize a vulnerability when the code or response is slightly modified.
  • Its checks also combine the advantages of signature-based scanning with those of active scanning, sometimes within the same vulnerability scan. For example, if a signature-based check determines a software version, the subsequent vulnerability tests for that software can take the version into account and optimize the testing accordingly. This makes scanning both faster and more reliable.

Although many of the vulnerabilities Acunetix discovers are identified by CVE/CWE codes, such databases are used only to label known vulnerabilities. A key strength of Acunetix is that it can find problems that are not recorded in any database, such as vulnerabilities in custom software, which have no CVE identifier.

Author
Tomasz Andrzej Nidecki
Senior Technical Content Writer

Tomasz Andrzej Nidecki (aka tonid) is Invicti’s leading cybersecurity writer with a focus on Acunetix. A journalist, translator and tech writer with 25 years of IT experience, Tomasz initially served as editor-in-chief of hakin9 IT Security magazine and ran a major tech blog specializing in email security.

