A vulnerability scanner is a tool used to find and exploit website’s security issues. Organizations perform penetration testing using vulnerability scanners against a web pages functionality before they are deployed. If vulnerabilities are found, they will be fixed before the web pages go live.
They can also be used by hackers in finding vulnerabilities in websites often caused by new technology updates. These scanners are automated bots and are constantly running all over the internet looking for vulnerabilities to exploit.
Characteristics of a Vulnerability Scanner
Hackers don’t have a roadmap to their victims. They use vulnerability scanners to help create the roadmap of areas to exploit. Many vulnerability scanners are tools that are free to download, while others are expensive to purchase. Some perform tasks with more efficiency than others. But overall, the high-level profile of a vulnerability scanning tool is the same:
- Automated tool – They are effectively an automated bad bot on your website.
- They are very noisy – Typically hit every page or directory, and can’t discriminate between pages.
- Systematically process pages – They go through a site unlike a typical human user so their path through the website is not normal.
- Not a browser – Don’t typically run on browsers, usually don’t accept Javascript
- Browser automation tool – Can run in browser automation tool like Selenium, PhantomJS
- Access all code – Indiscriminately hit everything on page even deceptive links/code/forms
- Too Targeted – A random single request to one particular area of the site might be a probe for just one weakness.