Heuristic vs Signature-Based Web Vulnerability Scanners

Read on to learn the difference between these two types of web application vulnerability scanners, and which one would meet your needs.

By Sven Morgenroth · Nov. 16, 17 · Analysis

Web application vulnerability scanners fall into two kinds: signature-based and heuristic. This article explains how each type works and which vulnerabilities it can find in web applications.

How Do Signature-Based Web Application Security Scanners Work?

Signature-based scanners rely on a database of signatures for known vulnerabilities. For a scanner to recognize a vulnerability, a signature for that specific vulnerability has to be added to its database first.

This means that these scanners need to be updated regularly: a new signature is released every time a new vulnerability is found in a specific web application. Signature-based scanners usually do not run any additional checks to determine whether the detected vulnerability is actually exploitable. Their checks rely on indicators that are not reliable on their own, such as the version string of the target web application, the presence of particular file paths and directory structures, and so on.

As a result, signature-based web security scanners are more prone to reporting false positives. For example, if a patch is applied manually to a web application without changing the version file, a signature-based scanner will still report the vulnerability. The reverse also holds: if the application hides or alters its version string, the scanner has nothing to match on and will miss a vulnerability that is really there. This also means that signature-based scanners can only scan known, off-the-shelf web applications such as WordPress, Joomla!, and Drupal; they have no signatures for custom code.

A popular signature-based scanner is WPScan, which scans WordPress sites and their plugins and themes for known vulnerabilities. Another popular example is Nikto, which scans web servers for misconfigurations, outdated server software, and dangerous files.
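As an added illustration of the mechanism described above (example code written for this page, not WPScan's or Nikto's code), the following Python shows the core of a signature-based check: fingerprint the version the site advertises and compare it against a signature database. The signature entries, their placeholder IDs and the HTML responses are all constructed for the demonstration and do not describe real advisories; the last two pages show the false positive and the silent miss discussed in the text.

```python
"""Core of a signature-based check: fingerprint a version, match signatures.

Added example, not code from the article, WPScan or Nikto. The signature
database, the placeholder IDs and the HTML pages are constructed for the
demonstration and do not correspond to real advisories.
"""
import re

# Constructed signature database. Each entry says: product X below version
# fixed_in is affected. Real scanners ship thousands of such entries and
# must be updated whenever a new vulnerability is published.
SIGNATURES = [
    {"id": "SIG-PLACEHOLDER-1", "product": "WordPress", "fixed_in": (4, 7, 2)},
    {"id": "SIG-PLACEHOLDER-2", "product": "WordPress", "fixed_in": (4, 9, 0)},
]

# The only evidence the check uses: the generator meta tag WordPress emits.
GENERATOR_RE = re.compile(
    r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', re.I)


def parse_version(text):
    """'4.7.1' -> (4, 7, 1), so that tuples compare numerically."""
    return tuple(int(part) for part in text.split("."))


def fingerprint(html):
    """Return the WordPress version advertised in the page, or None."""
    match = GENERATOR_RE.search(html)
    return parse_version(match.group(1)) if match else None


def signature_scan(html):
    """Return the IDs of every signature whose affected range covers the
    advertised version. Nothing here verifies that the flaw is exploitable:
    the advertised version is the whole basis of the report."""
    version = fingerprint(html)
    if version is None:
        return []          # no banner, no finding: a silent false negative
    return [sig["id"] for sig in SIGNATURES
            if sig["product"] == "WordPress" and version < sig["fixed_in"]]


# Constructed responses standing in for the HTML a real scan would fetch.
SITE_OLD = '<html><head><meta name="generator" content="WordPress 4.7.1"></head></html>'
SITE_NEWER = '<html><head><meta name="generator" content="WordPress 4.8.0"></head></html>'
# The same site after the administrator patched the code by hand without
# touching the version string: the response is byte-identical, so the
# scanner reports the same findings, which are now false positives.
SITE_PATCHED_BY_HAND = SITE_OLD
# Generator tag removed: the scanner has nothing to match on at all.
SITE_BANNER_HIDDEN = '<html><head><title>Blog</title></head></html>'

if __name__ == "__main__":
    for name, page in [("old", SITE_OLD), ("newer", SITE_NEWER),
                       ("patched by hand", SITE_PATCHED_BY_HAND),
                       ("banner hidden", SITE_BANNER_HIDDEN)]:
        print(f"{name:16s} version={fingerprint(page)} findings={signature_scan(page)}")
```

The check is fast and needs no interaction beyond one page fetch, which is why such scanners finish quickly; the price is that the result is only as trustworthy as the banner.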

How Do Heuristic Web Application Security Scanners Work?

Heuristic web vulnerability scanners do not need a database of known vulnerabilities. Instead of matching signatures of already discovered bugs, they actively probe the application for whole vulnerability classes, such as Cross-site Scripting (XSS) and SQL Injection: the scanner crawls the application, sends crafted input to every parameter it finds, and inspects the responses for behaviour that indicates the vulnerability class.

This means that heuristic web vulnerability scanners are able to find 0-day vulnerabilities in a web application, which signature-based scanners cannot. Because the checks are written per vulnerability class rather than per application, heuristic scanners do not need to be updated as often as signature-based ones, and they can scan off-the-shelf as well as custom-built web applications and web services. The caveat is that a heuristic scanner only finds the classes it has checks for, and, since it infers vulnerabilities from application behaviour, it can produce false positives unless it goes on to confirm that the issue is exploitable.
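The probing described above, as an added example written for this page (not Netsparker's code): two tiny in-process handlers stand in for HTTP endpoints so that the example runs offline, one reflecting a query parameter into HTML and one building a SQL query against an in-memory SQLite database, each in a vulnerable and a safe variant. The probes know nothing about either application; they send a crafted value to the parameter and judge the vulnerability class from the response, comparing against a benign baseline so that error text the page always contains is not flagged.

```python
"""Heuristic probes for reflected XSS and error-based SQL injection.

Added example, not code from the article or from Netsparker. The target
handlers are constructed in-process stand-ins for HTTP endpoints so that the
example runs offline; the probing logic is the part that matters.
"""
import html
import secrets
import sqlite3

# ---- constructed targets: parameter value in, HTML page out --------------

def search_page_vulnerable(q):
    # Reflects user input into HTML without encoding.
    return f"<h1>Results for {q}</h1>"


def search_page_safe(q):
    return f"<h1>Results for {html.escape(q)}</h1>"


def _fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice')")
    return conn


def user_page_vulnerable(uid):
    # Builds the query by string concatenation and echoes the DB error text.
    conn = _fresh_db()
    try:
        rows = conn.execute(f"SELECT name FROM users WHERE id = {uid}").fetchall()
    except sqlite3.Error as exc:
        return f"<p>Database error: {exc}</p>"
    return "<p>" + ", ".join(r[0] for r in rows) + "</p>"


def user_page_safe(uid):
    # Parameterised query; errors are not echoed to the client.
    conn = _fresh_db()
    try:
        rows = conn.execute("SELECT name FROM users WHERE id = ?", (uid,)).fetchall()
    except sqlite3.Error:
        return "<p>Database error</p>"
    return "<p>" + ", ".join(r[0] for r in rows) + "</p>"


# ---- heuristic probes: no knowledge of the target application ------------

# Substrings that typically appear when a database error reaches the page.
SQL_ERROR_MARKERS = ("unrecognized token", "syntax error", "sql syntax",
                     "unterminated quoted", "ora-0", "sqlstate")


def probe_reflected_xss(handler):
    """Inject a unique tag and check whether it comes back unencoded.
    A random token avoids matching text the page contained anyway."""
    token = "ns" + secrets.token_hex(4)
    response = handler(f'"><{token}>')
    return f"<{token}>" in response


def probe_error_sqli(handler, benign):
    """Append a single quote and look for database error text that was not
    present in the baseline response for the benign value."""
    baseline = handler(benign).lower()
    probed = handler(benign + "'").lower()
    return any(m in probed and m not in baseline for m in SQL_ERROR_MARKERS)


def scan_parameter(handler, benign):
    """Run every probe against one parameter; return the classes found."""
    findings = []
    if probe_reflected_xss(handler):
        findings.append("reflected XSS")
    if probe_error_sqli(handler, benign):
        findings.append("SQL injection")
    return findings


if __name__ == "__main__":
    targets = [("search?q (vulnerable)", search_page_vulnerable, "test"),
               ("search?q (safe)", search_page_safe, "test"),
               ("user?id (vulnerable)", user_page_vulnerable, "1"),
               ("user?id (safe)", user_page_safe, "1")]
    for name, handler, benign in targets:
        print(f"{name:24s} {scan_parameter(handler, benign)}")
```

Neither probe mentions WordPress, SQLite or any version number: the same two functions would flag a hand-written application just as readily, which is the point of the heuristic approach. Note also that the vulnerable user page echoes the raw database error, so the XSS probe fires there too; a real scanner reports such a finding as reflected input in an error message.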

Examples of 0-Day Vulnerabilities Identified by a Heuristic Web Vulnerability Scanner

As part of our regular testing of the Netsparker web application scanner, we scan an ever-changing list of open source web applications. In the last few years, we have identified thousands of zero-day vulnerabilities in such applications and, as of today, have published over 150 advisories. We do not publish an advisory for every vulnerability we discover, for a number of reasons, which is why the number of advisories is lower than the number of identified vulnerabilities.

A few of the 0-day issues Netsparker identified:

  • Cross-site Scripting vulnerability in the HESK helpdesk software
  • Cross-site Scripting vulnerability in OpenCart
  • DOM XSS vulnerability in WordPress Twenty Fifteen default theme

None of the above vulnerabilities was previously known, so a signature-based scanner could not have warned the user about them.

Using Both Signature-Based and Heuristic Web Vulnerability Scanners

Clearly, a heuristic web security scanner can do much more than a signature-based scanner, but don't write off signature-based scanners either; they have their own advantages.

For example, if you want to check a WordPress website for known vulnerabilities and security weaknesses, the signature-based scanner WPScan will do a very good job and deliver its results very fast, and a heuristic scanner is overkill for that task. To scan a complex custom application for unknown security bugs, however, you need a heuristic web application security scanner. In practice the two complement each other: use the signature-based scanner for fast coverage of known issues in off-the-shelf components, and the heuristic scanner for the custom code around them.

Published at DZone with permission of Sven Morgenroth, DZone MVB.