Existing web scanners search for server-side injection vulnerabilities by throwing a canned list of technology-specific payloads at a target and looking for signatures – almost like an anti-virus. In this document, I’ll share the conception and development of an alternative approach, capable of finding and confirming both known and unknown classes of injection vulnerabilities.
James Kettle of Portswigger (@albinowax) just did something that hasn’t happened in a long time. He added web assessment automation functionality that substantially emulates how manual testers work (and benefits them).
It’s early, but extremely exciting.
You should read the whole post (link above), but the basic idea is that most scanners have only one phase: you send a static input, you get back a response, and that response either matches certain criteria or it doesn’t.
James’ new approach, which I presume is going to be part of Burp going forward, is to have that become a multi-step process, i.e. to follow up on what comes back with further probes.
Ultimately, this lets the scanner produce something close to the judgement a manual tester reaches only after lots of work: a rating of whether a given input is likely to be a goose chase or fertile ground.
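To make the one-phase versus multi-step distinction concrete, here is a toy simulation I put together for this post. It is my own illustration, not James’ code and not anything from Burp: the three targets, the probe strings, the "signature" list and the rating thresholds are all constructed for the example. The one-phase scanner sends a canned payload and greps for a known error string; the multi-step scanner first checks that identical inputs give identical responses (otherwise any difference is noise), then sends a pair of inputs that an inert target would treat the same, and only on a difference follows up with independent probe pairs before rating the parameter.

```python
"""Toy comparison of one-phase signature scanning and multi-step
differential probing. Everything here is a constructed simulation for
illustration; none of it is Burp's or James Kettle's code."""
import itertools
from typing import Callable, List, Tuple

Target = Callable[[str], str]

# ---- constructed targets: a function stands in for a web app parameter ----

def inert_echo(param: str) -> str:
    """Treats the parameter as plain data and reflects it."""
    return f"<p>Results for: {param}</p>"

def quote_sensitive(param: str) -> str:
    """Simulates a backend that interprets quotes in the parameter (think
    string concatenation into a query). An unbalanced quote produces a
    *generic* error page with no technology-specific signature in it."""
    stripped = param.replace("\\'", "")          # escaped quotes are harmless
    if stripped.count("'") % 2 == 1:
        return "<h1>Oops</h1><p>Something went wrong.</p>"
    return f"<p>Results for: {param}</p>"

_counter = itertools.count()
def noisy_echo(param: str) -> str:
    """Inert, but every response carries a per-request nonce (constructed
    noise, like a CSRF token or timestamp) that defeats naive diffing."""
    return f"<p>Results for: {param}</p><!-- req {next(_counter)} -->"

# ---- one phase: canned payload + signature match ----

SIGNATURES = ("SQL syntax", "syntax error", "ORA-")   # constructed list

def signature_scan(target: Target) -> bool:
    """Send one static payload, report a hit if a known signature appears."""
    resp = target("x'")
    return any(sig in resp for sig in SIGNATURES)

# ---- multi-step: differential probing with follow-ups ----

def normalize(resp: str, payload: str) -> str:
    """Mask the reflected payload so two responses that differ only by the
    literal echo compare equal."""
    return resp.replace(payload, "{P}")

def differs(target: Target, a: str, b: str) -> bool:
    return normalize(target(a), a) != normalize(target(b), b)

# Balanced vs unbalanced quote: identical to an inert target once the echo
# is masked, different to anything that parses the quote.
FIRST_PROBE: Tuple[str, str] = ("x''", "x'")

# Independent follow-ups that should distinguish in the same way.
FOLLOW_UPS: List[Tuple[str, str]] = [
    ("x\\'", "x'"),      # escaped quote vs raw quote
    ("x'\\''", "x'''"),  # two effective quotes vs three
]

def rate(target: Target) -> str:
    """Return a rating rather than a yes/no: how much further work the
    parameter is likely to reward."""
    # Control probe: if identical inputs give different responses, the
    # channel is noisy and any later difference is untrustworthy.
    if differs(target, "x", "x"):
        return "unstable"
    if not differs(target, *FIRST_PROBE):
        return "inert"
    confirmations = sum(differs(target, a, b) for a, b in FOLLOW_UPS)
    if confirmations == len(FOLLOW_UPS):
        return "confirmed"
    if confirmations:
        return "likely"
    return "unconfirmed"

if __name__ == "__main__":
    for name, tgt in [("inert_echo", inert_echo),
                      ("quote_sensitive", quote_sensitive),
                      ("noisy_echo", noisy_echo)]:
        print(f"{name:16} one-phase hit={signature_scan(tgt)!s:5} "
              f"multi-step rating={rate(tgt)}")
```

Run it and the difference in philosophy shows up in the second target: the canned payload lands, but the generic error page carries none of the expected signatures, so the one-phase scanner reports nothing, while the differential scanner flags the behavioural change and then confirms it with the follow-up pairs. The noisy target is the other half of the story: a single diff would flag it, but the control probe marks it unstable, which is exactly the goose chase a manual tester learns to avoid.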
I think this is one of the best innovations in automated web testing in the last five or ten years.
Well done James, and well done Portswigger.