Software security testing is used to identify vulnerabilities in an application such as a Web application. Traditional black-box security testing for Web-based software works by using a security testing application, often referred to as a scanner, which poses as an attacker. In a black-box approach, the scanner explores an Application Under Test (AUT) by making HTTP requests and evaluating the HTTP responses in order to find all of the URLs where the AUT accepts input. The set of URLs (and parameters) where the AUT accepts input may be referred to as the attack surface of the AUT. The scanner then creates attacks based on the attack surface and likely categories of vulnerabilities. The scanner applies the attacks and diagnoses the presence or absence of vulnerabilities by evaluating the program's HTTP responses. In a black-box approach, the scanner does not have any insight into the internal workings of the AUT.
Black-box vulnerability testing is straightforward in concept, but in practice it presents a number of challenges. For example, exploring the AUT might not reveal all of the attack surface, so the scanner might not launch attacks against all of the places where the AUT is vulnerable. Additionally, some vulnerabilities cannot be accurately identified through the information returned in the HTTP response. If the scanner does discover a vulnerability, the scanner cannot provide information about where the vulnerability is inside the code of the AUT. Furthermore, the scanner may report several vulnerabilities that are all related to the same underlying problem in the AUT, causing a programmer trying to fix the vulnerabilities to carry out a great deal of repetitive work.
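The following is an added illustration, not code from the original text, of the exploration step described above and of the first challenge noted in the second paragraph (exploration not revealing the whole attack surface). It assumes a constructed, in-memory set of HTML pages standing in for the AUT's HTTP responses, and a constructed "ground truth" of what the AUT really accepts, which a black-box tester would not have and which is used here only to measure how much of the attack surface the exploration reached. Only the Python standard library is used.

```python
"""Black-box attack-surface discovery over a constructed in-memory site.

Added example (not from the original text). Instead of issuing HTTP requests,
the explorer reads constructed HTML pages from a dictionary and records every
(method, path) where the AUT accepts input, together with the parameter names
seen for it. An endpoint reachable only through JavaScript is included so the
coverage gap described in the text is visible.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, parse_qs

# Constructed sample site: path -> HTML body (stands in for HTTP responses).
SITE = {
    "/": '<a href="/search?q=x">Search</a> <a href="/login">Login</a>'
         '<script>fetch("/api/profile?id=1")</script>',
    "/search": '<form action="/search" method="get">'
               '<input name="q"><input name="page" type="hidden"></form>',
    "/login": '<form action="/auth" method="post">'
              '<input name="user"><input name="pass" type="password"></form>',
    "/auth": "<p>ok</p>",
}

# Constructed ground truth (hypothetical): the inputs the AUT actually accepts.
TRUE_SURFACE = {
    ("GET", "/search"): frozenset({"q", "page"}),
    ("POST", "/auth"): frozenset({"user", "pass"}),
    ("GET", "/api/profile"): frozenset({"id"}),   # only referenced from JS
}


class InputFinder(HTMLParser):
    """Collects links (with query strings) and forms from one HTML page."""

    def __init__(self, base):
        super().__init__()
        self.base = base
        self.links = []      # absolute URLs taken from href attributes
        self.forms = []      # (method, action URL, [input names])
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and "href" in a:
            self.links.append(urljoin(self.base, a["href"]))
        elif tag == "form":
            self._form = (a.get("method", "get").upper(),
                          urljoin(self.base, a.get("action", self.base)), [])
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and "name" in a:
            self._form[2].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def explore(site, start="/"):
    """Breadth-first exploration from `start`.

    Returns the discovered attack surface as {(method, path): frozenset(params)}.
    Script bodies are not parsed, so endpoints referenced only from JavaScript
    are never visited; this is the exploration gap the text describes.
    """
    surface, seen, queue = {}, set(), [start]
    while queue:
        path = queue.pop(0)
        if path in seen or path not in site:
            continue
        seen.add(path)
        finder = InputFinder(path)
        finder.feed(site[path])
        for url in finder.links:
            p = urlparse(url)
            params = set(parse_qs(p.query))
            if params:
                surface.setdefault(("GET", p.path), set()).update(params)
            queue.append(p.path)
        for method, action, names in finder.forms:
            p = urlparse(action)
            if names:
                surface.setdefault((method, p.path), set()).update(names)
            queue.append(p.path)
    return {ep: frozenset(params) for ep, params in surface.items()}


def coverage(found, truth):
    """Fraction of the true input surface reached, plus the inputs missed."""
    missed = {ep: params - found.get(ep, frozenset())
              for ep, params in truth.items()}
    missed = {ep: params for ep, params in missed.items() if params}
    return 1 - len(missed) / len(truth), missed


if __name__ == "__main__":
    found = explore(SITE)
    for endpoint, params in sorted(found.items()):
        print("found", endpoint, sorted(params))
    ratio, missed = coverage(found, TRUE_SURFACE)
    print(f"coverage {ratio:.0%}; missed {missed}")
```

Running the block reports the two endpoints reachable through links and forms and a coverage of 67%: the `/api/profile` endpoint, which the page references only inside a script, is never requested, so any attack the scanner would later build from the discovered surface cannot reach it. This is the same reason a black-box scan's result should be read as "no vulnerabilities found on the explored surface" rather than "no vulnerabilities present".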