Software (or application) security testing is used to assess an application, such as a web application, for vulnerabilities or attack vectors. One approach to software security testing is referred to as black-box security testing. Black-box security testing of web applications involves using a security testing application (or scanner) that simulates an attacker. Under the black-box security testing approach, the scanner has no insight into the internal workings of the application and treats it as opaque. The scanner explores the application (for example, a web application), which can also be referred to as the application under test, by making Hypertext Transfer Protocol (HTTP) requests and evaluating the HTTP responses returned by the application (or by an application server hosting the application) to identify the attack surface of the application, that is, the Uniform Resource Identifiers (URIs), such as Uniform Resource Locators (URLs), and the request parameters at which the application accepts input. Because the attack surface is discovered only from what the responses reveal (links, forms, redirects), any input point that is never referenced by a reachable response is invisible to a black-box scanner.
Another approach to software security testing is referred to as white-box security testing. Under the white-box security testing approach, the scanner is provided with information about the internal workings of the application. For example, information about the attack surface and the internal processing of the application can be extracted from technical information such as design documentation or the source code of the application and supplied to the scanner before a security test begins. Such a scanner can then perform security testing using that information about the internal workings and attack surface of the application, including input points (for example, unlinked or administrative URIs) that exploration by HTTP requests alone would not discover.
Under either approach, the scanner executes attacks against the application based on the attack surface. For example, a scanner can send HTTP requests directed to URIs at which the application accepts input that are specifically crafted (e.g., that carry attack data sets) to test for attack vectors such as memory buffer overflows, Structured Query Language (SQL) injection, privilege elevation, and arbitrary code execution. Additionally, the scanner can diagnose the presence of vulnerabilities by evaluating the HTTP responses from the application, for example by matching a response against known database error messages or by checking whether attack data is reflected back unmodified. Such response-based diagnosis yields evidence of a vulnerability when a signature matches; a response that does not match is not proof of absence, since the application may suppress errors or fail silently.
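The following is an added illustration of the black-box and white-box approaches described above; it is example code written for this page, not code from the original text or from any scanner product. It constructs a toy application under test in-process (the routes, the string-concatenated SQL in /search and /export, and the unescaped reflection in /echo are all assumptions made for illustration), a black-box phase that discovers the attack surface by crawling links and forms in HTTP responses, a white-box surface supplied as if extracted from source code, and an attack phase that sends crafted parameters and evaluates the responses against error signatures and reflection.

```python
"""Added example: toy black-box / white-box web scanner plus a constructed
application under test. The app, its routes and the payloads are
assumptions for illustration, not a real product or service."""
import html
import re
from urllib.parse import parse_qsl, urlsplit


# --- Constructed application under test (stands in for an HTTP server) ---
# /search and /export build SQL by string concatenation (hypothetical defect),
# /echo reflects input unescaped, /export is reachable but never linked.
def app_under_test(method, path, params):
    if path == "/":
        return 200, ('<a href="/search?q=shoes">Search</a>'
                     '<form action="/echo" method="post"><input name="msg"></form>'
                     '<a href="/about">About</a>')
    if path in ("/search", "/export"):
        value = params.get("q" if path == "/search" else "table", "")
        sql = f"SELECT * FROM items WHERE name = '{value}'"
        if sql.count("'") % 2:  # unbalanced quote: pretend DB raises syntax error
            return 500, "Error: You have an error in your SQL syntax near " + html.escape(sql)
        return 200, f"<p>Results for {html.escape(value)}</p>"
    if path == "/echo" and method == "POST":
        return 200, f"<p>You said: {params.get('msg', '')}</p>"  # no escaping
    if path == "/about":
        return 200, "<p>About</p>"
    return 404, "Not found"


def send(method, url, data=None):
    """Minimal HTTP client stand-in: splits ?query into params, calls the app."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query))
    params.update(data or {})
    return app_under_test(method, parts.path, params)


# --- Black-box attack-surface discovery: crawl links and forms in responses ---
def discover_attack_surface(start="/"):
    """Return {(method, path): {param names}} found by following responses."""
    surface, seen, queue = {}, set(), [start]
    while queue:
        url = queue.pop()
        if url in seen:
            continue
        seen.add(url)
        _status, body = send("GET", url)
        for href in re.findall(r'href="([^"]+)"', body):
            parts = urlsplit(href)
            if parts.query:
                surface.setdefault(("GET", parts.path), set()).update(
                    k for k, _ in parse_qsl(parts.query))
            queue.append(href)
        for action, form in re.findall(
                r'<form action="([^"]+)" method="post">(.*?)</form>', body, re.S):
            surface.setdefault(("POST", action), set()).update(
                re.findall(r'name="([^"]+)"', form))
    return surface


# --- White-box: surface as if extracted from source/design docs (constructed) ---
WHITEBOX_SURFACE = {("GET", "/search"): {"q"}, ("POST", "/echo"): {"msg"},
                    ("GET", "/export"): {"table"}}

# --- Attack phase: crafted requests and response evaluation ---
SQL_ERROR_SIGNATURES = [r"error in your SQL syntax", r"unterminated quoted string",
                        r"ORA-\d{5}", r"SQLSTATE\["]


def looks_like_sql_error(payload, body):
    return any(re.search(sig, body, re.I) for sig in SQL_ERROR_SIGNATURES)


def is_reflected_unescaped(payload, body):
    return payload in body


CHECKS = [("sql_injection", "'", looks_like_sql_error),
          ("reflected_xss", "<svg/onload=x>", is_reflected_unescaped)]


def scan(surface):
    """Send each payload to each input point; report (vuln, method, path, param)."""
    findings = []
    for (method, path), names in sorted(surface.items()):
        for name in sorted(names):
            for vuln, payload, detect in CHECKS:
                _status, body = send(method, path, {name: payload})
                if detect(payload, body):
                    findings.append((vuln, method, path, name))
    return findings


if __name__ == "__main__":
    bb = discover_attack_surface()
    print("black-box surface:", bb)
    print("black-box findings:", scan(bb))
    print("white-box findings:", scan(WHITEBOX_SURFACE))
```

Run as written, the black-box scan reports the SQL injection in /search and the reflected input in /echo, while the white-box scan additionally reports /export, which no response ever links to. That difference is the practical point of the two approaches: the same attack phase runs in both, and only the completeness of the attack surface changes. A match on an error signature is evidence, not a proof; an application that swallows database errors would yield no finding here even though the concatenated query is still exploitable.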