Testing using fully automated tools is one of the elementary methods of security verification. This type of testing is very fast and consequently cost-effective. When executed, an automated tool first identifies the technologies deployed for better targeting and to minimize the number of test cases. It then maps the test target to detect all components and find all inputs. In the final phase, specific tests are performed on all inputs, accompanied by checking the target's responses, to detect any vulnerabilities.
Upon completion, a fully automated tool will provide a list of vulnerabilities found. However, it often lacks the capability to specify which components have been tested and the corresponding tests performed on them. Consequently, the resulting list of actions, if any, becomes cluttered and impractical to navigate.
It is important to be aware that fully automated testing tools have limitations and cannot identify all vulnerabilities, potentially leading to a false sense of security. The following list presents several types of vulnerabilities that automated tools are unable to detect:
- Vulnerabilities that occur outside the scope of the tested input
- Vulnerabilities in business logic
- Vulnerabilities that manifest only with specific combinations of values across multiple inputs
Furthermore, automated tools may generate a significant number of false positives.
To ensure a higher level of security, it is recommended not to rely solely on automated tools. Manual penetration tests should be conducted, or a combination of automated and manual testing using the Penterep platform can be employed.