What would be the best practice to do a Web Vulnerability Assessment?
Given a site without any functionality on the main page, except a login box and a button to access the features, would it be better just to do a Web VA from the outside, or would it be best to do the VA using a login macro?
Performing both scans may provide you value in terms of understanding the difference between a pure outsider and an inside attack. After those scans, there are Trend, Aggregate, or Scan Difference reports available to review them, as well as the Scan Compare feature found in the toolbar area.
In general, an authenticated scan is the best, in particular with a plain user-level account and NOT an administrator account unless fully prepared. Review the Help guide on this detail, particularly the article on Preparing Your System for Audit under the Getting Started section. Your goal is to test the web application to ensure it has no live exploits regardless of the perspective of the user, not to spend all day breaking into the authentication system. Leave that for the Web Brute tool or others. The same thing is true for organizing a permitted bypass of IDS/WAF to generate the best test profile of the application.
Other key items to review for good assessments include:
- Augment the Web Form Editor input file as needed, especially when many forms are being populated with "12345" (the Default entry). Valid values help expand the attack surface area.
- Understand the human process of the first Crawl-Only > review the coverage > adjust settings > repeat scan (partial or otherwise) > approve "best settings" > proceed to a Crawl-and-Audit scan.
- Learn about viewing the Current Scan Settings and how to save/edit them later within the Edit menu.
- Always check the Recommendations area for your post-scan analysis.
- Learn about the right-click menu options available in the Vulnerabilities tab (Info Summary pane at bottom) as well as in the Site Tree pane.
- Review the Default Scan Settings and review the available Help details for each, especially these:
  - HTTP Parsing
  - Custom Parameters
  - Attack Exclusions
  - File Not Found
- Check out the secondary tools, particularly these:
  - Web Macro Recorder
  - Policy Manager
  - Web Proxy
  - HTTP Editor
  - Review Vulnerability (right-click menu)
  - SQL Injector
  - Generate Reports
- Review the Application Settings and their various uses.
- Try both the Guided Scan Wizard (better) and the Basic Scan Wizard (older) to understand the differences and similarities.
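The answer above recommends running both the outside scan and the login-macro scan and then reviewing the Scan Difference. The following is an added example (not from the original answer or from any scanner vendor) that does that comparison on constructed finding exports and, just as importantly, checks from a constructed crawl log whether the login macro actually kept its session; the log format, the `Finding` fields and the `/login` path are assumptions for illustration.

```python
"""Added example: compare an outside scan with a login-macro scan and check
that the macro held its session. All sample data below is constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    url: str
    check: str
    severity: str

# Constructed finding exports, not real scanner output.
OUTSIDE = {
    Finding("/login", "Cookie without HttpOnly flag", "Low"),
    Finding("/login", "Verbose error on bad credentials", "Low"),
}
AUTHENTICATED = {
    Finding("/login", "Cookie without HttpOnly flag", "Low"),
    Finding("/app/search", "Reflected cross-site scripting", "High"),
    Finding("/app/report", "SQL injection", "Critical"),
}
# Constructed crawl log: "METHOD path status [-> redirect-target]" per request.
CRAWL_LOG = """GET /login 200
POST /login 302 -> /app
GET /app 200
GET /app/search 200
GET /app/report 200
GET /app/admin 302 -> /login"""

def scan_difference(outside, authenticated):
    """Split findings by which perspective sees them (the Scan Compare view)."""
    return {"outsider_only": outside - authenticated,
            "insider_only": authenticated - outside,
            "both": outside & authenticated}

def session_bounce_rate(crawl_log, login_path="/login"):
    """Fraction of post-login requests redirected back to the login page.
    A high rate means the macro lost its session, so the 'authenticated'
    findings mostly describe the login page rather than the application."""
    logged_in, after_login, bounced = False, 0, 0
    for line in crawl_log.splitlines():
        parts = line.split()
        method, path, status = parts[0], parts[1], parts[2]
        target = parts[4] if len(parts) > 4 else None
        if not logged_in:  # skip requests made before the macro signed in
            logged_in = method == "POST" and path == login_path and status.startswith("30")
            continue
        after_login += 1
        if target == login_path:
            bounced += 1
    return bounced / after_login if after_login else 1.0
```

A single bounce (here the admin-only page for a user-level account) is expected; a rate near 1.0 means the macro needs to be re-recorded before the authenticated results are trusted.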