Introduction

What?

Application scanning tools can be used to audit an application for security weaknesses. There are basically two types of application audit tools:

  • A dynamic analysis tool assesses vulnerabilities in an application by analysing its behaviour while it is running (how it responds to input). The best results come from combining automated scanning with a manual walkthrough of the application through an intercepting proxy scanner such as ZAP or Burp.

  • In static analysis, the source code is reviewed for vulnerabilities. This can be done manually or with an automated vulnerability scanner.

Use both approaches, combining manual review with automated scanning of the application.

Why?

Move further and deeper into the scanning process by adding security scanning, in order to discover vulnerabilities that can then be exploited.

How?