Conventional vulnerability scanners such as OpenVAS and Nessus usually work by scanning target machines for open ports and identifying the services running on those ports and their versions, without sending malicious payloads that could disrupt the server. Web vulnerability scanners, by contrast, submit data into web forms and parameters. Even when these scanners are thoroughly tested and their payloads are intended to be safe, that data can compromise the application's stability and the integrity of its information. For this reason, we need to take special care when using these tools as part of a penetration testing project.
In this recipe, we will discuss several aspects to take into account before launching an automated test against a target application in an enterprise setup.