Assessing the coverage of a penetration test (either manual or automated) is notoriously hard. A series of questions often arises:
- How do you ensure that all features and pages have been tested comprehensively during the test?
- Has the test covered all functionality in your application, or have some stones been left unturned?
- Has the test been able to emulate the actions of a real hacker sufficiently to uncover any security issues?
Consultants conducting manual penetration tests (MPTs) will often only provide a section in their final report on the general methodology they applied during the test and, perhaps, a list of the URLs/endpoints included in the scope of the test. However, neither gives a clear picture of what has actually been tested, nor of whether all interactive elements (e.g., input fields, buttons, links, etc.) have been examined thoroughly.
Dynamic application security test (DAST) solutions suffer from the same problem. After completing a test, most will provide a raw list of the HTTP requests made during the test, but that says nothing about the actual interaction with the functionality in the application. In the modern world of web development, where most user interactions do not trigger an HTTP request, a list of such requests isn't going to say anything about the actual coverage of the application. Ultimately, when running a test on a web application with a generic DAST solution, you'll still be largely in the dark about the actual security of your application.
In Heyhack, we've been addressing this problem ever since we launched a year ago and became the #1 Product of the Week on Product Hunt. The coverage exploration tool on the test report page in Heyhack lets you review every single page found by Heyhack Scan during the penetration test and see all the elements that Heyhack has interacted with and tested. We also show each and every test case that has been conducted and whether they have failed or passed—both on a page level and on an element level. Now, we are taking things up a notch by launching our brand new, ground-breaking feature: complete video playback of the entire penetration test in Heyhack.
The feature is still in beta but has already been rolled out to all penetration tests starting August 14, 2023. Create an account or log into Heyhack and run a penetration test. Once it's completed, you'll see a Video button, letting you get a sneak peek at this awesome new feature.
You can also review a sample from a recent test we ran on the OWASP Juice Shop. The video gives a pretty good look into what's going on inside the scanner during the penetration test. As you'll see, it's pretty comprehensive. Once we release the feature in GA, we'll include some supporting features, including an event timeline that lets you jump to interesting actions made by the scanner during the test, such as logging in, navigating between pages, and submitting forms.
We hope that you'll appreciate this new look into the engine of Heyhack Scan. We're keen to hear your feedback, so after trying it out, please shoot us an email with your thoughts to firstname.lastname@example.org—the whole team at Heyhack monitors that inbox. We can't wait to hear what you think!