TECH NOTE

Top 5 Logic Flaws Scanners Miss

Why Manual Penetration Testing is Mandatory

Automated scanners (like Nessus or Burp Suite Pro) are essential, but they are dumb. They look for patterns (signatures). They cannot understand context. Here are the top 5 findings our manual penetration testers discover that scanners miss:

1. IDOR (Insecure Direct Object References)

  • Scenario:
    A user changes user_id=100 to user_id=101 in the URL and sees another user's invoice.
  • Why scanners miss it:
    The scanner doesn't know whose data the response contains, so it cannot tell that user 100 was served user 101's invoice. It just sees a "200 OK".

2. Business Logic Bypass

  • Scenario:
    An e-commerce site allows you to add items to a cart, but if you remove the item in a specific API call sequence, the price drops to £0.00.
  • Why scanners miss it:
    This requires understanding the intent of the checkout flow.

3. Race Conditions

  • Scenario:
    Submitting a single coupon code in 20 simultaneous requests so that the server redeems it 20 times and the discount is applied 20x.
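The coupon race described above, as an added Python example that is not code from the original note: a constructed cart with the vulnerable check-then-write redemption beside an atomic version, each hit by 20 simultaneous threads. The barrier and the short sleep are assumptions that make the race window reproducible on one machine; in production the same window is the gap between a SELECT and a later UPDATE.

```python
import threading
import time


class Cart:
    # Constructed checkout cart: the rule is one coupon redemption per order.
    def __init__(self, total):
        self.total = total
        self.coupon_used = False
        self._lock = threading.Lock()

    def apply_coupon_unsafe(self, discount):
        # Vulnerable: the "already used?" check and the "mark used" write are
        # separate steps, so parallel requests can all pass the check first.
        if not self.coupon_used:
            time.sleep(0.01)  # stands in for a DB round trip; widens the window
            self.total -= discount
            self.coupon_used = True
            return True
        return False

    def apply_coupon_safe(self, discount):
        # Fixed: check-and-set happens atomically under a lock. In a real
        # service use a conditional UPDATE ... WHERE coupon_used = false or a
        # unique constraint on (order_id, coupon_code) so the DB enforces it.
        with self._lock:
            if self.coupon_used:
                return False
            self.coupon_used = True
            self.total -= discount
            return True


def redeem_in_parallel(cart, method_name, discount, n=20):
    # Fire n simultaneous redemptions and return how many were accepted.
    method = getattr(cart, method_name)
    barrier = threading.Barrier(n)  # release every worker at the same instant
    results = []

    def worker():
        barrier.wait()
        results.append(method(discount))

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(1 for r in results if r)
```

A useful detection signal is the same check in reverse: more than one accepted coupon redemption per order id in the application logs means the atomic guard is missing.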

4. Broken Access Control (Horizontal)

  • Scenario:
    A "Viewer" role calling an "Admin" API endpoint.
  • Why scanners miss it:
    Unless configured with complex multi-user session tokens, scanners rarely test cross-role permissions effectively.

Conclusion

Compliance requires scanning. Security requires thinking.