DEV Community

0x7b

Observing Behavioral Anomalies in Web Applications Beyond Signature Scanners

Most web scanners rely on payload signatures and response matching. In practice, I often see cases where the server behaves differently without any explicit error:

- latency spikes
- unexpected redirects
- status changes

Signature-based tools usually report these scenarios as “clean”, even though they indicate backend instability or logic issues.

The challenge is that these anomalies don’t fit traditional vulnerability categories like SQLi or XSS — they’re about how the system reacts under unusual input, not whether a known exploit triggers.

Example Observation

Below is a sample result from testing http://testphp.vulnweb.com/artists.php:

Screenshot showing latency spikes (RTT) and body hash changes for specific inputs. Signature-based scanners would likely mark this as “clean”.

Notice:

- `artist=SLEEP(1)` causes the response time to jump from ~197ms → 3212ms
- BODY_HASH changes indicate that the server response was altered
- Other inputs (`%22`, `%5C`, `%255c`) also trigger body changes without explicit errors

These anomalies highlight how a server can behave unexpectedly under test conditions, which traditional signature-based scanners often miss.
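As an added example (not code from this post, nor from any tool it mentions), here is a small Python classifier that turns the kind of observation above into a repeatable check. It builds a baseline from several repeated requests (median RTT and MAD rather than one measurement, so ordinary jitter is not reported), blanks volatile fragments such as anti-CSRF tokens before hashing the body, and then flags each probe response on four dimensions: status code, redirect, latency, and body hash. The `Observation` records, the page markup, and the RTT values are constructed for the example and loosely follow the numbers in the post; the `VOLATILE` patterns are an assumption about what legitimately varies between identical pages and would need adjusting per application.

```python
import hashlib
import re
import statistics
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One observed HTTP exchange. The observations below are constructed for this
# example; in a real run they would be filled from a client's response object
# (status code, elapsed time, Location header, body text).
@dataclass
class Observation:
    probe: str               # input value sent, or "baseline"
    status: int
    rtt_ms: float
    location: Optional[str]  # Location header if the server redirected
    body: str

# Assumed patterns for values that legitimately differ between otherwise
# identical responses (anti-CSRF tokens, server timestamps). They are blanked
# before hashing so a changed hash reflects a real change, not noise.
VOLATILE = [
    re.compile(r'name="csrf_token" value="[^"]*"'),
    re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"),
]

def body_hash(body: str) -> str:
    """SHA-256 of the body with volatile fragments removed (first 16 hex chars)."""
    for pat in VOLATILE:
        body = pat.sub("", body)
    return hashlib.sha256(body.encode("utf-8")).hexdigest()[:16]

def baseline_profile(samples: List[Observation]) -> dict:
    """Summarise several repeated baseline requests.

    Median and MAD are used instead of a single measurement so that normal
    network jitter does not trip the latency check.
    """
    rtts = [s.rtt_ms for s in samples]
    median = statistics.median(rtts)
    mad = statistics.median(abs(r - median) for r in rtts) or 1.0
    return {
        "rtt_median": median,
        "rtt_mad": mad,
        "statuses": {s.status for s in samples},
        "hashes": {body_hash(s.body) for s in samples},
        "redirects": any(s.location for s in samples),
    }

Finding = Tuple[str, str]  # (kind, detail)

def classify(profile: dict, obs: Observation, rtt_k: float = 10.0) -> List[Finding]:
    """Compare one probe response against the baseline profile.

    Returns an empty list when nothing deviates, otherwise one finding per
    dimension that changed: status, redirect, rtt, body.
    """
    findings: List[Finding] = []
    if obs.status not in profile["statuses"]:
        findings.append(("status", f"{obs.status} not in baseline {sorted(profile['statuses'])}"))
    if bool(obs.location) != profile["redirects"]:
        findings.append(("redirect", obs.location or "redirect disappeared"))
    threshold = profile["rtt_median"] + rtt_k * profile["rtt_mad"]
    if obs.rtt_ms > threshold:
        findings.append(("rtt", f"{obs.rtt_ms:.0f}ms > {threshold:.0f}ms"))
    if body_hash(obs.body) not in profile["hashes"]:
        findings.append(("body", body_hash(obs.body)))
    return findings

# Constructed sample data: five baseline requests that differ only in the CSRF
# token, then four probe responses (~197ms baseline, 3212ms for the slow one).
PAGE = '<html><input name="csrf_token" value="{tok}"><p>3 artists</p></html>'
BASELINE = [
    Observation("baseline", 200, rtt, None, PAGE.format(tok=f"t{i}"))
    for i, rtt in enumerate([190.0, 197.0, 204.0, 199.0, 195.0])
]
PROBES = [
    Observation("SLEEP(1)", 200, 3212.0, None, PAGE.format(tok="t9")),
    Observation("%22", 200, 201.0, None,
                '<html><input name="csrf_token" value="t9"><p>0 artists</p></html>'),
    Observation("admin", 302, 188.0, "/login.php", ""),
    Observation("1", 200, 210.0, None, PAGE.format(tok="t8")),  # within jitter: no finding
]

def run_report(baseline=BASELINE, probes=PROBES) -> Dict[str, List[Finding]]:
    """Map each probe value to its list of findings."""
    profile = baseline_profile(baseline)
    return {p.probe: classify(profile, p) for p in probes}

if __name__ == "__main__":
    for probe, findings in run_report().items():
        print(f"{probe!r}: {findings or 'no anomaly'}")
```

In a real harness the `Observation` fields come from the HTTP client, and the baseline should be sampled more than once and re-sampled periodically, because a shared test host's latency drifts over a session. A changed body hash only says "different"; the two bodies still need a manual diff to decide whether the change is an error page, altered logic, or harmless dynamic content that belongs in `VOLATILE`.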

I’m curious how others in web security detect and interpret these kinds of behavioral anomalies during testing.

(Optional reference for context: Blink)
