
What Is Website Vulnerability Testing?

QUICK ANSWER

Website vulnerability testing is the process of scanning your website for security weaknesses that attackers could exploit. It covers SQL injection, cross-site scripting (XSS), open ports, directory traversal, insecure file uploads, default credentials, and misconfigured servers. Automated tools can test for 16+ vulnerability types in minutes.

Every website has weaknesses. Some are obvious, like an admin page accessible without a password. Others are subtle, like a form field that lets an attacker run database commands. Vulnerability testing is the systematic process of finding these weaknesses before attackers do.

It is not the same as a penetration test (often called a "pen test"), which simulates a real attack by an experienced security professional. Vulnerability testing is broader and more methodical: it scans for known issues across your entire website using automated tools, producing a prioritised list of problems to fix.

Think of it like an MOT for your website. You would not drive a car for years without checking the brakes, and you should not run a website without checking its security.

Types of vulnerability testing

Automated scanning

Automated scanners crawl your website, test every input field, check every header, probe every port, and compare what they find against databases of known vulnerabilities. A good automated scanner can test for 16 or more vulnerability categories in a single scan, completing in minutes rather than days.

Automated scanning is ideal for:

  • Regular security checks (monthly or after any changes)
  • Pre-deployment verification before launching new features
  • Continuous monitoring to catch new vulnerabilities as they emerge
  • Meeting compliance requirements (GDPR, PCI-DSS)

Manual penetration testing

Penetration testing goes deeper. A skilled security professional manually explores your website, looking for logic flaws, business process vulnerabilities, and chained exploits that automated tools cannot detect. Pen tests typically take days or weeks and cost thousands of pounds.

For most small and medium businesses, automated scanning provides the best return on investment. It catches the vast majority of common vulnerabilities at a fraction of the cost. Manual pen testing is valuable for high-risk applications (payment processing, healthcare data, financial services) or as an annual deep-dive alongside regular automated scans.

What gets tested

A comprehensive vulnerability scan covers the OWASP Top 10, which represents the most critical security risks to web applications. Here are the main categories:

SQL injection (SQLi)

When your website takes user input (a search box, a login form, a URL parameter) and uses it directly in a database query without proper sanitisation, an attacker can inject SQL commands. This can let them read, modify, or delete your entire database.

Example: A login form where entering ' OR 1=1 -- in the username field bypasses authentication entirely.

Cross-site scripting (XSS)

XSS lets an attacker inject JavaScript into your web pages. When another user loads the page, the script runs in their browser and can steal their session, redirect them to a phishing site, or perform actions on their behalf. Read our detailed guide: What is cross-site scripting (XSS)?

Cross-site request forgery (CSRF)

CSRF tricks an authenticated user into performing actions they did not intend. An attacker creates a page that sends a request to your website using the victim's existing session cookie. If the user is logged in, the request succeeds.

Directory traversal

Also called path traversal, this vulnerability lets an attacker access files and directories outside the intended web root by using sequences like ../../ in URLs or input fields. This can expose configuration files, password files, and source code.
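One way to block the ../ sequences described above is to canonicalise the requested path and confirm it is still under the web root. This is an added example, not code from the original page; the function names and the sample requests are assumptions.

```python
import os
import tempfile

def resolve_inside(web_root, requested):
    """Return the canonical path for `requested`, or None if it leaves web_root.

    Assumes `requested` has already been URL-decoded by the web framework.
    """
    root = os.path.realpath(web_root)
    # realpath collapses ../ sequences and follows symlinks before the check.
    candidate = os.path.realpath(os.path.join(root, requested))
    # Compare whole path components; a plain startswith() would wrongly
    # accept a sibling directory such as /var/www-backup for root /var/www.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate

def demo():
    """Check constructed requests against a temporary web root."""
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "www")
        os.makedirs(os.path.join(root, "css"))
        os.makedirs(os.path.join(base, "www-backup"))
        requests = ["css/site.css", "css/../index.html", "../config.ini",
                    "css/../../www-backup/db.sql", "/etc/passwd"]
        # True means the request resolves to a path inside the web root.
        return {r: resolve_inside(root, r) is not None for r in requests}

if __name__ == "__main__":
    for request, allowed in demo().items():
        print("allow " if allowed else "reject", request)
```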

File inclusion

If your website dynamically includes files based on user input (such as a URL parameter like ?page=about), an attacker might be able to include arbitrary files from the server or even remote files, potentially executing malicious code.

Command injection

Similar to SQL injection, but instead of database commands, the attacker injects operating system commands. If your website passes user input to a shell command, an attacker can run arbitrary commands on your server.

Open ports and services

Every open port on your server is a potential entry point. Ports that should not be publicly accessible, such as database ports (3306, 5432) or admin panels (8080), are routinely discovered by attackers scanning the internet. Read our guide: How to check for open ports on a website

Insecure file uploads

If your website allows file uploads without properly validating the file type and content, an attacker can upload a PHP shell, a script, or other executable file and then access it directly to run commands on your server.

Default credentials

Many CMS platforms, admin panels, and databases ship with default usernames and passwords. Failing to change these is one of the most common and most easily exploited vulnerabilities.

Misconfigured servers

This category covers missing security headers, verbose error messages that reveal server details, enabled directory listing, and visible default server pages. These are configuration issues rather than code vulnerabilities, but they make attacks easier.

How automated scanning works

A typical automated vulnerability scan follows this process:

  1. Discovery. The scanner crawls your website, mapping out every page, form, input field, and endpoint.
  2. Probing. For each input point, the scanner sends crafted payloads designed to trigger specific vulnerabilities. It tests for SQL injection by sending SQL fragments, tests for XSS by sending script tags, and so on.
  3. Analysis. The scanner analyses the server's response to each probe. An error message containing SQL syntax, for example, suggests SQL injection. A reflected script tag suggests XSS.
  4. Port scanning. The scanner probes common network ports to see which ones accept connections.
  5. Header checking. The scanner checks which security headers are present and correctly configured.
  6. Reporting. All findings are compiled into a report, categorised by severity, with remediation advice for each issue.

Severity ratings

Vulnerabilities are typically rated on a four-point scale:

  • Critical: Can be exploited immediately to gain full control of the server, access sensitive data, or cause significant damage. Examples: remote code execution, SQL injection that exposes the full database.
  • High: Can lead to significant data exposure or unauthorised access but may require specific conditions. Examples: authenticated SQL injection, stored XSS on an admin page.
  • Medium: Limited impact or requires specific circumstances to exploit. Examples: reflected XSS, verbose error messages revealing server technology.
  • Low: Minimal direct impact but provides information that could aid further attacks. Examples: missing security headers, internal IP address disclosure.

Fix critical and high issues immediately. Medium issues should be addressed within days. Low issues should be scheduled into your regular maintenance.
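The analysis, header-checking and reporting steps, combined with the four-point severity scale, can be sketched over recorded responses. This is an added example, not PulseShield's scanner or code from the original page; the header subset, the error patterns, the "High" rating for an unconfirmed SQL error and the sample responses are all assumptions.

```python
import re

SEVERITY_ORDER = ["Critical", "High", "Medium", "Low"]  # the page's four-point scale

# Assumption: an illustrative subset of security headers, not a complete policy.
EXPECTED_HEADERS = ["Strict-Transport-Security", "Content-Security-Policy",
                    "X-Content-Type-Options", "X-Frame-Options"]
# Assumption: a few well-known database error fragments; real scanners carry more.
SQL_ERROR_PATTERNS = [r"You have an error in your SQL syntax",
                      r"unterminated quoted string", r"sqlite3\.OperationalError"]

def analyse(url, headers, body):
    """Analysis and header checking: inspect one recorded response."""
    findings = []
    present = {name.lower() for name in headers}  # header names are case-insensitive
    for name in EXPECTED_HEADERS:
        if name.lower() not in present:
            findings.append({"severity": "Low", "url": url,
                             "issue": "Missing security header: " + name,
                             "evidence": "header absent from response"})
    for pattern in SQL_ERROR_PATTERNS:
        match = re.search(pattern, body, re.IGNORECASE)
        if match:
            # Assumed rating: the error only suggests SQL injection until confirmed.
            findings.append({"severity": "High", "url": url,
                             "issue": "Database error text in response (possible SQL injection)",
                             "evidence": match.group(0)})
            break  # one database-error finding per response is enough
    return findings

def build_report(responses):
    """Reporting: merge findings, order by severity, count each level."""
    findings = [f for r in responses for f in analyse(*r)]
    findings.sort(key=lambda f: SEVERITY_ORDER.index(f["severity"]))
    counts = {level: sum(f["severity"] == level for f in findings)
              for level in SEVERITY_ORDER}
    return {"counts": counts, "findings": findings}

# Constructed sample responses (url, headers, body); not captured from a real site.
ALL_SET = {"strict-transport-security": "max-age=31536000",
           "Content-Security-Policy": "default-src 'self'",
           "X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY"}
NO_HSTS = {k: v for k, v in ALL_SET.items() if k != "strict-transport-security"}
SAMPLE_RESPONSES = [
    ("https://shop.example/", NO_HSTS, "<h1>Welcome</h1>"),
    ("https://shop.example/search?q=test", ALL_SET,
     "Error: You have an error in your SQL syntax near ''' at line 1"),
]
```

Calling build_report(SAMPLE_RESPONSES) lists the database error finding first and the missing header second, each with the URL and the evidence a report should carry.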

How often should you test?

The short answer: regularly. Security is not a one-time event. New vulnerabilities are discovered daily, and changes to your website (new features, updated plugins, server patches) can introduce new weaknesses.

Recommended schedule:

  • Monthly automated scans for most business websites.
  • After any significant change to your website (new feature, plugin update, server migration).
  • Quarterly scans at minimum for any site handling personal data or payments.
  • Annual penetration test for high-risk applications.

If your website is covered by GDPR (and if you operate in the UK or EU, it almost certainly is), you have a legal obligation to implement appropriate technical measures to protect personal data. Regular vulnerability testing is one of the most straightforward ways to demonstrate compliance.

What a vulnerability report looks like

A good vulnerability report should include:

  • A summary of the scan with an overall risk score
  • Each finding listed with its severity rating
  • The URL or location of the vulnerability
  • A description of the issue and its potential impact
  • Proof that the vulnerability exists (such as a crafted payload and the server's response)
  • Clear remediation steps

PulseShield's free security scan produces exactly this kind of report, covering open ports, security headers, SSL configuration, cookie settings, email authentication, and more.
