When it comes to penetration testing, assessing web applications is pretty unique compared to the other sorts of testing. We’ve already written about web application penetration testing in general, geared to helping you understand the point of testing, the associated costs, some of the challenges, etc. So go back and read that if you’re looking for a general understanding of this type of testing, but if you’re a penetration tester that is looking to get into web application penetration testing, expand your understanding, or refine your testing process, then this guide is for you!
Web applications are quickly rising to the forefront of security concerns for many organizations. As organization’s continue to improve their external security posture, attackers are quickly left with just a few viable avenues of attack. If there’s nothing unnecessary exposed and there’s multi-factor authentication (MFA) on the VPN and email, a dedicated attacker is probably going to turn their attention to social engineering or the web applications exposed. Most of the time, these web applications are part of a company’s core business model, too. So the impact of a successful compromise can be extreme, especially for SaaS providers or e-commerce platforms.
What Makes Web App Pen Testing Different?
Before we cover a basic approach to testing, it’s helpful if we have an idea of some of the unique concerns when it comes to assessing the security of a web application and why there are more challenges with developing a standardized testing process.
First, every application is different. There’s so many different combinations of language, framework, architecture, tech stack, etc. And each combination creates a unique attack surface, making it really hard to create a standard testing checklist that you can use every time. For a network-level assessment, there are differences between organization’s networks, but those differences still fit into the same general testing process. With web applications, entire portions of testing could very quickly become non-applicable or you could be looking for very different vulnerabilities.
Beyond their uniqueness, web applications are often relevant in other types of testing, outside of dedicated web application penetration tests. External or internal network assessments often have application-level testing as part of them, so a consistent approach to assess web apps can help all testers. But when testers come across custom applications, not everyone is comfortable evaluating them, particularly for penetration testers that don’t have a background in application development.
So this is where a realistic and approachable testing methodology can help…
High-Level Web Application Penetration Testing Process
For web application security, OWASP is a great, community-driven resource that produces content such as the Top 10 and a Security Testing Guide. Both of these tools are extremely valuable in different ways, with the OWASP Top 10 helping educate organizations on what the most prevalent attack vectors are for web applications and the Security Testing Guide providing an extremely thorough checklist of things to look for when it comes to evaluating web application security. But neither of these tools really help a penetration tester that is trying to assess a target web application. They don’t give you a process or methodology to follow. Let’s look at a good place to start when it comes to your testing process.
- Planning/Preparation – Obtain all the information/approvals you need to conduct an efficient and thorough penetration test.
- Rules of Engagement
- Target Information
- Application Walkthrough
- Tool Configuration
- Unauthenticated Testing – Gather target information and gain unauthorized access to the application or sensitive information.
- Network Layer
- Application Architecture
- Application Content
- The Login Process – Evaluate the security controls employed within the login process and session management.
- Logging In
- Session Management
- Authenticated Testing – Gain unauthorized access to sensitive information, escalate privileges, or take control of underlying host.
- Injection Points
- File Uploads
- Business Logic
- Parameter Tampering
- Information Disclosure/Verbose Responses
- Repeat this phase for all available user roles!
- QA/Reporting – Ensure every vulnerability is reported accurately and clearly to empower organizations to fix issues.
- Ensure full coverage of the application
- Identify strengths in security controls
- Be realistic in risk ranking
- Clear reporting so devs can fix issues
This process will provide you with a quick, repeatable methodology that will apply to any application you are assessing. Within each of these steps, we could definitely expand into a lot more detail (and will in future blogs!), but this should get you started. Let us know if you’d like to talk more about a web application penetration test or if you’re looking to become a web application penetration tester!