Does an External Penetration Test Include Web Application Testing?

One question we still hear from time to time is: Does an external penetration test include web application testing? It’s a fair question and one that often confuses people, because the answer is, “kind of, but not exactly.” Let’s break it down further.

What types of web application penetration testing are generally included in an external test?

The goal of an external penetration test is to emulate an attacker trying to hack into your organization. As such, during an external penetration test, the engineer will enumerate all services listening, try to find vulnerabilities with those services, and then try to exploit those vulnerabilities. When an engineer discovers a web service listening, they will perform the following:

  • Attempt to enumerate all information about the underlying server. Is it running IIS or Apache? What version? What libraries and plugins are installed? Are there any known vulnerabilities with any of these? Most of this information is determined via response headers, viewing the source code for the website, and leftover artifacts from the installation.
  • Enumerate the website’s pages and directories. This may disclose sensitive information or reveal hidden pages that can be used in later attacks. This is done by spidering the website and brute forcing directory names.
  • If any login pages are discovered, the tester will attempt to authenticate to them. This includes trying default passwords, where applicable. If that doesn’t work, are there any known usernames? Known usernames could come from open source reconnaissance, or perhaps the website allows us to enumerate usernames in some way. Using a list of usernames, the engineer will attempt to guess passwords. Additionally, the engineer will test the logon page for injection attacks that may allow them to bypass authentication.
  • Similarly, if any forms are discovered, these will be tested for common vulnerabilities such as SQL Injection.
  • If an engineer is unable to gain access or find any vulnerabilities, they will move on to the next system in scope. Again, the goal is to emulate an attacker, and just like an attacker, if one door doesn’t work, they will move on to the next.
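As an added illustration (not code from the original article), here is the first bullet’s information gathering turned around into a defender’s self-check: it scans a response’s headers and page source for product and version disclosures and for installation leftovers. The sample headers, HTML and the list of leftover paths are constructed assumptions.

```python
import re

# Constructed sample of the headers and page source an external tester would
# collect; not a real response. The checks flag the version disclosures the
# text says are harvested from headers, page source and installation leftovers.
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Powered-By": "PHP/7.2.24",
    "Content-Type": "text/html; charset=utf-8",
}
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 5.4.2">
<script src="/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=5.1.7"></script>
</head><body><a href="/phpinfo.php">diagnostics</a></body></html>"""

# Response headers that commonly carry a product and version string.
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
VERSION_RE = re.compile(r"\d+\.\d+(\.\d+)?")
# Installation leftovers that should not be reachable on a production site (assumed list).
LEFTOVER_PATHS = ("/phpinfo.php", "/readme.html", "/install.php", "/setup.php")


def find_disclosures(headers: dict, html: str) -> list:
    """Return (source, detail) pairs for every version or artifact disclosure."""
    findings = []
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    for name in BANNER_HEADERS:
        value = lowered.get(name)
        if value and VERSION_RE.search(value):
            findings.append(("header", f"{name}: {value}"))
    # <meta name="generator"> tags that state the CMS and its version.
    for gen in re.findall(r'<meta name="generator" content="([^"]+)"', html):
        if VERSION_RE.search(gen):
            findings.append(("source", f"generator: {gen}"))
    # Plugin and library versions exposed through ?ver= query strings on assets.
    for src, ver in re.findall(r'src="([^"?]+)\?ver=([\d.]+)"', html):
        findings.append(("source", f"{src.rsplit('/', 1)[-1]} ver={ver}"))
    # References to well-known installation leftovers.
    for path in LEFTOVER_PATHS:
        if path in html:
            findings.append(("artifact", path))
    return findings


if __name__ == "__main__":
    for source, detail in find_disclosures(SAMPLE_HEADERS, SAMPLE_HTML):
        print(f"[{source}] {detail}")
```

Each finding maps to a configuration fix (suppress the banner, remove the generator tag, strip asset version strings, delete the leftover file) rather than to something an attacker would need.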

What is Not Included?

In the five steps listed above, there is some overlap with what would happen during a formal web application penetration test, and one might think that an external penetration test includes this type of testing. If you think that, you are technically right: it does include some level of application layer testing. However, it is not the same thing as a web application penetration test. Here are several things that a web application penetration test would include that are not covered in an external penetration test.

  • Authenticated Testing – The first and most obvious difference is that an external penetration test will only test the non-authenticated portions of your web application. The tester will enumerate what they can from an unauthenticated portion of the site and attempt to break in, but unless they successfully break in, the inside of the web application will never be discovered. Even if they do successfully break in, the tester at that point will be interested in elevating their permissions and gaining access to the underlying server, not necessarily evaluating the application. In contrast, during the kickoff for a web application penetration test, the testing firm will ask for valid credentials so that they can test the internal portion of the web application. A web application penetration test will evaluate the unauthenticated AND authenticated portions of the application.
  • Roles – Similarly, an external penetration test will not test the various roles that may exist inside the application. An easy way to explain this is to imagine a school that had a web application where teachers input their grades. During a web application penetration test, we will see if a student can change their grade. We will see if a teacher can see and modify the grades of other teachers. We will see if a student can become an administrator and create a new teacher account. A web application penetration test evaluates all of the roles of an application and tries to circumvent the access controls in place.
  • Checkout – In e-commerce platforms, the checkout process is one of the areas a tester will focus on during a web application penetration test. Can I change the cost of the items in my shopping cart? Is the credit card information sent securely? Can I use a fake credit card? While some of these findings may be discovered in an external penetration test, they are more likely to be discovered in a test that is solely dedicated to the application and its overall security. The focus of an external penetration test is to gain access, not to holistically evaluate the security of every application.
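To make the Roles bullet concrete, here is an added example (not from the original article) that models the school grade book with server-side role and ownership checks; the three abuses the text lists (a student changing a grade, a teacher touching another teacher’s grades, a student creating a teacher account) are exactly what these checks must refuse. The user names, courses and grades are constructed sample data.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller's role or ownership does not permit the action."""


@dataclass
class User:
    name: str
    role: str  # "student", "teacher" or "admin"


@dataclass
class GradeBook:
    users: dict = field(default_factory=dict)    # name -> User
    courses: dict = field(default_factory=dict)  # course -> owning teacher
    grades: dict = field(default_factory=dict)   # (student, course) -> grade

    def set_grade(self, actor: User, student: str, course: str, grade: str) -> None:
        # Only the teacher who owns the course may write a grade for it; a
        # student is rejected no matter which record the request names.
        if actor.role != "teacher" or self.courses.get(course) != actor.name:
            raise Forbidden(f"{actor.name} may not grade {course}")
        self.grades[(student, course)] = grade

    def view_grade(self, actor: User, student: str, course: str) -> str:
        # Students see only their own grades, teachers only their own courses,
        # administrators everything.
        own_record = actor.role == "student" and actor.name == student
        own_course = actor.role == "teacher" and self.courses.get(course) == actor.name
        if not (own_record or own_course or actor.role == "admin"):
            raise Forbidden(f"{actor.name} may not view {student}/{course}")
        return self.grades[(student, course)]

    def create_account(self, actor: User, name: str, role: str) -> User:
        # Only administrators create accounts, so a student cannot mint a teacher.
        if actor.role != "admin":
            raise Forbidden(f"{actor.name} may not create accounts")
        self.users[name] = User(name, role)
        return self.users[name]


def build_sample() -> GradeBook:
    """Constructed school: one admin, two teachers, one student (sample data)."""
    gb = GradeBook()
    for name, role in (("principal", "admin"), ("ms_lee", "teacher"),
                       ("mr_cox", "teacher"), ("alice", "student")):
        gb.users[name] = User(name, role)
    gb.courses.update({"algebra": "ms_lee", "history": "mr_cox"})
    gb.grades[("alice", "algebra")] = "C"
    return gb
```

A web application test exercises every method with every role; an external test, lacking credentials, never reaches this layer at all.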

In summary, an external penetration test includes some parts of a web application test. For the websites discovered, the engineer will evaluate the application in an attempt to break in or gain access to sensitive information. However, it is not the same as a web application penetration test. Simply relying on an external penetration test alone to ensure the security of your applications is insufficient and will leave many aspects of the application untested.