Does an External Penetration Test Include Web Application Testing?

One area of confusion we run into every once in awhile centers around whether an external penetration test includes web application testing. Customers want to know if the external penetration test we are doing on their perimeter will also include web application testing for the systems in scope. The reason this can cause confusion is because the answer is sort of, but not really. Let’s break it down further.

What is Included?

The goal of an external penetration test is to emulate an attacker on the network trying to hack into your organization. As such, during an external penetration test, the engineer will enumerate all services listening, try to find vulnerabilities with those services, and try to exploit those vulnerabilities. When the engineer discovers a web service listening he will perform the following:

  • Attempt to enumerate all information about the underlying server. Is it running IIS or Apache? What version? What libraries and plugins are installed? Are there any known vulnerabilities with any of these? Most of this information is determined via response headers, viewing the source for the website, and leftover artifacts from installation.
  • Enumeration of the application pages and directories. This may lead to sensitive information being disclosed or hidden pages being identified that can be used in future attacks. This can be done by spidering the website and directory brute forcing.
  • For any login pages discovered, the attack team will attempt to authenticate. This includes trying default passwords, where applicable. If that doesn’t work, are there any known usernames? Known usernames could come from open source reconnaissance or perhaps the website allows us to enumerate usernames in some way. Using a list of usernames, the engineer will attempt to guess passwords. Additionally, the engineer will test the logon page for injection attacks that may allow them to bypass authentication.
  • Similarly, if any forms are discovered, these will be tested for common vulnerabilities such as SQL Injection.
  • If an engineer is unable to gain access, or unable to find any vulnerabilities, they will move on to the next system in scope. Again, the goal is to emulate an attacker, and just like an attacker, if one door doesn’t work, they will move on to the next.

What is Not Included?

In the five steps listed above, there is a lot of overlap and one might think that an external penetration test includes web application testing. If you think that, you are technically right, it does include application layer testing, however, it is not the same thing as a web application penetration test. Here are several things that a web application penetration test would include that are not covered in an external penetration test.

  • Authenticated Testing – The first and most obvious difference is that an external penetration test will only test the external portions of your web application. The engineer will enumerate what he can from an unauthenticated portion of the site, and attempt to break in, but unless they successfully break in, the inside of the web application will never be discovered. Even if they do successfully break in, the engineer at that point will be interested in elevating their permissions and gaining access to the underlying server, not necessarily evaluating the application. In contrast, during the kickoff for a web application penetration test, we will ask for valid credentials so we can test the inside of the network. A web application penetration test will evaluate the unauthenticated AND authenticated portions of the application.
  • Roles – Similarly, an external penetration test will not test the various roles of the application. An easy way to explain this is to imagine a school had a web application where teachers input their grades. During a web application penetration test, we will see if a student can change their grade. We will see if a teacher can see and modify grades of other teachers. We will see if a student can become an administrator and create a new teacher account. A Web Application Penetration Test evaluates all of the roles of an application and tries to circumvent the access controls in place.
  • Checkout – Let’s say we are testing an e-commerce application that sells office supplies. One of the things an engineer will focus on during a web application penetration test is that checkout process. Can I change the cost of the items in my shopping cart, is the credit card information sent securely, can I use a fake credit card, etc. While some of these findings will be discovered in an external penetration test, this isn’t the focus of an external penetration test. The focus of an External Penetration Test is to break in, not holistically evaluate the security of the application.

In summary, an external penetration test does include web application testing to some extent. For the websites discovered, the engineer will evaluate the application in an attempt to break in or gain access to sensitive information. However, it is not the same as a web application penetration test. Simply relying on an external penetration test alone to ensure the security of your applications is insufficient and will leave many aspects of the application untested.