Web Application Penetration Testing

Blog by: Grant Knoetze

Web application penetration testing, known also as website intrusion testing, is the process of systematically attacking a web application with the intent of discovering and wherever possible exploiting found vulnerabilites for the purposes of testing the security of the application, and to then make recommendations after an analysys of the results. The process is given to us by certain authorities on the best practice of web application penetration testing. First, the Open Web Application Security Project (OWASP), who publish, among other materials, the OWASP Web Security Testing Guide. OWASP Web Application Testing Guide. It is recommended that web application testing should be performed according to the OWASP guidelines, as well as the Penetration Testing Execution Standard (PTES). Penetration Testing Execution Standard

Web appication testing is a rigorous undertaking, and is quite expensive for companies, but essential for certain types of accreditation and insurance purposes. Certain regulatory bodies such as the Payment Card Industry Data Security Standard Payment Card Industry Data Security Standard define a set of standards for companies and individual testers to abide by, and it also defines a standard for the actual testers to align with. If you read the OWASP WS TG to will see that from the beginning it is acknowledged that web intrusion testing is an activity that is often performed late in the Software Development Life Cycle SDLC, and much earlier in the SDLC code analysis and review, in addition to other security best practices, should be performed in order to advance the organizations security posture. So, web application penetration is usually performed late in the SDLC, but is essential nonetheless. A full web application penetration test can include the following activities:

  • Source code review or static code analysis: This is where the web applications source code is analysed for security best practices, vulnerabilites, and other issues in the actual source code.

  • Web intrusion test or dynamic code analysis: This is where the web application is attacked using various tools and technologies. This after multiple documents have been signed by boty parties, secure encrypted channels of communication and secure encrypted storage, and other issues have been seen to including involving a lawyer and solid Non Disclosure agreements have been signed by all stakeholders.

  • Infrastructure test: During this process, the infrastructure that is used to host all servers, such as File Transfer Protocol (FTP), Microsoft Internet Information Systems servers among others. The server configuration is also tested. IIS

  • Information gathering: This is part of the cyber kill chain. But it can be performed as an activity on its own at a later stage in the larger penetration testing process.Lockheed Martin Cyber Kill Chain

Guidelines and Standards for Penetration Testing

When performing a web application penetration test, you should be guided by the Open Web Application Security Project (OWASP) OWASP, and the Penetration Testing Execution Standard (PTES) PTES. OWASP provide a Web Security Testing Guide and a Checklist for web application penetration testing. The Web Security Testing Guide is an excellent document that is comprehensive and it lays out a high level strategy for web application security that begins with secure design and references the Software Development Lifecyle (SDLC) heavily. It also goes in depth into the entire penetration testing process, and includes tools, testing methodologies, and much more to assist you with your web application penetration test. Using the Web Security Testing Guide and the Web Security Testing Checklist together will provide you with a roadmap and easy to follow plan for your penetration test. The Web Security Testing Guide is available here: OWASP WSTG and the web security Checklist is available here:OWASP Checklist.OWASP also publish a list of their top ten Web Application vulnerabilites which is updated anually, make sure you test for all of these, but if you follow the Web Security Testing Guide you will cover the top ten and much more. As for the Penetration Testing Execution Standard, they provide a high level red-team-infrastructure-repo-overview of what is to be covered in a penetration test, and they separate the penetration testing process into seven sections:

  • Pre-engagement Interactions

  • Intelligence Gathering

  • Threat Modeling

  • Vulnerability Analysis

  • Exploitation

  • Post Exploitation

  • Reporting

The PTES will give you all the information required to professionally set up your penetration testing process according to best practices, and if you use the OWASP materials and the PTES to guide you, you will be well positioned to perform a thorough and professional penetration test.

Share with your network

Grant Knoetze

IT Support Specialist Cybersecurity Analyst Software Developer

Lockheed Martin Cyber Kill Chain

Useful Code for Red Teaming

This is code that I wrote to help me with red teaming, and includes a step by step how-to on developing a fully undetectable trojan. Disclaimer - Nothing on this page is intended for malicious purposes, anything that you do with any code is your own responsibility, never engage a target without written permission in the form of a signed contract.