Web Application Penetration Testing
Test your web applications for security vulnerabilities with a comprehensive security pen test
Examine the overall security and potential risks of web applications, including coding errors, broken authentication or authorization, and injection vulnerabilities. Cyber Legion’s web application penetration testing service leverages the Open Web Application Security Project (OWASP) Application Security Verification Standard (ASVS) and the OWASP Testing Guide. Together, these create a comprehensive framework for assessing the security of web-based applications, and form the foundation for our web application assessment methodology. On top of OWASP Top 10 vulnerabilities, we also test the security of specific business logic associated with the web application such as weaknesses in data validation or integrity checks — flaws that can only be discovered through manual testing, not automated vulnerability scanning.
Web application penetration testing, also known simply as penetration testing or a pentest, is the best method of discovering flaws in web applications and the leading form of web application security testing.
There are various tools for web application pentesting, but the pentest itself is performed through simulated internal and external attacks. By showing how sensitive data could be reached, these attacks help development teams understand their system's vulnerabilities and raise the team's awareness of these issues.
Pentests help the end user identify security weaknesses in all components of a web application, including the database, back-end network, and source code. Using this information, developers can prioritize the highlighted threats and implement strategies to mitigate them and improve the application.
As many web applications store or send out sensitive data, the apps must be secure at all times, especially those used by the public.
Web application pentesting works as a preventative control measure, allowing you to analyze every aspect of your web application’s security.
Experts follow a web application pentesting best practices checklist, with the overall goals of:
- Test the effectiveness of existing security policies
- Identify unknown vulnerabilities
- Determine the most vulnerable areas for an attack
- Test all publicly exposed application components (routers, firewalls, and DNS)
- Find any loopholes that could be exposed to data theft
Types of Web Pentesting
- Black box: No prior access is given during a web pentest unless explicitly outlined in the scope.
- White box: Specific access is given, such as credentials to log in to the application in scope.
- Grey box: No access is given to start, but some access is given after certain tests are performed.
Vulnerability Scans and Pen Tests
Vulnerability scanners are automated tools that examine an environment and, upon completion, produce a report of the vulnerabilities uncovered. These scanners often list vulnerabilities using CVE identifiers that provide information on known weaknesses. A scanner can uncover thousands of vulnerabilities, so there may be enough severe findings that further prioritization is needed. Additionally, the severity scores attached to these findings do not account for the circumstances of each individual IT environment. This is where penetration tests come in.
While vulnerability scans provide a valuable picture of which potential security weaknesses are present, penetration tests add context by showing whether those vulnerabilities could actually be leveraged to gain access within your environment. Pen tests can also help prioritize remediation plans based on what poses the most risk.
Application Pentesting Phases
Following web application pentesting best practices, there are five phases involved in the web application pentesting process:
The Reconnaissance Phase
Reconnaissance involves gathering information about your target so that you can plan your attack. This process can be completed actively by interacting directly with the target or passively using intermediaries. Techniques like social engineering and dumpster diving are popular during the reconnaissance phase.
The Scanning Phase
Scanning is a more intensive form of intelligence gathering. This process uses technical tools to discover openings in the target's listening ports, internet gateways, and systems. Producing a vulnerability assessment report is common practice during this phase.
The Exploitation Phase
During this phase, the information discovered in phases one and two is used to infiltrate any target applications and devices. Taking control of these areas allows hackers to access and extract data.
Another important step of the pentesting process is communication between testers and business operators. This makes the testing process more efficient. It also benefits customers, whose engineering teams can talk directly with testers to understand the discovered vulnerabilities and remediate them properly.
Reporting & Remediation
Once a target machine or application has been infiltrated successfully, testers report back to the customer's engineering teams to relay the vulnerabilities found. This kicks off the remediation process, allowing the engineers to fix these vulnerabilities.
Retesting & Repeat
Lastly, customers using pentesting services should consider retesting their assets after remediation is complete. This ensures that all the different paths to a vulnerability have been properly secured. While not all PTaaS platforms offer complimentary retesting, at Cyber Legion this value-add is included with our PTaaS platform.
OWASP Top 10 – 2021
- A01:2021-Broken Access Control moves up from the fifth position to the category with the most serious web application security risk; the contributed data indicates that on average, 3.81% of applications tested had one or more Common Weakness Enumerations (CWEs) with more than 318k occurrences of CWEs in this risk category. The 34 CWEs mapped to Broken Access Control had more occurrences in applications than any other category.
- A02:2021-Cryptographic Failures shifts up one position to #2. It was previously known as A3:2017-Sensitive Data Exposure, which was a broad symptom rather than a root cause. The renewed name focuses on failures related to cryptography, as the category implicitly did before. This category often leads to sensitive data exposure or system compromise.
- A03:2021-Injection slides down to the third position. 94% of the applications were tested for some form of injection with a max incidence rate of 19%, an average incidence rate of 3.37%, and the 33 CWEs mapped into this category have the second most occurrences in applications with 274k occurrences. Cross-site Scripting is now part of this category in this edition.
- A04:2021-Insecure Design is a new category for 2021, with a focus on risks related to design flaws. If we genuinely want to “move left” as an industry, we need more threat modeling, secure design patterns and principles, and reference architectures. An insecure design cannot be fixed by a perfect implementation as by definition, needed security controls were never created to defend against specific attacks.
- A05:2021-Security Misconfiguration moves up from #6 in the previous edition; 90% of applications were tested for some form of misconfiguration, with an average incidence rate of 4.5%, and over 208k occurrences of CWEs mapped to this risk category. With more shifts into highly configurable software, it’s not surprising to see this category move up. The former category for A4:2017-XML External Entities (XXE) is now part of this risk category.
- A06:2021-Vulnerable and Outdated Components was previously titled Using Components with Known Vulnerabilities and is #2 in the Top 10 community survey, but also had enough data to make the Top 10 via data analysis. This category moves up from #9 in 2017 and is a known issue that we struggle to test and assess risk for. It is the only category not to have any Common Vulnerabilities and Exposures (CVEs) mapped to the included CWEs, so default exploit and impact weights of 5.0 are factored into its scores.
- A07:2021-Identification and Authentication Failures was previously Broken Authentication and is sliding down from the second position, and now includes CWEs that are more related to identification failures. This category is still an integral part of the Top 10, but the increased availability of standardized frameworks seems to be helping.
- A08:2021-Software and Data Integrity Failures is a new category for 2021, focusing on assumptions made about software updates, critical data, and CI/CD pipelines without verifying integrity. It has one of the highest weighted impacts from Common Vulnerabilities and Exposures/Common Vulnerability Scoring System (CVE/CVSS) data mapped to the 10 CWEs in this category. A8:2017-Insecure Deserialization is now a part of this larger category.
- A09:2021-Security Logging and Monitoring Failures was previously A10:2017-Insufficient Logging & Monitoring and is added from the Top 10 community survey (#3), moving up from #10 previously. This category is expanded to include more types of failures, is challenging to test for, and isn’t well represented in the CVE/CVSS data. However, failures in this category can directly impact visibility, incident alerting, and forensics.
- A10:2021-Server-Side Request Forgery is added from the Top 10 community survey (#1). The data shows a relatively low incidence rate with above-average testing coverage, along with above-average ratings for Exploit and Impact potential. This category represents the scenario where security community members are telling us this is important, even though it's not illustrated in the data at this time.
How can we Help?
Cyber Legion provides a continuous cycle of penetration testing combined with remediation via a Secure Client Portal, to protect and enhance your assets and help improve your organization's security posture.
We have deep expertise in application security, mobile apps, API security, IoT, and network pen testing. We work specifically to help improve the security of our clients and offer comprehensive security testing that highlights issues in a detailed and intelligible manner.
Our testing methodologies are based on well-known security frameworks and are specifically designed to remove the risk of inconvenience during the testing process and keep you up to date as the test progresses. We work directly with our clients to ensure the best possible outcome of every engagement.
Application penetration testing (also known as pen testing) is an authorized security test of an application to identify vulnerabilities that may be present and could be exploited.
Web application pen testing attempts to uncover security vulnerabilities stemming from insecure development practices in the design, coding, and publishing of web applications or a website.
Penetration tests (or pen tests) are attacks on your company's software and hardware systems, carried out by 'ethical hackers' to expose your system's vulnerabilities. One example is a web application pen test. Web apps, browsers, and plug-ins can house sensitive financial or personal data, so hackers are increasingly putting their efforts towards gaining access to them. The test examines the endpoints of every web application.
The time that penetration testing takes depends on the size and complexity of your organization’s system structure, as well as the scope of the test itself. For the ‘average’ company, a network penetration test should take around three days. For a merchant processing millions of credit cards a year, for example, a pen test will take over a week, or possibly two.
The penetration testing cost depends on the facts identified during scoping, such as the agreed time, goals, technical resources, approach, and remedial support.
Going through the results of pen tests provides a great opportunity to discuss plans going forward and revisit your security posture overall. Seeing pen tests as a hoop to jump through and simply checking it off a list as “done” won’t improve your security stance. It’s important to plan time for a post-mortem to disseminate, discuss, and fully understand the findings. Additionally, relaying these results with actionable insights to decision makers within the organization will better emphasize the risk that these vulnerabilities pose, and the positive impact that remediation will have on the business. With review, evaluation, and leadership buy-in, pen test results can transform into action items for immediate improvements and takeaways that will help shape larger security strategies.
Your application and data will be safe. We would prefer to test using test accounts that can be destroyed after we’ve finished testing.
For white-box penetration testing assessments, we recommend that all user levels are tested, depending on the size of the user base and the potential damage that could be caused.
We can test on your production environment for a realistic assessment or test on your staging environment to remove the potential for any disruption. Vulnerabilities discovered in staging can then be retested on the production application.
This depends on the environment that we're testing. If we are testing an application in production, there could be a risk to the data, but we do not aim to affect any live information.
The OWASP Security Knowledge Framework is an open source web application that explains secure coding principles in multiple programming languages. The goal of OWASP-SKF is to help you learn and integrate security by design in your software development and build applications that are secure by design.
Our penetration tests will help you:
- Gain real-world insight into your vulnerabilities;
- Keep untrusted data separate from commands and queries;
- Develop strong authentication and session management controls;
- Improve access control;
- Discover the most vulnerable route through which an attack can be made; and
- Find any loopholes that could lead to the theft of sensitive data.