Anatomy of a Penetration Test Part 2: Web Applications
A web application security assessment is a type of penetration test that seeks to find vulnerabilities in a web application (web app for short) and prove their impact by demonstrating exploitation. While an external infrastructure assessment may find vulnerabilities in the infrastructure that supports your web apps, the web app itself will not be covered by that kind of test.
In this blog post you’ll learn why web app security testing is important, how it’s performed, and what to consider when deciding if your organisation needs it.
New web apps are being built and rolled out as fast as web-based technology can be developed, and as new technology emerges, security isn’t always the primary focus. This means web apps are typically developed and released even though they contain vulnerabilities. Perhaps you are already performing static application security testing (SAST) against your app, along with manual code review? You may even have dynamic application security testing (DAST) up and running. But even with these in place, a lack of manual penetration testing from a third party can leave bugs and flaws in your app.
If an attacker (and this could be an individual, an organised group or a malicious insider) finds these flaws before you or your security team, then there’s a risk they’ll be able to exploit them to compromise your app. This need not be a full compromise. Many attacks affecting web applications do “just enough” to steal users’ data. This data could be personally identifiable information (PII), card payment details, or other sensitive information your app stores in a back-end data store.
When data breaches occur, it is often the organisation that is held liable. Mitigating these issues before they can occur protects organisations from legal, financial and reputational damage, and can also protect business continuity by preventing business disruptions.
Web Application Penetration Testing
This is where a web application security assessment comes in, bridging the gap between the security work you’re doing in-house and what real-world attackers can achieve.
Most web application tests follow a set methodology, allowing the tester to cover a wide range of manual and automated testing techniques in a timely manner. One popular methodology is the Open Web Application Security Project (OWASP) Web Security Testing Guide (WSTG). Penetration testers will use this along with other methodologies, and add their own personal testing touches.
OWASP breaks web application testing down into eleven sections:
- Information Gathering
- Configuration and Deployment Management Testing
- Identity Management Testing
- Authentication Testing
- Authorisation Testing
- Session Management Testing
- Input Validation Testing
- Testing for Error Handling
- Testing for Weak Cryptography
- Business Logic Testing
- Client-side Testing
Each section outlines testing procedures and detailed test cases that may be used to assess the application. Each test case specifies the objective, the method to perform the test, and the expected outcomes, allowing testers to systematically identify vulnerabilities.
Beyond the Methodology
An experienced penetration tester will not stop at the methodology, though. If they find something new, or something that simply doesn’t “look right”, the tester will probe for weaknesses. This is where automated tooling, and even artificial intelligence-based testing, falls short. A human tester using manual testing techniques will find vulnerabilities that cannot be found by other methods. Furthermore, they’ll be able to provide context for each finding, giving remedial advice and options for the specific instances of a vulnerability identified.
The Report
After the test is concluded, deliverables are provided, typically in the form of a report. The report will highlight all vulnerabilities discovered during the assessment along with explanations of the impact of successful exploitation by a malicious hacker.
Evidence is included for all relevant vulnerabilities identified, allowing developers and engineers to reproduce issues themselves. Recommendations for remediation are given for each finding.
If a wash-up call is required, then this can be arranged to allow developers and other stakeholders to ask the penetration tester any questions they may have regarding the report.
Optional Re-testing
After remedial work is complete, you may want assurance that the work has been carried out correctly, and that vulnerabilities have been successfully fixed or mitigated. This is where re-testing comes in. Typically, this tests only a subset of vulnerabilities identified during the initial test (such as critical and high-risk findings) and typically lasts 1-2 days.
What We Need from You
The following information is required ahead of time, to ensure a report free from caveats:
- The URL (https://www.example.com) of your app if it is currently deployed.
- A short demonstration of the app over a video call if possible.
- The number of dynamic pages your app contains (for example, a new user registration form, login page, account profile page, product page and shopping cart would be 5 dynamic pages).
- Access to your application, including allow-listing on any web application firewall (WAF) or intrusion detection system (IDS).
- Credentials for the different user roles that will be in-scope for testing.
- Access to key personnel for clarification and information gathering both before and during the assessment.
- Agreement on the start and end dates of the assessment.
- Your signed, written permission to test in the environment determined during scoping. Non-production environments that mirror the live service are preferred.
Why You Need This Type of Assessment
Some factors to consider when deciding if your organisation needs a web application assessment are as follows:
- Have you recently developed and released a new web application?
- Are you planning to release a new app soon?
- Was your last web app test done more than a year ago?
- Is your application handling customer or user data?
- What would happen if your application’s database was leaked on the dark web or public Internet?
- Have you recently added new features to your app?
- Did previous testing identify a large number of vulnerabilities that have been resolved, but without fixes being verified?
If you answered yes to any of the above, a web application assessment is likely a good idea. It’s important to identify vulnerabilities before threat actors do. If a malicious hacker is finding vulnerabilities before you, then it’s already too late.
What Can I Do Now?
- Implement a Secure Software Development Lifecycle (SSDLC), which integrates security into each phase of the software development lifecycle.
- Use well-known security toolkits such as Burp Suite and Nuclei to scan applications for vulnerabilities.
- Keep technologies used by the application up to date.
- Enforce multi-factor authentication, strong password hygiene and the principle of least privilege for connected services.
- Schedule and perform regular penetration tests.
Cyber Security Specialists are committed to helping you protect your business from cyber threats through comprehensive penetration testing services. Whether you need to secure your external-facing assets, internal network, web applications, or cloud infrastructure, our team of experts is here to assist you. Contact us today to learn more about how we can help you enhance your security posture and defend against cyber attacks.