The Importance of Performing a Web Application Penetration Test
Web application attacks have ranked among the top three threats to small-to-mid-sized businesses (SMBs) two years in a row, according to Verizon’s Data Breach Investigations Report (DBIR). Web applications are programs that run on a remote server and are delivered to users through a web browser. Many industries, including healthcare, financial services, insurance, and manufacturing, rely on them daily.
Unfortunately, web apps often store sensitive information, including personally identifiable information (PII), protected health information (PHI), and payment card data. Because they are reachable from the internet, they are a frequent target for cybercriminals.
As such, organizations must prioritize penetration testing. It helps ensure that the product they provide to their customers is secure. Left untested, an application and its users are exposed to outcomes such as:
- Extended downtime due to denial of service (DoS) attacks;
- Data theft or deletion through SQL injection attacks;
- Theft of customer payment card or other data through malware; or
- Compromise of end users’ computers through cross-site scripting (XSS).
Web Application Penetration Testing 101
Organizations often engage a trusted third-party advisor to act as an “ethical hacker” and perform web application penetration testing, simulating how a real-world attacker would try to compromise the organization’s application.
At the conclusion of the project, the organization receives a detailed pen test report. The report explains whether the system was successfully compromised and how. It also lists the vulnerabilities identified and provides a comprehensive set of recommended remediation steps.
Credentialed vs. Non-Credentialed Testing
Non-Credentialed Web App Penetration Testing
In a non-credentialed test, the tester starts with no valid account, as an external attacker would, and may try to obtain access by attempting to:
- Match multiple passwords with a single username (a brute-force attack);
- Match multiple usernames with one password, known as password spraying;
- Use multiple passwords and usernames in various combinations; or
- Crack password hashes in an offline attack.
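The reason password spraying exists is that most applications lock an account after a handful of wrong passwords, which defeats a brute-force attack on one username but not one password tried across every username, paced one round per lockout window. The following example is added here to show that difference in working code; it is not from the original article. The LoginService, its lockout policy, the user list and the spray list are all constructed for illustration and model a real login endpoint only loosely (no IP-based throttling, no time-based reset beyond the lockout window).

```python
"""Added example (not from the original article): why password spraying
evades an account-lockout policy that a single-account brute-force attack
trips. The LoginService, its lockout parameters, the users and the password
list are all constructed here for illustration."""
from collections import defaultdict


class LoginService:
    """Toy login endpoint with a per-account lockout: an account that has
    accumulated `max_failures` wrong passwords inside the last `window`
    seconds rejects every attempt, including the correct password."""

    def __init__(self, credentials, max_failures=3, window=1800):
        self.credentials = credentials        # username -> correct password
        self.max_failures = max_failures
        self.window = window
        self.failures = defaultdict(list)     # username -> failure timestamps

    def login(self, username, password, now):
        if username not in self.credentials:
            return "invalid"
        recent = [t for t in self.failures[username] if now - t < self.window]
        if len(recent) >= self.max_failures:
            return "locked"
        if self.credentials[username] == password:
            return "ok"
        self.failures[username].append(now)
        return "invalid"


def brute_force(service, username, passwords):
    """Every password against one account, one attempt per second.
    Returns (password_found, number_of_attempts_rejected_as_locked)."""
    locked_hits = 0
    for t, pw in enumerate(passwords):
        result = service.login(username, pw, now=t)
        if result == "ok":
            return pw, locked_hits
        if result == "locked":
            locked_hits += 1
    return None, locked_hits


def password_spray(service, usernames, passwords):
    """One password against every account per round, pausing a full lockout
    window between rounds so no account ever has more than one recent failure.
    Returns (found_credentials, number_of_attempts_rejected_as_locked)."""
    found, locked_hits = {}, 0
    for round_no, pw in enumerate(passwords):
        now = round_no * service.window              # wait out the window
        for user in usernames:
            if user in found:
                continue
            result = service.login(user, pw, now=now)
            if result == "ok":
                found[user] = pw
            elif result == "locked":
                locked_hits += 1
    return found, locked_hits


# Constructed sample tenant and a short seasonal-password spray list.
CREDS = {
    "alice": "Xk9#pq2!vL",
    "bob": "Autumn2023!",
    "carol": "rT7&zz8Q",
    "dave": "Spring2024!",
}
SPRAY_LIST = ["Password1", "Welcome1", "Summer2023!",
              "Autumn2023!", "Winter2023!", "Spring2024!"]


def compare(max_failures=3, window=1800):
    """Run both strategies against fresh service instances with the same policy."""
    bf_pw, bf_locked = brute_force(
        LoginService(CREDS, max_failures, window), "bob", SPRAY_LIST)
    sp_found, sp_locked = password_spray(
        LoginService(CREDS, max_failures, window), list(CREDS), SPRAY_LIST)
    return {
        "brute_force_found": bf_pw,
        "brute_force_locked_responses": bf_locked,
        "spray_found": sp_found,
        "spray_locked_responses": sp_locked,
    }


if __name__ == "__main__":
    print(compare())
```

With three failures allowed per thirty minutes, the brute-force run locks "bob" on its third guess and never reaches the correct fourth password, while the spray recovers two accounts without triggering a single lockout. This is also why a tester should note the lockout policy during reconnaissance, and why defenders need detection keyed on failures per source rather than per account.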
Credentialed Web App Penetration Testing
With stolen credentials, an attacker can carry out credential stuffing: automated login requests that replay leaked username and password pairs against hundreds of web applications. If a user has reused the same username and password across multiple sites (password reuse), the attacker gains an easy way into the app from which to launch further attacks.
Reconnaissance
Before any attack traffic is sent, the tester gathers information about the target, such as:
- All subdomains
- The presence of firewalls or web application firewalls (WAFs)
- Frameworks and programming languages
- Content management systems
- Plugins
- Themes
This collection leads to a more informed, and therefore more thorough, penetration test. With this information available, cybersecurity engineers can develop a customized attack plan.
Manual Crawl and Spidering
Manually crawling the application means clicking through every page and function the tester can reach. Spidering, by contrast, is automated and may discover links the tester never clicked. For the best results, both should be done while logged into the app, since unauthenticated crawling misses everything behind the login. Even so, both the engineer and the testing tools are limited to pages the site links to directly; forced browsing is required to expand the discovery of site content beyond them.
Forced Browsing
Forced browsing requests files and directories by name from a wordlist of common paths rather than by following links, so it can surface content the site never links to. These lists can be extensive and, depending on their size, can significantly increase the time needed for web application penetration testing. The benefit, however, is a far more thorough test and more meaningful results.
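The two sections above, spidering and forced browsing, describe complementary discovery methods. The example below is added here (it is not code from the original article) to make the gap between them concrete: a link-following spider can only ever find what some page links to, and a wordlist request finds the rest. The target site, its page contents, the wordlist and the `fetch()` stand-in for an HTTP client are all constructed so the code runs offline; the site deliberately answers unknown paths with a "soft 404" (status 200 and a fixed "not found" body), because that is the behaviour that most often makes naive forced browsing report everything as present.

```python
"""Added example (not from the original article): spidering finds only linked
content, forced browsing finds the rest. The site map, wordlist and fetch()
are constructed stand-ins for a real target and HTTP client."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed target: path -> (status, html). /admin/ and /backup.zip exist but
# no page links to them, so a crawler can never reach them.
SITE = {
    "/": (200, '<a href="/about">About</a> <a href="/login">Login</a>'),
    "/about": (200, '<a href="/">Home</a> <a href="team.html">Team</a>'),
    "/login": (200, '<form action="/login" method="post"></form>'),
    "/team.html": (200, "<p>no links here</p>"),
    "/admin/": (200, "<p>admin console</p>"),
    "/backup.zip": (200, "PK\x03\x04..."),
}
# Soft 404: the server answers unknown paths with 200 and a fixed body.
NOT_FOUND = (200, "<h1>Page not found</h1>")


def fetch(path):
    """Stand-in for an HTTP GET. Returns (status, body)."""
    return SITE.get(path, NOT_FOUND)


class LinkExtractor(HTMLParser):
    """Collects href values from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def spider(start="/"):
    """Breadth-first crawl that follows <a href> links on the same host and
    returns every path reached. Anything unlinked is invisible to it."""
    seen, queue = set(), [start]
    while queue:
        path = queue.pop(0)
        if path in seen:
            continue
        seen.add(path)
        status, body = fetch(path)
        if status != 200:
            continue
        parser = LinkExtractor()
        parser.feed(body)
        for href in parser.links:
            target = urlparse(urljoin(path, href)).path   # resolve relative hrefs
            if target not in seen:
                queue.append(target)
    return seen


# Constructed wordlist; real lists run to tens of thousands of entries.
WORDLIST = ["admin/", "backup.zip", "config.php", ".git/HEAD", "robots.txt"]


def force_browse(wordlist=WORDLIST, base="/"):
    """Request each wordlist entry directly. First calibrate what 'not found'
    looks like by asking for a path that cannot exist, so a soft 404 is not
    mistaken for a hit; then keep every response that differs from it."""
    baseline = fetch(base + "definitely-not-here-8f3a1c")
    found = set()
    for word in wordlist:
        path = base + word
        response = fetch(path)
        if response[0] == 404 or response == baseline:
            continue
        found.add(path)
    return found


def coverage():
    """Returns (paths the spider found, paths only forced browsing found)."""
    crawled = spider()
    forced = force_browse()
    return crawled, forced - crawled


if __name__ == "__main__":
    crawled, extra = coverage()
    print("spider:", sorted(crawled))
    print("forced browsing only:", sorted(extra))
```

On this constructed site the spider stops at four pages while forced browsing adds the unlinked admin console and backup archive. The calibration step matters in practice: without it, a site that returns 200 for unknown paths makes every wordlist entry look like a hit, and a tester would have to filter on response length or content instead.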
Passive Scanning
While spidering and forced browsing are under way, the requests and responses passing through the testing proxy are inspected for potential vulnerabilities, and the results are returned as alerts. Passive scanning sends no additional requests of its own, so typically nothing is required of the tester to activate it. A good web application penetration test may supplement it with additional scripts, extensions, and add-ons.
Active Scanning
Active scanning sends crafted requests to the application to probe for vulnerabilities such as:
- SQL injection;
- Cross-site scripting (XSS);
- Insufficient logging and monitoring; and
- Others.
Attack vectors that have become prevalent more recently include XSS through file uploads, where an uploaded file is later rendered in a victim’s browser, and Insecure Direct Object Reference (IDOR), where an attacker changes an identifier in a request to reach records belonging to another user. The popularity of attacks changes over time, so staying informed on the latest threats is essential to a thorough web application penetration test.
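IDOR is worth a concrete illustration because scanners rarely catch it: the requests look perfectly legitimate and the flaw is a missing authorization check, not a malformed input. The example below is added here and is not from the original article. It shows a vulnerable invoice-download handler, the corrected version, and the probe a tester runs after logging in as one user. The data store, the `session_user_id` principal and the handler names are all constructed for illustration; a real handler would read the principal from the server-side session, never from the request.

```python
"""Added example (not from the original article): an Insecure Direct Object
Reference in an invoice-download handler, the authorization check that fixes
it, and the probe a tester uses to find it. The data store, principal model
and handler names are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    body: str


# Constructed sample data: two customers, one invoice each, sequential ids.
INVOICES = {
    1001: Invoice(1001, owner_id=7, body="Invoice 1001 for customer 7"),
    1002: Invoice(1002, owner_id=8, body="Invoice 1002 for customer 8"),
}


class NotFound(Exception):
    pass


def get_invoice_vulnerable(session_user_id, invoice_id):
    """Authenticated but not authorized: the caller must be logged in
    (session_user_id is set), yet nothing ties the requested invoice to that
    user. Changing ?id=1001 to ?id=1002 returns another customer's data."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise NotFound(invoice_id)
    return inv.body


def get_invoice_fixed(session_user_id, invoice_id):
    """Fixed: the object is authorized against the principal taken from the
    session, not from any client-supplied field. 'Not yours' and 'does not
    exist' share one response so valid ids cannot be enumerated."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner_id != session_user_id:
        raise NotFound(invoice_id)
    return inv.body


def idor_probe(handler, session_user_id, candidate_ids):
    """Tester's view: log in as one user, then walk neighbouring identifiers
    and record every id that returned an object the user does not own. In a
    real test the tester recognises foreign data by its content; here the
    constructed INVOICES table stands in for that judgement."""
    leaked = []
    for cid in candidate_ids:
        try:
            handler(session_user_id, cid)
        except NotFound:
            continue
        if INVOICES[cid].owner_id != session_user_id:
            leaked.append(cid)
    return leaked


if __name__ == "__main__":
    print("vulnerable leaks:", idor_probe(get_invoice_vulnerable, 7, range(1000, 1010)))
    print("fixed leaks:", idor_probe(get_invoice_fixed, 7, range(1000, 1010)))
```

Replacing sequential ids with random ones only slows the probe down; the fix is the ownership check in the fixed handler, applied on every object access.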
False Positives and Validation
Vulnerability scans can also miss important findings, because a scanner evaluates each request in isolation and does not account for an attacker manipulating the application step by step. In particular, scans cannot identify how vulnerabilities work together, known as vulnerability chaining: two low-priority findings that might each be overlooked could be combined into a critical one.
Without the understanding needed to validate the results, the picture a scan gives is incomplete.
The Human Element
Other effects may be less obvious. For example, a buffer overflow or other memory-corruption exploit may simply crash the target, resulting in a denial of service. A pen tester who launches such an exploit without knowing that a crash is a possible outcome, or without confirming it first, has effectively launched a DoS attack against the application; from the customer’s perspective the result is the same.
Web Application Security in the Cloud
The hosting provider manages the security of the cloud infrastructure itself. The customer remains responsible for the security of what runs in it: the web application, its configuration, and the sensitive data it holds. Organizations therefore cannot afford a false sense of security simply because they use a popular cloud computing platform. Understanding exactly what your security responsibilities are is crucial.
Next Steps
If you have a question regarding web application penetration testing, or would like to secure your web application against cybersecurity threats, reach out to a member of our cybersecurity team at sales@tcdi.com.
Author: Chris Kolezynski
Chris is a Senior Cybersecurity Engineer and a Licensed Attorney in the State of Ohio. He has passed the written and practical Certified Ethical Hacker (CEH) exams and the Certified Penetration Testing Professional (CPENT) exam, and is published in the Journal of Law and Cyberwarfare.