Note from the Editor: This blog is the 7th installment of an 8-part blog series entitled, The Complete Web Application Penetration Test Guide. To read the series from the beginning, please go to the blog, What is a Web Application Penetration Test?
When it comes to web application penetration testing (including mobile applications and APIs), one of the most frequent questions we get is about what methodology we use. It’s natural for people to wonder how we’re going to go about testing their assets, and somewhat surprisingly, it can be hard to get this kind of information from your pen testers, as sometimes, they’ll point you to a broad standard saying that they use that.
We believe it’s important for you to understand the flow and stages of a typical test. While our testing methodology pulls some of the most important aspects from each of the industry-accepted standards listed below, we also believe it’s important to customize this process and put it in terms our clients and partners will understand.
As a rule, our application-level penetration testing consists of both unauthenticated and authenticated testing using both automated and manual methods with particular emphasis placed on identifying vulnerabilities associated with the OWASP Top 10 Most Critical Application Vulnerabilities.
It is important to note that a penetration test is not just an automated vulnerability scan, and a large portion of web application penetration testing is a manual process with a skilled engineer attempting to identify, exploit, and evaluate the associate risk of security issues.
Standards Used in Web Application Penetration Testing
Sample of Tools Used
Some of the primary tools used during web application penetration testing include:
-
- Burp Suite Pro
-
- Dirbuster/Dirb/Gobuster
-
- Nikto
-
- Sqlmap
-
- B33F
-
- Nessus
-
- Recon-ng
-
- Metasploit Framework
-
- Searchsploit
Web Application Penetration Testing Process
The overall web application penetration testing process can be broken down into 3 primary stages, each of which has several sub-stages.
1. Planning
Gather Scoping Information
After initiating the project, scoping/target information will be collected from the client. In the case of web application penetration testing, this information will include any applicable IP addresses and URLs, authentication credentials (2 sets of credentials for each role being tested), and a list of any sensitive or restricted portions of the application that shouldn’t be scanned or exploited.
Review Rules of Engagement
This process will involve a brief meeting with the client to review and acknowledge the penetration testing rules of engagement, confirm project scope and testing timeline, identify specific testing objectives, document any testing limitations or restrictions, and answer any questions related to the project.
2. Execution
Intelligence Gathering
Once the test has officially begun, a start notification is sent to the client informing them of the activity’s commencement. The first phase involves open-source intelligence gathering, which includes a review of publicly available information and resources.
The goal of this phase is to identify any sensitive information that may help during the following phases of testing, which could include email addresses, usernames, software information, user manuals, forum posts, etc.
Tools may include: Recon-ng, Maltego, Google Hacking, Wayback Machine
Threat Modeling
For this assessment, the threat modeling phase serves to evaluate the types of threats that may affect the targets in scope. The types of attacks and likelihood of these threats materializing serve to inform risk rankings/priorities that are assigned to vulnerabilities throughout the assessment.
The perspective of the testing (external, internal, authenticated, unauthenticated, etc.) is also identified to ensure the validity of vulnerabilities discovered. This phase of the assessment also includes manual discovery and crawling of the application, determining business functionality from both an authenticated and unauthenticated perspective.
The use of an application proxy to evaluate packet-level traffic and response headers is also used.
Tools may include: Burp Suite Pro, Cookies Manager+, NoRedirect
Vulnerability Analysis
The vulnerability analysis phase encompasses the discovery and enumeration of all in-scope targets/applications at both the network layer and the application layer. At the network layer, we evaluate the attack surface of all in-scope assets using port scans, banner analysis, and vulnerability scans.
At the application layer, we run automated vulnerability scans, starting from the unauthenticated perspective and then moving to each of the in-scope, authenticated roles. After that, we perform manual identification of vulnerabilities involving form submission and application input points, looking for issues such as injection attacks (SQL, command, XPath, LDAP, XXE, XSS), error analysis, file uploads, etc.
Finally, we attempt directory brute-forcing and vulnerability identification based on disclosed software versions.
Tools may include: Burp Suite Pro, Nessus, Dirbuster/Dirb, Nikto, Searchsploit
Exploitation
This phase involves taking all potential vulnerabilities identified in the previous phases of the assessment and attempting to exploit them as an attacker would. This helps to evaluate the realistic risk level associated with the successful exploitation of the vulnerability, analyze the possibility of exploit/attack chains, and account for any mitigating controls that may be in place.
Additionally, we identify any false positives during this activity. We exploit automatically identified vulnerabilities and evaluate issues requiring manual identification and exploitation. This will include business logic flaws, authentication/authorization bypasses, direct object references, parameter tampering, and session management.
Tools may include: Burp Suite Pro, Metasploit Framework, sqlmap, B33F
Post Exploitation
After successful exploitation, analysis continues to include infrastructure analysis, pivoting, sensitive data identification, exfiltration, and identification of high-value targets/data. We use the information collected in the prioritization and criticality ranking of identified vulnerabilities.
Tools may include: Burp Suite Pro, Metasploit Framework
3. Post-Execution
Reporting
After completing the active potion of the assessment, we formally document the findings. The output provided generally includes an executive-level report and a technical findings report.
The executive-level report is written for management consumption and includes a high-level overview of assessment activities, scope, most critical/thematic issues discovered, overall risk scoring, organizational security strengths, and applicable screenshots. The technical findings report, on the other hand, includes all vulnerabilities listed individually, with details as to how to recreate the issue, understand the risk, recommended remediation actions, and helpful reference links.
Quality Assurance
All assessments go through a rigorous technical and editorial quality assurance phase. This may also include follow-ups with the client to confirm or deny environment details, as appropriate.
Presentation
The final activity in any assessment will be a presentation of all documentation to the client. We walk clients through the information provided, make any updates needed, and address questions regarding the assessment output.
Following this activity, we provide new revisions of documentation and schedule any formal retesting, if applicable.
We put a lot of thought and organization into planning our approach to web app penetration testing. This level of rigor ensures we perform a thorough assessment consistently and cover as much ground as possible.
If you’ve still got questions or would like to schedule a scoping call, contact us today!
About the Author:
JR Johnson is the Director of Penetration Testing at SIG. He holds a BS in Computer Science Engineering from the University of Florida and a MS in Information Assurance and Cybersecurity from the Florida Institute of Technology. JR is an avid collector of security-related certifications, including OSCP, OSWE, GWAPT, CISSP, C|EH, CISA, and PCI QSA. You can find him on Twitter @InfoSecJR.
