Does an External Penetration Test Include Web Application Testing?

Note from the Editor: This blog is the third installment of an 8-part blog series entitled, “Everything you need to know about an External Penetration Test.” To read the series from the beginning, start at “What is an External Penetration Test?”

We are often asked whether an external penetration test also includes web application testing. Clients want to know if the external penetration test we are performing on their perimeter will also cover the web applications running on the systems in scope. The answer: sort of, but not really. This blog explains that confusing answer.

What is Included in an External Penetration Test?

The goal of an external penetration test is to emulate an attacker trying to break into your organization. During an external penetration test, the engineer enumerates every service listening on the in-scope hosts, looks for vulnerabilities in those services, and attempts to exploit them. When the engineer discovers a listening web service, they will perform the following:

  • Enumerate everything they can about the underlying server: Is it running IIS or Apache? What version? What libraries and plugins are installed? Do any of these have known vulnerabilities? Most of this information comes from response headers, the page source, and artifacts left over from installation (readme files, install scripts, backup archives).
  • Enumerate the application’s pages and directories. This may disclose sensitive information or reveal hidden pages that can be used in later attacks. It is done by spidering the website and brute-forcing directory and file names.
  • For any login pages discovered, attempt to authenticate. This includes trying default passwords where applicable. If that doesn’t work, the engineer looks for known usernames, which may come from open source reconnaissance or from a feature of the site that allows usernames to be enumerated (for example, a login error that says whether the account exists). Using that list of usernames, the engineer attempts to guess passwords. The engineer also tests the login page for injection attacks that may bypass authentication, and any other forms discovered are tested for common vulnerabilities such as SQL injection.
  • If the engineer is unable to gain access or find any vulnerabilities, they move on to the next system in scope. Again, the goal is to emulate an attacker, and just like an attacker, if one door doesn’t open they will try the next.
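As an added illustration of the first two steps (example code written for this post, not tooling from SIG or from the original article), the following Python script fingerprints a web server from a response and then uses what it learned to choose leftover-artifact paths to probe. Everything in it is an assumption: the sample response is constructed, the cookie-name-to-platform table and the artifact paths are a small hand-picked set, and `mock_fetch` stands in for a real HTTP client. On an engagement the response would be captured with curl or an intercepting proxy and `probe` would be given a real request function.

```python
"""Fingerprint a web server from its response and pick artifact paths to probe.

Example code for this post. SAMPLE_RESPONSE, COOKIE_HINTS, the artifact
paths and MOCK_SITE are constructed assumptions, not data from a real host.
"""
import re
from html.parser import HTMLParser
from typing import Callable, Dict, List

# Constructed sample response; not captured from any real host.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    '<html><head><meta name="generator" content="WordPress 5.2.4">'
    '<script src="/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=5.1.4"></script>'
    "</head><body>Hello</body></html>"
)

# Session cookie names that give away the server-side platform (assumed small table).
COOKIE_HINTS = {"PHPSESSID": "PHP", "ASP.NET_SessionId": "ASP.NET", "JSESSIONID": "Java"}

# WordPress plugin scripts carry the plugin slug in the path and its version in ?ver=.
WP_PLUGIN_RE = re.compile(r"/wp-content/plugins/([^/]+)/.*?\?ver=([\w.]+)")


class _SourceParser(HTMLParser):
    """Collect the <meta name=generator> value and every <script src=...>."""

    def __init__(self) -> None:
        super().__init__()
        self.generator = None
        self.scripts: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content")
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])


def fingerprint(raw_response: str) -> dict:
    """Pull server, framework, CMS, plugin and session-cookie hints out of one response."""
    head, _, body = raw_response.partition("\r\n\r\n")
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())

    cookie_hints = sorted({
        platform
        for cookie in headers.get("set-cookie", [])
        for name, platform in COOKIE_HINTS.items()
        if cookie.startswith(name + "=")
    })

    parser = _SourceParser()
    parser.feed(body)
    plugins = {}
    for src in parser.scripts:
        m = WP_PLUGIN_RE.search(src)
        if m:
            plugins[m.group(1)] = m.group(2)

    return {
        "server": headers.get("server", [None])[0],
        "powered_by": headers.get("x-powered-by", [None])[0],
        "generator": parser.generator,
        "plugins": plugins,
        "cookie_hints": cookie_hints,
    }


def candidate_artifacts(fp: dict) -> List[str]:
    """Leftover-installation paths worth probing, chosen from what the fingerprint revealed."""
    paths = ["/.git/HEAD", "/robots.txt", "/backup.zip"]
    if "PHP" in fp["cookie_hints"] or (fp["powered_by"] or "").startswith("PHP"):
        paths += ["/phpinfo.php", "/info.php"]
    if (fp["generator"] or "").startswith("WordPress"):
        paths += ["/readme.html", "/wp-admin/install.php", "/xmlrpc.php"]
    return paths


def probe(fetch: Callable[[str], int], paths: List[str]) -> Dict[str, int]:
    """Return the paths that answered with anything other than 404, with their status codes."""
    found = {}
    for path in paths:
        status = fetch(path)
        if status != 404:
            found[path] = status
    return found


# Constructed stand-in for an HTTP client: maps a path to the status the mock site returns.
MOCK_SITE = {"/": 200, "/readme.html": 200, "/xmlrpc.php": 405, "/.git/HEAD": 403}


def mock_fetch(path: str) -> int:
    return MOCK_SITE.get(path, 404)


if __name__ == "__main__":
    fp = fingerprint(SAMPLE_RESPONSE)
    print(fp)
    print(probe(mock_fetch, candidate_artifacts(fp)))
```

A 403 on `/.git/HEAD` is as interesting as a 200: it tells you the directory exists and only the web server's access rule stands between you and the repository, which is exactly the kind of leftover artifact the first bullet is about.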

What is Not Included in an External Penetration Test?

In the four steps listed above, there is a lot of overlap with application testing. One might think that an external penetration test includes web application testing. If you think that, you are technically right: it does include application-layer testing. However, it is not the same thing as a web application penetration test. Here are several things that a web application penetration test includes that are not covered in an external penetration test.

Authenticated Testing 

An external penetration test will only test the externally visible portions of your web application. The engineer will enumerate what they can from the unauthenticated portion of the site and attempt to break in, but unless they succeed, the inside of the web application is never examined. Even if they do break in, the engineer at that point is interested in elevating their privileges and gaining access to the underlying server, not in evaluating the application. In contrast, during the kickoff for a web application penetration test, we ask for valid credentials so we can test the inside of the application. A web application penetration test evaluates the unauthenticated AND authenticated portions of the application.

Roles 

Further, an external penetration test will not test the various roles of the application. An easy way to explain this is to imagine a school with a web application where teachers enter grades. During a web application penetration test, we will see if a student can change their own grade. We will see if a teacher can see and modify the grades of another teacher’s course. We will see if a student can become an administrator and create a new teacher account. A web application penetration test evaluates every role of an application and tries to circumvent the access controls in place, both vertically (a lower role doing a higher role’s job) and horizontally (one user reaching another user’s data).
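As an added illustration of role testing (example code for this post, not from the original article or from any real school system), the following Python models the grade-book above as a tiny in-memory application with two authorization policies, then runs the same matrix of requests against each. `VulnerableGradebook` only checks that the caller is logged in; `HardenedGradebook` checks the caller’s role and, for edits and views, that a teacher owns the course. The users, courses and test cases are constructed assumptions. On a real engagement the matrix is the same idea, but each case is an HTTP request replayed with a different role’s session cookie.

```python
"""Role / access-control test matrix for a constructed grade-book application.

Example code for this post. USERS, the courses and MATRIX are assumptions
made up for the illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


class Forbidden(Exception):
    """Raised when the application's policy denies a request."""


@dataclass
class Course:
    teacher: str               # the owning teacher
    grades: Dict[str, str]     # student -> grade


# Constructed sample users and courses.
USERS = {"alice": "student", "ms.lee": "teacher", "mr.ray": "teacher", "root": "admin"}


def fresh_courses() -> Dict[str, Course]:
    return {"math": Course("ms.lee", {"alice": "B"}),
            "art": Course("mr.ray", {"alice": "A"})}


class Gradebook:
    """Minimal grade-book 'application'. Subclasses decide how requests are authorized."""

    def __init__(self) -> None:
        self.courses = fresh_courses()
        self.users = dict(USERS)

    def authorize(self, actor: str, action: str, course: Optional[str]) -> None:
        raise NotImplementedError

    def view_grades(self, actor: str, course: str) -> Dict[str, str]:
        self.authorize(actor, "view", course)
        return dict(self.courses[course].grades)

    def set_grade(self, actor: str, course: str, student: str, grade: str) -> None:
        self.authorize(actor, "edit", course)
        self.courses[course].grades[student] = grade

    def create_teacher(self, actor: str, name: str) -> None:
        self.authorize(actor, "create_teacher", None)
        self.users[name] = "teacher"


class VulnerableGradebook(Gradebook):
    """Checks only that the caller is logged in: any authenticated user may do anything."""

    def authorize(self, actor, action, course):
        if actor not in self.users:
            raise Forbidden("not logged in")


class HardenedGradebook(Gradebook):
    """Role check plus object-level check: a teacher may touch only a course they own."""

    def authorize(self, actor, action, course):
        role = self.users.get(actor)
        if role is None:
            raise Forbidden("not logged in")
        if role == "admin":
            return
        if action == "create_teacher":
            raise Forbidden("admin only")
        owner = self.courses[course].teacher
        if action == "edit" and not (role == "teacher" and owner == actor):
            raise Forbidden("only the owning teacher may edit grades")
        if action == "view":
            if role == "teacher" and owner != actor:
                raise Forbidden("teachers see only their own courses")
            if role == "student" and actor not in self.courses[course].grades:
                raise Forbidden("students see only courses they are enrolled in")


# Each case: a description, the request to send, and whether policy should allow it.
MATRIX: List[Tuple[str, Callable[[Gradebook], object], bool]] = [
    ("student changes their own grade", lambda g: g.set_grade("alice", "math", "alice", "A"), False),
    ("teacher edits a course they own", lambda g: g.set_grade("ms.lee", "math", "alice", "A"), True),
    ("teacher edits another teacher's course", lambda g: g.set_grade("ms.lee", "art", "alice", "F"), False),
    ("teacher views another teacher's grades", lambda g: g.view_grades("mr.ray", "math"), False),
    ("student creates a teacher account", lambda g: g.create_teacher("alice", "mallory"), False),
    ("admin creates a teacher account", lambda g: g.create_teacher("root", "new.teacher"), True),
]


def run_matrix(make_app: Callable[[], Gradebook]) -> List[str]:
    """Return the descriptions of every case whose outcome differs from the intended policy."""
    findings = []
    for description, request, should_allow in MATRIX:
        app = make_app()            # fresh state, so cases do not interfere with each other
        try:
            request(app)
            allowed = True
        except Forbidden:
            allowed = False
        if allowed != should_allow:
            findings.append(description)
    return findings


if __name__ == "__main__":
    print("vulnerable:", run_matrix(VulnerableGradebook))
    print("hardened:  ", run_matrix(HardenedGradebook))
```

The point of the matrix is that it is written from the application’s intended policy, not from its code: every combination of role and action gets an expected answer first, and the test then reports where the application disagrees. Cases 1, 3, 4 and 5 are the findings an external test never reaches, because they all require a valid session.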

Checkout

Let’s say we are testing an e-commerce application that sells school-branded clothing. One of the things an engineer will focus on during a web application penetration test is the checkout process: Can I change the price of the items in my shopping cart? Is the credit card information sent securely? Can I check out with a fake credit card? While some of these findings may turn up in an external penetration test, they are not its focus. The focus of an external penetration test is to break in, not to holistically evaluate the security of the application.
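As an added illustration of the price-tampering and fake-card checks (example code for this post, not from the original article or any real store), the following Python shows a checkout total that trusts the price and quantity the browser submitted beside one that looks the price up server-side and validates the quantity, plus a Luhn checksum pre-check for card numbers. The catalogue, the carts and the 100-unit quantity limit are constructed assumptions; the tampered cart is what an engineer would produce by editing the checkout request in an intercepting proxy.

```python
"""Checkout business-logic checks for a constructed e-commerce cart.

Example code for this post. CATALOG, the carts and the quantity limit are
assumptions made up for the illustration.
"""
from decimal import Decimal
from typing import Dict, List

# Constructed server-side catalogue: the only legitimate source of prices.
CATALOG = {"HOODIE-001": Decimal("45.00"), "CAP-002": Decimal("20.00")}
MAX_QTY = 100   # assumed per-line limit


class CheckoutError(ValueError):
    """Raised when a submitted cart or card fails server-side validation."""


def luhn_ok(number: str) -> bool:
    """Luhn checksum: rejects made-up or mistyped card numbers before they reach the processor."""
    digits = [int(d) for d in number if d.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def vulnerable_total(cart: List[Dict]) -> Decimal:
    """Trusts the price and quantity the client sent: editing the request changes the charge."""
    return sum(Decimal(str(item["price"])) * item["qty"] for item in cart)


def hardened_total(cart: List[Dict]) -> Decimal:
    """Prices come from CATALOG; the client only chooses a SKU and a positive integer quantity."""
    total = Decimal("0")
    for item in cart:
        sku = item.get("sku")
        if sku not in CATALOG:
            raise CheckoutError(f"unknown sku {sku!r}")
        qty = item.get("qty")
        if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QTY:
            raise CheckoutError(f"quantity must be an integer from 1 to {MAX_QTY}")
        total += CATALOG[sku] * qty          # the submitted "price" field is ignored
    return total


def hardened_checkout(cart: List[Dict], card_number: str) -> Decimal:
    """Full server-side validation: card checksum first, then the recomputed total."""
    if not luhn_ok(card_number):
        raise CheckoutError("card number fails checksum")
    return hardened_total(cart)


def compare(cart: List[Dict]) -> Dict[str, str]:
    """What each implementation would charge for the same submitted cart."""
    try:
        hardened = str(hardened_total(cart))
    except CheckoutError as exc:
        hardened = f"rejected: {exc}"
    return {"vulnerable": str(vulnerable_total(cart)), "hardened": hardened}


# Constructed requests. TAMPERED_CART has an edited price and a negative quantity
# (a negative line is a classic way to turn a charge into a credit).
HONEST_CART = [{"sku": "HOODIE-001", "price": "45.00", "qty": 1}]
CHEAP_CART = [{"sku": "HOODIE-001", "price": "0.01", "qty": 1}]
TAMPERED_CART = [
    {"sku": "HOODIE-001", "price": "0.01", "qty": 1},
    {"sku": "CAP-002", "price": "20.00", "qty": -1},
]

if __name__ == "__main__":
    for name, cart in [("honest", HONEST_CART), ("cheap", CHEAP_CART), ("tampered", TAMPERED_CART)]:
        print(name, compare(cart))
    print("4111111111111111 passes Luhn:", luhn_ok("4111111111111111"))
```

The Luhn check only filters out numbers that cannot be real cards; whether a syntactically valid number is actually fraudulent is the payment processor’s job, and whether the card data travels over TLS is a separate transport check the engineer performs with the proxy. Neither of those, nor the price recomputation, is something an external test looks at unless it happens to stumble on it while trying to break in.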

Conclusion

In summary, an external penetration test does include web application testing to some extent. For the websites discovered, the engineer will evaluate the application in an attempt to break in or gain access to sensitive information. However, it is not the same as a web application penetration test. Relying on an external penetration test alone to ensure the security of your applications is insufficient and will leave many aspects of the application untested. To learn how we can help your institution with an external penetration test, contact us today.

About the Author:

Matt Miller is Director of Penetration Testing at SIG. He currently has his PCI QSA, CISSP, OSCP, C|EH, GSEC, GCIH, and CISA certifications. You can find Matt on Twitter @InfoSecMatthew.
