What is a Web Application Penetration Test?

Note from the Editor: This blog is the first installment of an 8-part blog series entitled, “The Complete Web Application Penetration Test Guide.”

A lot of times in security, there are differences in understanding between clients and service providers. Miscommunications often relate to the terms being used, and sometimes it's unclear what services are even being offered. This problem is exacerbated by increased compliance requirements, news about data breaches, and the relative newness of the cybersecurity industry. It makes shopping for a cybersecurity provider extremely difficult when you don't understand exactly what you are getting for your investment. This is particularly true with web application penetration tests. We get a ton of questions and confusion around what an assessment looks like. With that in mind, let's cover what exactly a web application penetration test is and what it includes.

Web Application Penetration Test Definition

The Open Web Application Security Project (OWASP) is the primary authority on application security. They describe a web application security test as:

"A security test is a method of evaluating the security of a computer system or network by methodically validating and verifying the effectiveness of application security controls. A web application security test focuses only on evaluating the security of a web application. The process involves an active analysis of the application for any weaknesses, technical flaws, or vulnerabilities. Any security issues that are found will be presented to the system owner, together with an assessment of the impact, a proposal for mitigation or a technical solution."

In simpler terms, a web application penetration test identifies vulnerabilities in your web application and assesses the impact of those vulnerabilities through exploitation attempts. A penetration test goes above and beyond a simple vulnerability scan: it shows you which weaknesses are the most significant from the perspective of an attacker. This subsequently helps your organization evaluate where to allocate resources (time, budget, etc.).

What Questions Does it Answer?

Most organizations perform web application testing that follows the OWASP Penetration Testing Guide or some form of it. This type of testing includes both an unauthenticated and an authenticated analysis of the targeted web application(s), using all of the different user roles that are available. Additionally, most organizations (but definitely not all) will include network-level testing for vulnerabilities on the host server that could negatively affect the security of the application.

Some questions a Web Application Penetration Test will answer include:

  • What sensitive data can a hacker access within the application if they don’t have an account?
  • Can one application user see or modify the data of another application user?
  • Is a low-level user able to access sensitive data or perform privileged functions they shouldn't have access to?
  • Can an attacker gain control over your application server through the application?
  • Can an attacker or malicious individual use your application as an entry point to your internal network?
  • Is our web application infrastructure vulnerable?
  • Is our code vulnerable? Or can attackers manipulate the website or back-end database by injecting malicious code?

In subsequent blogs we will cover these questions and others. We will also cover how long a web application penetration test takes, the cost, our methodology, and much more. In the meantime, please reach out today to learn more about cybersecurity services and how we can help your institution.

About the Author:

JR Johnson is the Director of Penetration Testing at SIG. He holds a BS in Computer Science Engineering from the University of Florida and an MS in Information Assurance and Cybersecurity from the Florida Institute of Technology. JR is an avid collector of security-related certifications, including OSCP, OSWE, GWAPT, CISSP, C|EH, CISA, and PCI QSA. You can find him on Twitter @InfoSecJR.
