What to expect from a web application penetration test
What is Web Application Security Testing?
According to the Open Web Application Security Project (OWASP):
In other words, a penetration test is a process in which methodologies and techniques are used in an attempt to identify security weaknesses and flaws that could allow a malicious attacker to cause harm to, or gain unauthorized access to, the resources located in the targeted system (such as credit card information, sensitive personal data, etc.). Once the security flaws are identified, an analysis of the potential risks and vulnerability impact is provided alongside remediation measures.
This concept applies to the web environment; in this case, the targeted system is the web application, and the evaluation is performed in the context of the website and its associated services, rather than the infrastructure in which it is hosted.
The Cyber Security Landscape
The numbers don’t lie: in 2017 the total number of registered vulnerabilities more than doubled compared with 2016, according to the Common Vulnerabilities and Exposures (CVE) database, skyrocketing from 6,447 registered vulnerabilities in 2016 to 14,712 in 2017 (Figure 1).

This is truer than ever for web applications. As the development and availability of new technologies such as APIs and IoT devices increase, the number of potential risks and threats grows accordingly. The total number of published Cross-Site Scripting (XSS) vulnerabilities in the CVE database increased by 304.83%, from 497 registered in 2016 to 1,151 in 2017 (Figure 2).

As for SQL Injection (SQLi) vulnerabilities, the increase was an astonishing 535.12%, jumping from 94 in 2016 to 503 in 2017 (Figure 3).

These examples show a growing trend for two of the most critical threats to Web Application Security in the OWASP Top Ten 2017, a widely known security awareness document that ranks the most critical risks for web applications.
Similarly, attackers were able to steal personal data belonging to thousands of World Trade Organization officials around the world through a SQL Injection flaw in the WTO website in 2015.
Security Lifecycle
Identify potential risks and security flaws within the web application’s context
Evaluate the vulnerabilities existing in the web application by performing a security test
Implement the security fixes and technical remediation required to mitigate the identified vulnerabilities
Monitor the effectiveness of the implemented fixes and the security compliance of newly implemented features and components
These phases are executed continuously to identify, evaluate and mitigate newly discovered vulnerabilities that may affect an organization’s web applications. This allows organizations to maintain continuous control of the security status of the web application and to implement security updates when required, therefore heightening the security status of their websites and maximizing the value of performing security tests.
How a Web Application Penetration Test is Performed
Phase 1: Discovery and Crawling
Phase 2: Vulnerability Assessment
Simulated attack scenarios include, for example, unauthorized access to parts of the website only available to authenticated users or users with proper privilege rights, attempts to retrieve sensitive information that should only be accessed by a specific group of users, and attempts to modify the content of the site in order to deceive or trick a victim.
These testing scenarios include, but are not limited to, the OWASP Top Ten 2017 and Web Application Security Consortium’s Threat Classification. Additionally, the status of the web server hosting the targeted application is also checked for possible misconfigurations, which can result in security flaws that could be exploited by an attacker.