Penetration Test – Application Penetration Testing
- Penetration Test – Application Penetration Testing
The primary objective for a web application penetration test is to identify exploitable vulnerabilities in applications before hackers are able to discover and exploit them. Web application penetration testing will reveal real-world opportunities for hackers to be able to compromise applications in such a way that allows for unauthorized access to sensitive data or even take-over systems for malicious/non-business purposes.
This type of assessment is an attack simulation carried out by our highly trained security consultants in an effort to:
- Identify application security flaws present in the environment
- Understand the level of risk for your organization
- Help address and fix identified application flaws
RedTeam Security application penetration testers have experience developing software —not just trying to break it. They leverage this experience to zero in on critical issues and provide actionable remediation guidance.
As a result of our penetration tests, you’ll be able to view your applications through the eyes of both a hacker and an experienced developer to discover where you can improve your security posture. Our consultants produce findings in written reports and provide your team with the guidance necessary to effectively remediate any issues we uncover.
RedTeam Security’s web application penetration testing service utilizes a comprehensive, risk-based approach to manually identify critical application-centric vulnerabilities that exist on all in-scope applications.
1. Information Gathering
2. Threat Modeling
3. Vulnerability Analysis
Using this industry-standard approach, RedTeam’s comprehensive method covers the classes of vulnerabilities in the Open Web Application Security Project (OWASP) Top 10 2013 including, but not limited to: Injection, Cross-Site Scripting, Cross-Site Request Forgery, Unvalidated Redirects & Forwards, Broken Authentication & Session Management, Security Misconfiguration, Insecure Direct Object Access and more…
Manual Testing vs Automated Testing
RedTeam’s approach consists of about 80% manual testing and about 20% automated testing – actual results may vary slightly. While automated testing enables efficiency, it is effective in providing efficiency only during the initial phases of a penetration test. At RedTeam Security, it is our belief that an effective and comprehensive penetration test can only be realized through rigorous manual testing techniques.
In order to perform a comprehensive real-world assessment, RedTeam Security utilizes commercial tools, internally developed tools and the same tools that hacker use on each and every assessment. Once again, our intent is to assess systems by simulating a real-world attack and we leverage the many tools at our disposal to effectively carry out that task.
We consider the reporting phase to mark the beginning of our relationship. RedTeam strives to provide the best possible customer experience and service. As a result, our report makes up only a small part of our deliverable. We provide clients with an online remediation knowledge base, dedicated remediation staff and ticketing system to close the ever important gap in the remediation process following the reporting phase.
We exist to not only find vulnerabilities, but also to fix them.
Remediation & Re-testing
Simply put, our objective is to help fix vulnerabilities, not just find them. As a result, remediation re-testing is always provided at no additional cost.
Each and every web application penetration test is conducted consistently using globally accepted and industry standard frameworks. In order to ensure a sound and comprehensive penetration test, RedTeam leverages industry standard frameworks as a foundation for carrying out penetration tests. At a minimum, the underlying framework is based on the Open Web Application Security Project (OWASP), but goes beyond the initial framework itself.
The first phase in a web application penetration test is focused on collecting as much information as possible about a target application. Reconnaissance, aka Information Gathering, is one of the most critical steps of a web app pen test. This is done through the use of public tools (search engines), scanners, sending simple HTTP requests, or specially crafted requests. As a result, it is possible to force the application to leak information, e.g., disclosing error messages or revealing the versions and technologies used.
Example tests include: Error Code Analysis, Fuzzing, Search Engine Recon, App Enumeration and App Fingerprinting
Comprehending the deployed configuration of the server/infrastructure hosting the web application is nearly as critical as the application security testing itself. After all, an application chain is only as strong as its weakest link. Application platforms are wide and varied, but some key platform configuration errors can compromise the application in the same way an unsecured application can compromise the server (insecure HTTP methods, old/backup files).
Example testing includes: TLS Security, Database Listeners, File Extension Handling and Cross Site Tracing
Authentication is the process of attempting to verify the digital identity of the sender of a communication. The most common example of such a process is the log on process. Testing the authentication schema means understanding how the authentication process works and using that information to circumvent the authentication mechanism.
Example testing includes: Brute Force Testing, User Enumeration, Transport Layer Security and
Session Management is defined as the set of all controls governing the stateful interaction between a user and the web application he/she is interacting with. In general, this covers anything from how user authentication is carried out, to what happens when they log out.
Example testing includes: Session Fixation, Cross Site Request Forgery, Cookie Management and Session Timeout.
Authorization Testing involves understanding how the authorization process works and using that information to circumvent the authorization mechanism. Authorization is a process that comes after a successful authentication, so the pen tester will verify this point after he/she holds valid credentials, associated with a well-defined set of roles and privileges. As a result, it should be verified if it is possible to bypass the authorization schema, find a path traversal vulnerability, or find ways to escalate the privileges.
Example testing includes: Directory Traversal, Privilege Escalation and Bypassing Authorization Controls.
Data Input Validation
The most common web application security weakness is the failure to properly validate input coming from the client or from the environment before using it. This weakness leads to almost all of the major vulnerabilities in web applications, such as cross site scripting, SQL injection, interpreter injection, locale/Unicode attacks, file system attacks, and buffer overflows.
Example tests include: Cross Site Scripting, SQL Injection, OS Commanding and Server Side Injection.
A denial of service (DoS) attack is an attempt to make a resource unavailable to its legitimate users. Traditionally, denial of service (DoS) attacks have been network based: a malicious user floods a target machine with enough traffic to make it incapable of servicing its intended users. There are, however, types of vulnerabilities at the application level that can allow a malicious user to make certain functionality unavailable. These problems are caused by bugs in the application and often are triggered by malicious or unexpected user input. This phase of testing will focus on application layer attacks against availability that can be launched by just one malicious user on a single machine.
Not all clients have an appetite for DoS testing, therefore it may not always be a component of each and every penetration test.
Web / API Services
Web services have certain elements of exposure just like any other protocol or service. What’s different is that they can be used on HTTP, FTP, SMTP or MQ among other transport protocols. As a result, vulnerabilities in web services are similar to other vulnerabilities, such as SQL injection, information disclosure, and leakage, but web services also have unique XML/parser related vulnerabilities.
Example tests include: Information Gathering, Fuzzing and Replay Testing
At RedTeam Security, we consider the Delivery / Reporting phase to be the most important and we take great care to ensure we’ve communicated the value of our service and findings thoroughly. The deliverable consists of an electronic report that includes several key components including, but not limited to: Executive Summary, Scope, Findings, Evidence, Tools and Methodology. In addition to the report, a raw file in comma-separated value (CSV) format is also provided in an effort to optimize the remediation and management of any identified findings.
Findings are communicated in a stakeholder meeting and typically presented in-person or virtually via Webex — whichever medium is most conducive for communicating results effectively. During this time, RedTeam Security consultants will walk through the report, in detail, to ensure all findings and their corresponding description, risk rating, impact, likelihood, evidence and remediation steps are thoroughly understood. While this typically involves a single meeting, there is no limitation to that number. The key underlying message is that all information is clearly understood and that a roadmap toward remediation / mitigation is crystal clear.
Some of the key components to our web application penetration test deliverable include, but are not limited to:
* Control Framework (ie: OWASP, PCI, PTES, OSSTMM)
* Executive Summary Narrative
* Technical Summary Narrative
* Report Summary Graphs
* Summary of Findings
* Findings (Description, Business Impact, Recommendation, Evidence, References, CVSS, Risk Rating Calculation)
* Methodology and Approach
* Risk Rating Factors
Frequently Asked Questions
Why should should I conduct a penetration test?
A penetration test is a simulated attack from the perspective of a bad actor, such as a malicious hacker. The objective is to simulate a cyber security attack and attempt to uncover security vulnerabilities that might otherwise be discovered by hackers. In doing so, you would gain valuable insight into the security posture of the assets and be able to fix them before hackers are able cause serious damage by exploiting them.
How long does it take to conduct a web application penetration test?
The overall time depends on the size and complexity of the in-scope application(s). That said, most tests take anywhere from one week to four weeks, start to finish.
How much does an application penetration test cost?
We get this question a lot and it’s not easy to answer until some level of scoping has been performed. Our scoping process is quick, online and painless. But overall, the complexity of the application will ultimately determine its cost. For example, when determining the work effort, we take the following into account: dynamic pages, APIs, user roles/permissions, overall number of pages, etc.
What’s the difference between a Penetration Test and a Vulnerability Assessment?
We get this question a lot as well. Short answer: Exploitation and Post-Exploitation. Vulnerability assessments do not involve Exploitation while penetration testing goes well beyond a vulnerability assessment and into Exploitation and Post-Exploitation phases.
TRUSTED BY TODAY’S LEADING ORGANIZATIONS
Our Penetration Testing, Social Engineering and Red Teaming services go beyond the checkbox to help prevent data breaches