What Is Tested In A Web App Pen Test?
Configuration Management
Understanding the deployed configuration of the server and infrastructure hosting your web applications is nearly as critical as testing the application itself. After all, an application chain is only as strong as its weakest link, and you can rest assured that those with dishonorable intentions will be seeking out these weak points to launch cyberattacks or gain access to your valuable data. Application platforms are wide and varied, but a handful of common platform configuration errors (insecure HTTP methods, old or backup files left in the web root) can compromise your web application in the same way an insecure application can compromise your web server.
Example testing includes: TLS Security, Database Listeners, File Extension Handling, and Cross-Site Tracing.
Authentication Testing
Authentication is the process of verifying the digital identity of the sender of a communication. The most common example is the logon process. Any weak point in this process can result in a massive data breach if you're not careful. As a step in our pentesting methodology, we test the authentication schema: this shows us how your current authentication process works, and we then use that information to try to circumvent the authentication mechanisms. Any weaknesses identified in this step can be remedied to prevent bad actors from bypassing authentication and reaching your sensitive information.
Example testing includes: Brute Force Testing, User Enumeration, Transport Layer Security.
Session Management
Session Management is defined as the set of all controls governing the stateful interaction between a user and the web application they are interacting with. In general, this covers anything from how user authentication is carried out to what happens when the user logs out of your web application.
Example testing includes: Session Fixation, Cross Site Request Forgery, Cookie Management, and Session Timeout.
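To make the session fixation, cookie management and session timeout checks above concrete, here is an added example, written for this page and not code from the testing provider or any product, of the server-side behaviour those tests look for: a fresh identifier is issued at login (so an identifier that existed before authentication is never upgraded), idle and absolute timeouts are enforced on every lookup, and the cookie is sent with the HttpOnly, Secure and SameSite attributes. The SessionStore class, the timeout values and the demo walk-through are assumptions chosen for illustration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session is dropped (assumed policy)
ABSOLUTE_TIMEOUT = 8 * 3600   # hard lifetime from login, regardless of activity (assumed policy)


@dataclass
class Session:
    user: Optional[str]   # None until the user authenticates
    created: float
    last_seen: float


class SessionStore:
    """Minimal in-memory store (hypothetical; a real app would use a database or cache)."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._sessions: Dict[str, Session] = {}
        self._clock = clock

    @staticmethod
    def _new_id() -> str:
        # 256 bits from the OS CSPRNG, so identifiers cannot be guessed or enumerated
        return secrets.token_urlsafe(32)

    def create(self) -> str:
        """Start an anonymous session (pre-login state such as a shopping cart)."""
        now = self._clock()
        sid = self._new_id()
        self._sessions[sid] = Session(None, now, now)
        return sid

    def get(self, sid: str) -> Optional[Session]:
        """Look up a session, enforcing idle and absolute timeouts on every access."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s

    def login(self, sid: Optional[str], user: str) -> str:
        """Authenticate and issue a fresh identifier.

        Rotating the identifier at this privilege change is the defence against session
        fixation: whatever identifier the browser held before login is discarded rather
        than upgraded to an authenticated one.
        """
        if sid is not None:
            self._sessions.pop(sid, None)
        now = self._clock()
        new_sid = self._new_id()
        self._sessions[new_sid] = Session(user, now, now)
        return new_sid

    def logout(self, sid: str) -> None:
        """Invalidate server-side; clearing the cookie in the browser alone is not enough."""
        self._sessions.pop(sid, None)


def session_cookie(sid: str) -> str:
    """Set-Cookie value carrying the attributes a tester checks under 'Cookie Management'."""
    return (f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Lax; "
            f"Max-Age={ABSOLUTE_TIMEOUT}")


def session_demo() -> Dict[str, bool]:
    """Exercise rotation, invalidation and timeout with a controllable clock."""
    now = [1_000_000.0]
    store = SessionStore(clock=lambda: now[0])

    pre_login = store.create()                 # identifier that existed before authentication
    authed = store.login(pre_login, "alice")
    current = store.get(authed)

    results = {
        "id_rotated_on_login": authed != pre_login,
        "pre_login_id_invalid": store.get(pre_login) is None,
        "authed_id_valid": current is not None and current.user == "alice",
    }
    now[0] += IDLE_TIMEOUT + 1                 # user goes quiet for longer than the idle limit
    results["expired_after_idle"] = store.get(authed) is None

    sid = store.login(None, "bob")
    store.logout(sid)
    results["invalid_after_logout"] = store.get(sid) is None
    return results
```

The controllable clock is what makes the timeout behaviour testable without waiting; in production the default `time.time` is used and the store is shared across workers.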
Authorization Testing
Authorization Testing is the part of our methodology that involves understanding how your authorization process works and using that information to try to circumvent the authorization mechanism. Since authorization is the process that follows successful authentication, the pen tester verifies this point while holding valid credentials that align with a well-defined set of roles and privileges. Where the mechanism does not hold up, our testers determine where the lapses are in this part of your security posture and identify how to fix the weaknesses or discrepancies found.
Example testing includes: Directory Traversal, Privilege Escalation, and Bypassing Authorization Controls.
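The three checks listed above come down to two server-side controls: an access decision that uses the server's own record of who the caller is and who owns the object (so a user cannot reach another user's record or act as an admin by editing a request), and a path-resolution step that refuses any client-supplied path escaping the intended directory. The following is an added illustration written for this page, not the provider's code; the DOCS and ROLES tables, the file names and the demo directory are constructed sample data.

```python
import tempfile
from pathlib import Path
from typing import Dict


class Forbidden(Exception):
    """Raised when a request fails an authorization check; the web layer maps it to HTTP 403."""


# Constructed sample data (hypothetical): which user owns which document, and each user's role.
DOCS = {"invoice-1": "alice", "invoice-2": "bob"}
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}


def can_read(principal: str, doc_id: str) -> bool:
    """Deny by default; allow the owner or an admin.

    The principal comes from the authenticated session, and ownership and role come from
    server-side records. Nothing in the request body or query string is trusted for this
    decision, which is what closes the usual bypass and privilege-escalation findings.
    """
    owner = DOCS.get(doc_id)
    if owner is None:
        return False
    return owner == principal or ROLES.get(principal) == "admin"


def resolve_under(base: Path, user_path: str) -> Path:
    """Map a client-supplied path onto a file inside base, refusing anything that escapes it."""
    base = base.resolve()
    target = (base / user_path).resolve()   # collapses '..' and follows symlinks before the check
    if target != base and base not in target.parents:
        raise Forbidden(f"path escapes {base}")
    return target


def serve_document(base: Path, principal: str, doc_id: str) -> bytes:
    """Authorization first, then a traversal-safe path, then the read."""
    if not can_read(principal, doc_id):
        raise Forbidden(f"{principal} may not read {doc_id}")
    return resolve_under(base, f"{doc_id}.txt").read_bytes()


def _blocked(fn, *args) -> bool:
    """True if the call was refused with Forbidden."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


def authz_demo() -> Dict[str, bool]:
    """Run the checks a tester performs, against a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "invoice-1.txt").write_bytes(b"invoice for alice")
        return {
            "owner_can_read": serve_document(base, "alice", "invoice-1") == b"invoice for alice",
            "admin_can_read": serve_document(base, "carol", "invoice-1") == b"invoice for alice",
            "other_user_blocked": _blocked(serve_document, base, "bob", "invoice-1"),
            "unknown_doc_blocked": _blocked(serve_document, base, "alice", "invoice-9"),
            "relative_traversal_blocked": _blocked(resolve_under, base, "../../etc/passwd"),
            "absolute_path_blocked": _blocked(resolve_under, base, "/etc/passwd"),
        }
```

Note the order in `serve_document`: the access decision happens before any file system work, so an unauthorized caller learns nothing about which files exist.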
Data Input Validation
One of the most common web application security weaknesses is the failure to properly validate input coming from the client or from the environment before using it. This particular weakness is one of the primary causes of all of the major vulnerabilities present in web applications. This includes cross-site scripting, SQL injection, interpreter injection, locale/Unicode attacks, file system attacks, and buffer overflows.
Example tests include: Cross-Site Scripting, SQL Injection, OS Commanding, and Server Side Injection.
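The injection classes above share one root cause: untrusted input is handed to an interpreter (SQL engine, HTML parser, shell) as part of its instructions rather than as data. This added example, written for this page and not the provider's code, puts the vulnerable SQL lookup next to its parameterized form, runs both against a constructed in-memory SQLite table, and adds the two complementary controls a tester expects to see: allow-list validation of the input and context-appropriate output encoding for the HTML response. The PROBE value is a constructed test input, and the table contents are sample data.

```python
import html
import re
import sqlite3
from typing import Dict, List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # BAD: the value is spliced into the SQL text, so a quote in it changes the query's structure
    return conn.execute(f"SELECT name, email FROM users WHERE name = '{name}'").fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # GOOD: the driver passes the value separately; it can only ever be compared as data
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


USERNAME = re.compile(r"[A-Za-z0-9_]{1,32}")   # assumed allow-list for this application's usernames


def valid_username(name: str) -> bool:
    """Allow-list validation: reject anything outside the expected character set and length."""
    return USERNAME.fullmatch(name) is not None


def render_greeting(name: str) -> str:
    """Output encoding for the HTML body context; this complements validation, it does not replace it."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


PROBE = "' OR '1'='1"   # constructed test input: the quote closes the string literal in the bad query


def compare() -> Dict[str, int]:
    """Row counts returned by each lookup for the same inputs."""
    conn = make_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, PROBE)),       # structure changed: every row
        "parameterized_rows": len(lookup_parameterized(conn, PROBE)),  # treated as a literal name: none
        "normal_rows": len(lookup_parameterized(conn, "alice")),       # ordinary lookup still works
    }
```

Running `compare()` shows the vulnerable query returning every row while the parameterized query returns none for the same input, and `valid_username(PROBE)` is False, so the request would have been rejected before it reached the database at all.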
Denial-of-Service (Optional)
A denial of service (DoS) attack occurs when a bad actor attempts to make a web application (or another important resource) unavailable to legitimate users. Traditionally, DoS attacks have been network-based: for example, a person with malicious intentions floods a target machine with enough traffic to render it incapable of serving legitimate users. However, there are other types of vulnerabilities at the application level that can allow a malicious user to make certain functionality unavailable, which can put a significant damper on day-to-day operations or transactions (not to mention frustrate legitimate users or customers).
Typically, these problems are caused by bugs in the application and are often triggered by malicious or unexpected user input. This phase of our testing will put an emphasis on application layer attacks against availability that can be launched by just one malicious user on a single machine.
We recognize not all of our clients will have an appetite for DoS testing and, if this is the case, it may not be a component of each and every penetration test we perform. This is a step we'll discuss with you to determine if this portion of testing would provide value to you.
Web / API Services
Web services have certain elements of exposure just like any other type of protocol or service. What differs is that web services can run over HTTP, FTP, SMTP, or MQ, among other transport protocols. As a result, we look for vulnerabilities in web services that are similar to those found elsewhere, such as SQL injection, information disclosure, and leakage, but web services also have unique XML/parser-related vulnerabilities.
Example tests include: Information Gathering, Fuzzing, and Replay Testing.