Web Application Testing
At a glance
Penetration testing is a technical assessment aimed at uncovering as many vulnerabilities as possible in the environment under test. Pen tests are performed with a specific aim, such as checking whether a client’s data can be stolen or modified.
Many web applications process sensitive data including user and financial information, making them of enormous interest to malicious attackers. As the complexity of web applications increases, the range of exploitable vulnerabilities will increase. This is why WCS’s web penetration testing services are so crucial for our clients.
The WCS web application penetration testing methodology is based on the latest version of the web security standard “OWASP Testing Guide”, supplemented by the company’s custom security testing process and experience to deliver web application penetration testing best practices. The web application will be investigated for weaknesses in line with the OWASP Top 10, including:
- Input Validation
- Parameter Tampering
- Session Handling
- Information Leakage
- Authentication, Access Control, and Authorization
- Encryption and Certification
- Logical Flaws
- File Upload Functionality
- Susceptibility to fraudulent activity and criminal attack vectors
Web Application Security Testing Methodology
The WCS web application penetration testing methodology for website application security assessments follows a logical flow consisting of a number of distinct but closely inter-related phases that span from information gathering through to exploitation of identified vulnerabilities. All testing phases are pertinent to the web application under test.
For testing web-based applications, WCS will use a variety of tools, such as Man-In-The-Middle (MITM) proxies and web vulnerability scanners, alongside other open source utilities to investigate web applications, and custom scripts and programs to assess the site.
Testing starts with the identification of publicly available information specifically relating to the target web site or application that could prove useful in the following stages of the application test.
Typical information sought includes application details, network configurations, architecture and technology in use, personnel and their roles within the application management structure, and possible usernames, authentication formats, and passwords that may be in use.
Then any publicly accessible part of the web application itself will be assessed to look for information that would be useful to an attacker, either in the web source itself or in documents stored on the site.
Web Application Analysis
WCS will identify the protocols, ports, and services that are present on the IP addresses that are associated with hosting the web application using standard IP protocols. A combination of protocol fingerprinting, banner grabbing, and manual communication with the service itself will be employed to enumerate the ports and services to then allow the identification of any application protocols in use and software vendors and versions supporting the application.
Also, any specific infrastructure will be identified to support the application analysis and to detect any known vulnerabilities that could be exploited to attack the application. These include Intrusion Detection / Prevention Systems (IDPs), separate web/application servers, DNS load balancing, Web Application Firewalls (WAFs), and reverse proxies.
All identified ports, services, and web applications will be reviewed for vulnerabilities. Using our test team’s knowledge and experience, together with our repository of vulnerability and exploit information, a map of the services that are present on the systems will be created and potentially exploitable vulnerabilities identified.
The vulnerability analysis is essential in ensuring that subsequent testing does not risk adversely affecting the service or causing a system/application crash.
Application analysis involves the use of a suite of testing tools and access to a valid test user account to assess vulnerabilities from both an unauthenticated and authenticated point of view. Typically the application testing will comprise security testing of:
- Application server (if applicable)
- Client/server protocols and communications path
- Client application
The test process includes an attempt at the safe exploitation of application vulnerabilities to determine the extent and implications of exploitation and their business impact.
Should any additional access be gained via exploitation techniques, it is assessed to determine whether it can be used to gain further access to other systems and services that may be present.