Penetration testing, aka Pen Test, is the most commonly used security testing technique for web applications.
Web Application Penetration Testing is done by simulating unauthorized attacks, internally or externally, to get access to sensitive data.
A web penetration test helps the end user find out whether a hacker could access their data from the internet, how secure their email servers are, and how secure the web hosting site and server are.
When we talk about security, the most common word we hear is Vulnerability.
When I initially started working as a security tester, I used to get confused very often by this word Vulnerability, and I am sure many of you, my readers, would be in the same boat.
For the benefit of all my readers, I will first clarify the difference between vulnerability scanning and pen testing.
So, what is a Vulnerability? Vulnerability is the term used for a flaw in a system that exposes the system to security threats.
Vulnerability Scanning lets the user find the known weaknesses in the application and defines methods to fix them and improve the overall security of the application. It basically finds out whether security patches are installed and whether the systems are properly configured to make attacks difficult.
A Pen Test simulates a real attack on the system and helps the user find out whether the system can be accessed by unauthorized users, and if so, what damage can be caused and to which data.
Hence, Vulnerability Scanning is a detective control method that suggests ways to improve the security program and ensure known weaknesses do not resurface, whereas a pen test is a preventive control method that gives an overall view of the system’s existing security layer.
Both methods have their importance, but which one to use depends on what is really expected as part of the testing.
As testers, it is imperative to be clear on the purpose of the testing before we jump into it. If you are clear on the objective, you can very well decide whether you need a vulnerability scan or a pen test.
Importance and the need for Web App Pen Testing:
If you look at the current market demand, there has been a sharp increase in mobile usage, which is becoming a major avenue for attacks. Accessing websites through mobiles is prone to more frequent attacks and hence to compromise of data.
Penetration Testing thus becomes very important in ensuring we build a secure system which users can use without any worries of hacking or data loss.
A methodology is nothing but a set of security industry guidelines on how the testing should be conducted. There are some well established and famous methodologies and standards which can be used for testing, but since each web application demands different types of tests, testers can create their own methodologies by referring to the standards available in the market.
Some of the Security Testing Methodologies and standards are –
Listed below are some of the test scenarios which can be tested as part of Web Application Penetration Testing (WAPT):
Even though I have mentioned the list, testers should not blindly create their test methodology based on the conventional standards above.
Here’s an example to show why I am saying so.
Consider that you are asked to penetration test an eCommerce website. Now give it a thought: can all vulnerabilities of an eCommerce website be identified using the conventional OWASP methods like XSS, SQL injection etc.?
The answer is no, because eCommerce works on a very different platform and technology compared to other websites. In order to make your pen testing of an eCommerce website effective, testers should design a methodology that covers flaws in areas like Order Management, Coupon and Reward Management, Payment Gateway Integration and Content Management System Integration.
So, before you decide on the methodology, be very sure what types of website are expected to be tested and which method will help in finding the maximum number of vulnerabilities.
Web applications can be penetration tested in 2 ways. Tests can be designed to simulate an inside or an outside attack.
#1) Internal Penetration Testing –
As the name suggests, internal pen testing is done within the organization over the LAN, hence it includes testing web applications hosted on the intranet.
This helps in finding out whether there are vulnerabilities that exist inside the corporate firewall.
We tend to believe attacks can only happen externally, and many a time the internal Pentest is overlooked or not given much importance.
Basically, it covers Malicious Employee Attacks by disgruntled employees or contractors who have resigned but are still aware of the internal security policies and passwords, Social Engineering Attacks, Simulation of Phishing Attacks, and Attacks using User Privileges or misuse of an unlocked terminal.
Testing is mainly done by accessing the environment without proper credentials and identifying if an
#2) External Penetration Testing –
These are attacks done from outside the organization and include testing web applications hosted on the internet.
Testers behave like hackers who are not much aware of the internal system.
To simulate such attacks, testers are given the IP of the target system and no other information. They are required to search and scan public web pages, find out information about the target hosts, and then attempt to compromise the hosts found.
Basically, it includes testing servers, firewalls, and IDS.
It can be conducted in 3 phases:
Before testing starts, it is advisable to plan what types of testing will be performed, how the testing will be performed, and whether QA needs any additional access to tools etc.
Web Penetration testing can be done from any location, provided the internet provider does not restrict the ports and services needed.
Once the testing is complete and the test reports have been shared with all concerned teams, the following list should be worked upon by all –
Now, since you have read the full article, I believe you have a much better idea of what we can penetration test in a web application and how.
So tell me, can we perform Penetration testing manually, or does it always happen by automating with a tool? No doubt, I think the majority of you are saying Automation. :)
That’s true, because automation brings speed, avoids manual human error, gives excellent coverage, and has several other benefits. But as far as Pen Test is concerned, it does require us to perform some manual testing.
Manual Testing helps in finding vulnerabilities related to Business Logic and in reducing the false positives.
Tools are prone to give a lot of false positives, and hence manual intervention is required to determine whether they are real vulnerabilities.
Tools are created to automate our testing efforts. Please find below a list of some of the tools which can be used for Pentest:
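The kind of business-logic flaw that manual testing catches and a scanner does not, tying back to the Coupon and Order Management flaws mentioned for eCommerce sites: this is an added example, not code from the original article, with constructed coupon codes, prices and function names. The flawed pricing routine contains nothing a scanner would flag, yet it trusts the client-supplied quantity and coupon list; the hardened version enforces the business rules server side.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Coupon:
    code: str
    discount_cents: int
    stackable: bool = False   # may the same code be applied more than once per order?


# Constructed catalogue for the example; a real store loads this from a database.
CATALOGUE = {
    "SAVE10": Coupon("SAVE10", 1000),
    "BULK": Coupon("BULK", 500, stackable=True),
}


def total_vulnerable(unit_price: int, quantity: int, codes: list[str]) -> int:
    """Flawed pricing logic. Every statement looks 'safe' to a scanner (no
    injection, no unsafe API), yet a negative quantity yields a refund and a
    non-stackable coupon can be applied repeatedly by repeating its code."""
    total = unit_price * quantity
    for code in codes:
        coupon = CATALOGUE.get(code)
        if coupon is not None:
            total -= coupon.discount_cents
    return total


def total_hardened(unit_price: int, quantity: int, codes: list[str]) -> int:
    """Same pricing with the business rules enforced server side."""
    if quantity < 1:
        raise ValueError("quantity must be at least 1")
    total = unit_price * quantity
    applied: set[str] = set()
    for code in codes:
        coupon = CATALOGUE.get(code)
        if coupon is None:
            raise ValueError(f"unknown coupon {code!r}")
        if code in applied and not coupon.stackable:
            raise ValueError(f"coupon {code!r} may be used only once per order")
        applied.add(code)
        total -= coupon.discount_cents
    return max(total, 0)   # a discount never turns an order into a payout


def is_rejected(unit_price: int, quantity: int, codes: list[str]) -> bool:
    """True when the hardened logic refuses the order; a manual tester uses
    such a check to confirm each abuse case is actually blocked."""
    try:
        total_hardened(unit_price, quantity, codes)
    except ValueError:
        return True
    return False
```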
Service Providers are companies providing services that cater to the testing needs of organizations. They usually excel and hold expertise in different areas of testing, and can perform testing in their own hosted test environment.
Mentioned below are some of the leading companies that provide penetration testing services:
If you are interested in getting certified in web app penetration testing, you can opt for the certifications below:
In this tutorial, we presented an overview of how penetration testing is performed for web applications.
With this information, the penetration tester can start vulnerability tests.
Ideally, penetration testing can help us create secure software. It is a costly method, so the frequency can be kept at once a year.