Publication record: https://www.researchgate.net/publication/367052446

"A STUDY OF WEB APPLICATION PENETRATION TESTING", Article, June 2019

Author: Kailash Kumar Pareek, Chandigarh University

Uploaded to ResearchGate by Kailash Kumar Pareek on 12 January 2023.


International Journal in IT & Engineering (IJITE)
Volume 7 Issue 6, June 2019 ISSN: 2321-1776 Impact Factor: 6.493
Journal Homepage: http://ijmr.net.in, Email: [email protected]
Double-Blind Peer Reviewed Refereed Open Access International Journal

“A STUDY OF WEB APPLICATION PENETRATION TESTING”

Kailash Kumar Pareek


Assistant Professor, School of Engineering & Technology, RNB Global University

ABSTRACT

Web application penetration testing is the practice of simulating attacks on a system in an attempt to gain access to sensitive data, with the purpose of determining whether the system is secure. Today it is very difficult to protect company data from cyber-attacks, which are increasing immensely day by day. Governments and companies are hiring experts to prevent these attacks, yet despite all that hiring, cyber security remains a very big issue. This paper focuses on the types of web application penetration testing, the phases of web application penetration testing, the OWASP Top 10 web application security risks, and the tools used for web application penetration testing.

Keywords: Vulnerability, Types of Web Application Penetration Testing, Security Risks, Web application penetration tools.

1. INTRODUCTION

Vulnerability Assessment and Penetration Testing (VAPT) are both security services that focus on identifying vulnerabilities in the network, server and system infrastructure. The two services serve different purposes and are carried out to achieve different but complementary goals. Vulnerability Assessment focuses on internal organizational security, while Penetration Testing focuses on external real-world risk. Vulnerability Assessment (VA) is a rapid automated review of network devices, servers and systems to identify key vulnerabilities and configuration issues that an attacker may be able to take advantage of. It is generally conducted within the network on internal devices and, due to its low footprint, can be carried out as often as every day.

Penetration Testing (PT or PenTest) is an in-depth, expert-driven activity focused on identifying the various possible routes an attacker could use to break into the network. In addition to the vulnerabilities, it also identifies the potential damage and further internal compromise an attacker could carry out once they are past the perimeter.

Web Application Penetration Testing is the security testing of web applications and corporate websites for security holes or vulnerabilities. Due to these vulnerabilities, websites are left open to exploitation.

2. DIFFERENT TYPES OF PENETRATION TESTING

Pen-tests are usually categorized as White Box, Black Box, and Grey Box, depending upon the amount of information made accessible to the pen-testers.

2.1 White box penetration testing:

In this testing the pen-testers are fully informed about the internal makeup of their target software system.

2.2 Black box penetration testing:

In this testing the pen-testers operate with no internal knowledge of the target.

2.3 Grey box approach to penetration testing:

This approach is a combination of white box and black box, where the pen-testers are provided with limited information about the target.

The penetration testing phases that we will discuss here are relevant for all of these approaches.

1 International Journal in Management and Social Science


http://ijmr.net.in, Email: [email protected]

3. WEB APPLICATION PENETRATION TESTING

Web application penetration testing involves a methodical series of steps aimed at gathering information about the target system, finding vulnerabilities or faults in it, researching exploits that will succeed against those faults or vulnerabilities, and compromising the web application.

Web Pen Test Steps and Methods
● Information Gathering
● Research and Exploitation
● Reporting and Recommendations
● Remediation and On-going Support

4. PHASES OF PENETRATION TESTING A WEB APPLICATION

4.1 Phase I: Pre-engagement phase of Pen-testing

This is the stage where the logistics and the rules of engagement of the test are discussed. The VAPT provider and the target organization can discuss the legal implications of the exercise. The objective of the test is determined, and the goals of the pen-test are aligned with the specific requirements of the business. You may want to keep certain areas off limits for the pen-testing team; this is the phase to clarify all of that.

This is also the time when the scope of the penetration test is defined. Determining the scope of the penetration test ensures that both the target and the tester know what to expect from the test. There are certain assets that the pen-testers are allowed to test; those are within the scope of the pen-test, others are not. Similarly, the target organization's security posture is tested for a predetermined set of vulnerabilities; anything outside that set is out of scope for the pen-test. The scope of the pen-test greatly influences all the subsequent penetration testing phases.

4.2 Phase II: Reconnaissance

To simulate a cyber-attack on an application or a network, the pen-tester needs access to information about the target. They gather this information in the reconnaissance stage. Whether a hacker wants to target an entire network or a single web application, they need to know as much as they can. That is exactly how a pen-tester approaches the target too. The scoping done in the previous phase helps the pen-tester narrow down the recon to increase efficiency.

There are two kinds of reconnaissance:
● Active reconnaissance: The pen-testers engage directly with the target system to gather information. While this is a more accurate approach to reconnaissance, it makes more noise, since the intruder interacts with the system and its requests end up in the target's logs.
● Passive reconnaissance: In this mode, the intruder does not interact with the target system and applies different passive strategies instead to gather information. They can try to eavesdrop on network traffic, perform passive OS fingerprinting on captured packets, or gather internet footprinting information from public sources.

When it comes to attacking a web application, mapping is an important part of the recon operation. This step helps the attacker look at all the pieces of the application in one place and form an understanding of how the app works. An application has many implemented functionalities, and understanding them is crucial for the success of the subsequent penetration testing phases.

4.3 Phase III: Discovery

The discovery phase can be divided into two parts:
● Further information gathering
● Vulnerability scan

The first part involves gathering more information about the target network using a number of different techniques. Let us talk about a few of them. Hackers can uncover hostnames and IP information using techniques like DNS interrogation, InterNIC (WHOIS) queries, and network sniffing. Banner grabbing can be used to uncover application and service information. During an internal test, the tester can uncover system information such as names and shares using NetBIOS enumeration.
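The banner grabbing described above, as an added Python example that is not code from the paper. It starts a throwaway local TCP service that answers with a constructed HTTP banner so the grab can run offline; the host, port, probe string and banner text are all assumptions, and on an engagement the same grab_banner call would be pointed at an in-scope host instead.

```python
"""Active reconnaissance: TCP banner grabbing.

Added example, not code from the paper. A local listener returning a
constructed banner stands in for the target so this runs offline.
"""
import socket
import threading

# Constructed sample banner: the kind of reply a web server gives to a HEAD probe.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.41 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/7.4.3\r\n"
    b"Content-Length: 0\r\n\r\n"
)


def start_fake_service(response: bytes = SAMPLE_RESPONSE) -> int:
    """Bind a local listener that sends `response` to every client. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(5)

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.recv(1024)         # read (and ignore) the tester's probe
                conn.sendall(response)  # then answer and close, like a real server

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def grab_banner(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect, send a HEAD probe, and return whatever the service says about itself."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
        chunks = []
        while True:
            try:
                data = s.recv(4096)
            except socket.timeout:      # quiet service: keep what we have
                break
            if not data:                # server closed the connection
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1", errors="replace")


def parse_banner(banner: str) -> dict:
    """Pull out the fields a tester records: status line plus fingerprint headers."""
    lines = banner.split("\r\n")
    info = {"status": lines[0] if lines else ""}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        if name.strip().lower() in ("server", "x-powered-by", "x-aspnet-version"):
            info[name.strip().lower()] = value.strip()
    return info


if __name__ == "__main__":
    port = start_fake_service()
    print(parse_banner(grab_banner("127.0.0.1", port)))
```

Two caveats a tester keeps in mind: the Server header is self-reported and can be removed or faked, so a banner is a lead to confirm with service fingerprinting (nmap -sV does this with a probe database), and this is active reconnaissance, so each probe lands in the target's access logs and must stay within the agreed scope.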
The second part consists of testing the


application or the operating system for known vulnerabilities. You can get an automated scan where the system is tested against a vulnerability database, or you can go for a manual scan where security engineers examine the systems by hand. The latter is more suitable for uncovering new and hidden vulnerabilities, whereas the former is faster.

4.4 Phase IV: Vulnerability Analysis

You will discover various threat sources during a security scan. It is important to tie each of those threat sources to a vulnerability and then prioritize it depending on the risk it poses to the system. You need a well-defined and consistent process of analyzing the vulnerabilities in terms of severity and risk. It is the job of the VAPT provider to analyze the vulnerabilities and create a clear picture for you to understand and act upon.

While it is difficult to assign an exact number to a vulnerability, a lot of VAPT companies use a semi-quantitative method of rating the vulnerabilities. The Common Vulnerability Scoring System (CVSS) is a globally accepted method of producing a numerical score (0.0 to 10.0) based on the severity of a vulnerability. The CVSS score helps you rate a vulnerability as low, medium, or high in terms of severity (CVSS v3 also defines the None and Critical bands at the two ends of the scale). You can prioritize one vulnerability over others depending on these factors when it comes to remediation, the last of the penetration testing phases. Note that CVSS measures severity, not risk: an exploitable Medium on an internet-facing payment system may deserve attention before a High on an isolated test box.

The assessment of vulnerabilities is usually performed in line with various security and risk assessment standards such as the NIST Risk Management Guide for Information Technology Systems (SP 800-30), ISO 27001, HIPAA, and more.

4.5 Phase V: Exploitation and Post Exploitation

The previous phases prepare the stage for the exploitation phase. The goal here is establishing access to a system using the loopholes uncovered in the earlier phases of penetration testing. The pen-tester tries to identify an entry point and then looks for assets that can be accessed through it.

The pen-testers have to be very careful while conducting this phase to ensure that business functionality is not compromised or hindered. When the rules of engagement are respected, system crashes during penetration testing are rare.

The post-exploitation phase comes after the pen-tester has exploited a vulnerability and identified an entry point to the system; the next job is to determine the value of that entry point. The questions they ponder are:
● How much access does the entry point yield?
● How easy is it to maintain access?
● How much time may pass before the breach is spotted?
● What is the degree of harm that the vulnerability may cause?

The exploitation and post-exploitation phases help the tester gain access, locate sensitive data, identify communication channels, etc. They can also try to exploit the connections between different systems within the network and expand the breach. The extent to which a pen-tester may exploit a certain vulnerability is determined by the rules of engagement agreed upon in the pre-engagement stage.

4.6 Phase VI: Reporting and Recommendations

All the previous penetration testing phases contribute to this phase, where a VAPT report is created and shared with the client. In the reporting phase, the pen-testers provide detailed information about the vulnerabilities, such as:
● The description of the vulnerabilities.
● Ratings according to a common vulnerability scoring system.
● Severity and impact of each vulnerability.
● Risk assessment report.
● Video POCs.
● Recommendations for fixing the vulnerabilities.

The quality of a VAPT report determines how quickly and how efficiently you will reproduce and remove the vulnerabilities from your system.

4.7 Remediation and Rescan

The VAPT report consists of step-by-step recommendations for fixing the vulnerabilities. Your developers can follow those recommendations to close the gaps in


your application security. The VAPT company you are partnering with for the security testing should help you at every step of this process. An ideal remediation phase looks something like this:
● Vulnerabilities are reported with detailed remediation steps.
● There is video-based assistance from the security engineers.
● Developers get on a call to discuss the remediation steps when needed.
● Once the vulnerabilities are fixed, the VAPT company should offer rescans to identify any security loopholes that might have been left unattended.

5. OWASP TOP 10 WEB APPLICATION SECURITY RISKS

5.1 Broken Access Control

Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of data, or to performing a business function outside the user's limits.

5.2 Cryptographic Failures

Many web applications and APIs do not properly protect sensitive data with strong encryption. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data must be encrypted at rest and in transit, using a modern (and correctly configured) encryption algorithm.

5.3 Injection

Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. The standard defence is to keep data out of the command grammar: parameterized queries or prepared statements for SQL, and argument arrays rather than shell strings for OS commands.

5.4 Insecure Design

Pre-coding activities are critical for the design of secure software. The design phase of your development lifecycle should gather security requirements and model threats, and development time should be budgeted to allow for these requirements to be met. As software changes, your team should test assumptions and conditions for expected and failure flows, ensuring they are still accurate and desirable. Failure to do so will let slip critical information to attackers and fail to anticipate novel attack vectors.

5.5 Security Misconfiguration

Your software is only as secure as you configure it to be. Using ad hoc configuration standards can lead to default accounts being left in place, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched and upgraded in a timely fashion.

5.6 Vulnerable and Outdated Components

Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.

5.7 Identification and Authentication Failures

Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.

5.8 Software and Data Integrity Failures

Software and data integrity failures relate to code and infrastructure that does not protect against integrity violations. An example of this is where an application relies upon plugins, libraries, or modules from untrusted sources, repositories, and content delivery networks (CDNs). An insecure deployment pipeline can introduce the potential for unauthorized access, malicious code, or system compromise.

Lastly, many applications now include auto-


update functionality, where updates are downloaded without sufficient integrity verification and applied to the previously trusted application. Attackers could potentially upload their own updates to be distributed and run on all installations.

5.9 Security Logging and Monitoring Failures

Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper with, extract, or destroy data. Most breach studies show that the time to detect a breach is over 200 days, and that breaches are typically detected by external parties rather than by internal processes or monitoring.

5.10 Server-Side Request Forgery

Server-Side Request Forgery (SSRF) flaws occur whenever a web application fetches a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application into sending a crafted request to an unexpected destination, even when that destination is protected by a firewall, VPN, or another type of network access control list (ACL). Typical targets are loopback services, internal hosts, and cloud metadata endpoints. Defences include allow-listing destination schemes and hosts, resolving the host name and rejecting private, loopback and link-local address ranges, and not following redirects blindly.

6. DIFFERENT TYPES OF WEB APPLICATION PENETRATION TESTING TOOLS

6.1 Astra's Pentest

Astra Security has been driven by the urge to simplify web application security for users. Astra's Pentest has taken this philosophy home. This web application penetration testing tool comes with great advantages. For instance, you can integrate CI/CD tools with Astra's pentest suite, so whenever there is a code update, it launches an automated scan. Moreover, you can integrate it with, say, Jira or Slack, which means you can assign pentest and remediation-related tasks to your team members without them having access to the suite. Of course, the pentest suite itself allows you to connect with developers and security experts. It is like having an in-house security team, without having one.

6.2 NMAP

NMAP is short for Network Mapper. It is an open-source tool that helps you map a network by scanning ports, discovering operating systems, and creating an inventory of devices and the services running on them. It sends differently structured packets for different transport layer protocols, and the replies reveal IP addresses and other information. You can use this information for:
● Host discovery
● OS fingerprinting
● Service discovery
● Security auditing

You can use the tool for a large network with thousands of devices and ports.

6.3 WireShark

WireShark is another famous open-source tool that you can use for protocol analysis. It allows you to monitor network activity at a microscopic level. It is a growing platform with thousands of developers contributing from across the world. With WireShark you can perform:
● Live capture and offline analysis
● Inspection of hundreds of different protocols
● Browsing of captured data via a GUI
● Decryption of protocols (where the keys are available)
● Reading live data from Ethernet and a number of other media
● Export of output to XML, PostScript, CSV, or plain text

WireShark is the industry standard for protocol analysis in many different sectors. If you know what you are doing, it is a great tool to use.

6.4 Metasploit

Metasploit is a Ruby-based open-source framework, used by both ethical hackers and malicious actors to probe systematic vulnerabilities on networks and servers. The Metasploit framework also contains fuzzing, anti-forensic, and evasion tools. It is easy to install and can work on a wide range of platforms regardless of the languages they run on. The popularity and wide availability of Metasploit among professional hackers make it an important tool for penetration testers as well.

Metasploit currently includes nearly 1677 exploits along with almost 500 payloads, which include:
● Command shell payloads
● Dynamic payloads
● Meterpreter payloads
● Static payloads

The framework also includes listeners, encoders, post-exploitation code, and more.

6.5 Burp Suite

Burp Suite is a set of penetration testing tools by PortSwigger Web Security. It is used by ethical hackers, pen-testers, and security engineers. It is like a one-stop shop for bug bounty hunters and security researchers. Let us take a look at a few tools included in Burp Suite.
● Spider: It is a web crawler. You can use it to map the target application. It lets you create an inventory of all the endpoints, monitor their functionality, and look for vulnerabilities.
● Proxy: A proxy sits between the browser and the internet to monitor and modify the requests and responses in transit.
● Intruder: It runs a set of values through an input point and lets you analyze the output for success, failure, and content length.

Besides these, the suite includes Repeater, Sequencer, Decoder, Extender, and some other add-on tools.
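The Intruder workflow just described, applied to the injection flaw of section 5.3, as an added Python example that is not code from the paper or from PortSwigger. It builds a throwaway local login service backed by an in-memory SQLite table, with one deliberately vulnerable query (string concatenation) and one safe query (bound parameters), then runs a small payload list through the password field the way Intruder does and flags any response whose length differs from a failed-login baseline. All user names, passwords, payloads and the /login endpoint are constructed for the example.

```python
"""Injection (5.3) and Intruder-style payload testing (6.5).

Added example, not the paper's code. A local HTTP login backed by SQLite
stands in for the target so it runs offline. login_vulnerable is
intentionally broken; login_safe is the fix.
"""
import sqlite3
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import ProxyHandler, build_opener

# Constructed payload list: one benign value, two classic SQLi strings, one stacked query.
PAYLOADS = ["bob", "' OR '1'='1", "' OR 1=1 --", "'; DROP TABLE users; --"]


def make_db() -> sqlite3.Connection:
    """In-memory user table with constructed sample accounts."""
    db = sqlite3.connect(":memory:", check_same_thread=False)
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db


def login_vulnerable(db, user: str, password: str) -> list:
    # Untrusted input becomes part of the SQL grammar: the injection bug itself.
    sql = ("SELECT name FROM users WHERE name = '" + user +
           "' AND password = '" + password + "'")
    return [row[0] for row in db.execute(sql)]


def login_safe(db, user: str, password: str) -> list:
    # Parameters are bound as data, so quotes in the input cannot change the query.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (user, password))]


DB = make_db()
DB_LOCK = threading.Lock()


class LoginHandler(BaseHTTPRequestHandler):
    """GET /login?user=..&pass=..&mode=vuln|safe -> 'Welcome <names>' or 'Login failed'."""

    def do_GET(self):
        q = parse_qs(urlparse(self.path).query)
        user = q.get("user", [""])[0]
        password = q.get("pass", [""])[0]
        check = login_safe if q.get("mode", ["vuln"])[0] == "safe" else login_vulnerable
        try:
            with DB_LOCK:
                names = check(DB, user, password)
            body = ("Welcome " + ", ".join(names)) if names else "Login failed"
        except sqlite3.Error as exc:      # a verbose error is itself an injection oracle
            body = "SQL error: " + str(exc)
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):         # keep the example quiet
        pass


def start_server() -> int:
    """Serve LoginHandler on a free loopback port in a daemon thread; return the port."""
    srv = HTTPServer(("127.0.0.1", 0), LoginHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


def run_intruder(port: int, mode: str, payloads=PAYLOADS) -> dict:
    """Send each payload as the password, compare response length to a known-bad baseline."""
    opener = build_opener(ProxyHandler({}))   # ignore any proxy settings in the environment

    def fetch(password: str) -> str:
        qs = urlencode({"user": "alice", "pass": password, "mode": mode})
        with opener.open(f"http://127.0.0.1:{port}/login?{qs}", timeout=3) as resp:
            return resp.read().decode()

    baseline = fetch("definitely-wrong-password")
    results = {}
    for p in payloads:
        body = fetch(p)
        results[p] = {"length": len(body), "anomalous": len(body) != len(baseline), "body": body}
    return results


if __name__ == "__main__":
    port = start_server()
    for mode in ("vuln", "safe"):
        print(mode, {p: r["body"] for p, r in run_intruder(port, mode).items()})
```

Against the vulnerable endpoint the two OR payloads log in as every user, and the stacked query produces an SQL error message, so three of the four responses stand out by length; against the parameterized endpoint every payload is just a wrong password and nothing stands out. Content length is only the first signal: in practice the tester also diffs status codes, response times (for blind injection) and the response bodies themselves.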
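The SSRF defence sketched in section 5.10, as an added Python example that is not code from the paper. The validator takes a resolver function so it can run offline against a constructed host table; in production the same check would call socket.getaddrinfo. The host names, addresses and allow-list below are assumptions.

```python
"""SSRF (5.10): validate a user-supplied URL before the server fetches it.

Added example, not the paper's code. FAKE_DNS is a constructed stand-in
for real name resolution so the checks run offline.
"""
import ipaddress
from urllib.parse import urlparse

# Constructed DNS table. The "public" addresses are ordinary routable ones;
# the rest are the destinations an SSRF attacker actually wants.
FAKE_DNS = {
    "images.example.com": ["93.184.216.34"],
    "cdn.example.net": ["198.41.0.4"],
    "intranet.example.com": ["10.0.0.5"],                  # internal host, public name
    "metadata.local": ["169.254.169.254"],                  # cloud metadata service
    "rebind.example.org": ["93.184.216.35", "127.0.0.1"],   # mixed answer: one loopback
}

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"images.example.com", "cdn.example.net"}   # destination allow-list


def is_forbidden_address(addr: str) -> bool:
    """True for anything that is not a plain globally routable unicast address."""
    ip = ipaddress.ip_address(addr)
    return (not ip.is_global or ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def resolve_fake(host: str) -> list:
    """Offline resolver; swap in socket.getaddrinfo for real use."""
    return FAKE_DNS.get(host, [])


def check_outbound_url(url: str, resolver=resolve_fake, allow_hosts=ALLOWED_HOSTS) -> tuple:
    """Return (ok, reason). Every address the name resolves to must be public."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"            # file://, gopher://, ...
    if parts.username or parts.password:
        return False, "credentials in URL"            # http://good.com@evil.com
    host = parts.hostname
    if not host:
        return False, "no host"
    try:                                              # IP literals never pass:
        ipaddress.ip_address(host)                    # the allow-list is by name
        return False, "IP literal not allowed"
    except ValueError:
        pass
    if allow_hosts is not None and host.lower() not in allow_hosts:
        return False, "host not on allow-list"
    addrs = resolver(host)
    if not addrs:
        return False, "host did not resolve"
    if any(is_forbidden_address(a) for a in addrs):   # one bad answer fails the whole name
        return False, "resolves to internal address"
    return True, "ok"


if __name__ == "__main__":
    for u in ("https://images.example.com/a.png", "http://metadata.local/latest/",
              "http://169.254.169.254/", "file:///etc/passwd"):
        print(u, check_outbound_url(u))
```

The allow-list is the primary control and the address check is the backstop for names that the list admits. Two gaps remain even with both: the fetch that follows this check resolves the name again, so a DNS-rebinding host can answer differently the second time (pin the checked address by connecting to it directly and sending the Host header yourself), and an allowed host can redirect to an internal one, so redirects must be disabled or each hop re-validated.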


7. CONCLUSION

Computer security is a vast topic that is becoming more important because the world is becoming highly interconnected, with networks being used to carry out critical transactions. Cyber-crime continues to diverge down different paths with each new year that passes, and so does the security of information. The latest disruptive technologies, along with the new cyber tools and threats that come to light each day, challenge organizations not only in how they secure their infrastructure but also in the new platforms and intelligence they require to do so. There is no perfect solution for cyber-crime, but we should try our level best to minimize it in order to have a safe and secure future in cyberspace.

