Beginners’ Tips on Web Application Penetration Testing

Penetration testing, aka Pen Test, is the most commonly used security testing technique for web
applications.
Web Application Penetration Testing is done by simulating unauthorized attacks, internally or
externally, to gain access to sensitive data.
A web penetration test helps the end user find out whether a hacker could access their data from the
internet, learn how secure their email servers are, and see how secure the web hosting site and
server are.
Why Penetration Testing is required
When we talk about security, the most common word we hear is Vulnerability.
When I initially started working as a security tester, I used to get confused very often by this
word, Vulnerability, and I am sure many of you, my readers, are in the same boat.
For the benefit of all my readers, I will first clarify the difference between vulnerability scanning
and pen testing.
What is a Vulnerability? A vulnerability is the term used for a flaw in the system which can expose
the system to security threats.

Vulnerability Scanning or Pen Testing?

Vulnerability Scanning lets the user find out the known weaknesses in the application and defines
methods to fix them and improve the overall security of the application. It basically finds out whether
security patches are installed and whether the systems are properly configured to make attacks difficult.
Pen Tests mainly simulate real attacks against the live system and help the user find out whether the
system can be accessed by unauthorized users and, if so, what damage can be caused and to which data.
Hence, Vulnerability Scanning is a detective control method which suggests ways to improve the
security program and ensure known weaknesses do not resurface, whereas a pen test is a preventive
control method which gives an overall view of the system's existing security layer.
Both methods have their importance, but which one to use depends on what is really expected as
part of the testing.
As testers, it is imperative to be clear on the purpose of the testing before we jump in. If
you are clear on the objective, you can easily decide whether you need a vulnerability scan or a
pen test.
Importance and the need for Web App Pen Testing

• Pen tests help in identifying unknown vulnerabilities.
• Help in checking the effectiveness of the overall security policies.
• Help in testing the components exposed publicly, like firewalls, routers, and DNS.
• Let the user find out the most vulnerable route through which an attack can be made.
• Help in finding the loopholes which can lead to theft of sensitive data.

If you look at the current market demand, there has been a sharp increase in mobile usage,
which is becoming a major target for attacks. Accessing websites through mobiles is prone
to more frequent attacks and hence to compromise of data.
Penetration Testing thus becomes very important in ensuring we build a secure system which
users can use without any worries about hacking or data loss.

Types of Web Penetration Testing

Web applications can be penetration tested in 2 ways. Tests can be designed to simulate an
inside or an outside attack.

1 Internal Penetration Testing

As the name suggests, internal pen testing is done within the organization over the LAN,
hence it includes testing web applications hosted on the intranet.

This helps in finding out whether there are vulnerabilities which exist within the corporate
firewall.

We always believe attacks can happen only externally, and many times the internal pen test is
overlooked or not given much importance.

Basically, it includes Malicious Employee Attacks by disgruntled employees or contractors
who may have resigned but are aware of the internal security policies and passwords, Social
Engineering Attacks, Simulation of Phishing Attacks, and Attacks using User Privileges or
misuse of an unlocked terminal.

Testing is mainly done by accessing the environment without proper credentials and
identifying if an

2 External Penetration Testing

These are attacks done externally, from outside the organization, and include testing web
applications hosted on the internet.
Testers behave like hackers who are not much aware of the internal system.

To simulate such attacks, testers are given the IP of the target system and are not provided any
other information. They are required to search and scan public web pages, find out
information about target hosts, and then compromise the found hosts.

Basically, it includes testing servers, firewalls, and IDS.

Web Penetration Testing Methodology


The methodology is nothing but a set of security industry guidelines on how the testing should be
conducted. There are some well-established and well-known methodologies and standards which can be
used for testing, but since each web application demands different types of tests, testers can
create their own methodologies by referring to the standards available in the market.

Some of the Security Testing Methodologies and standards are:

• OWASP (Open Web Application Security Project)
• OSSTMM (Open Source Security Testing Methodology Manual)
• PTF (Penetration Testing Framework)
• ISSAF (Information Systems Security Assessment Framework)
• PCI DSS (Payment Card Industry Data Security Standard)

Test Scenarios

Listed below are some of the test scenarios which can be tested as part of Web Application
Penetration Testing (WAPT):

1. Cross Site Scripting
2. SQL Injection
3. Broken authentication and session management
4. File Upload flaws
5. Caching Servers Attacks
6. Security Misconfigurations
7. Cross Site Request Forgery
8. Password Cracking

Even though I have given this list, testers should not blindly create their test methodology
based only on the above conventional standards.
For example:
Consider that you are asked to penetration test an eCommerce website. Now give it a thought: can all
vulnerabilities of an eCommerce website be identified using the conventional OWASP categories like
XSS, SQL injection etc.?
The answer is no, because eCommerce works on a very different platform and technology when
compared to other websites. To make your pen testing of an eCommerce website effective,
you should design a methodology that also covers flaws in Order Management, Coupon and
Reward Management, Payment Gateway Integration and Content Management System
Integration.
So, before you decide on the methodology, be very sure what types of website are expected
to be tested and which method will help in finding the maximum number of vulnerabilities.
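
The kind of Order Management and Coupon Management flaw the paragraph above has in mind (and that the later section on manual testing says scanners miss) is easier to see in code. The following is an added example, not part of the original article: a constructed checkout calculator with a business-logic flaw next to a hardened version. The catalogue, coupon table and prices are made up for the demo.

```python
from dataclasses import dataclass, field

# Constructed catalogue and coupon table (hypothetical values); prices in integer cents.
CATALOG = {"book": 1500, "cable": 700}
COUPONS = {"SAVE10": 1000}  # flat discount, meant to be honoured once per order

@dataclass
class Order:
    items: dict                                  # sku -> quantity (client-supplied)
    coupons: list = field(default_factory=list)  # coupon codes (client-supplied)

def total_vulnerable(order: Order) -> int:
    """Flawed: trusts client quantities and applies every coupon code it is sent,
    so a negative quantity or a repeated code drives the total to zero or below.
    Nothing here matches an XSS or SQL injection signature, so a scanner stays silent."""
    subtotal = sum(CATALOG[sku] * qty for sku, qty in order.items.items())
    discount = sum(COUPONS.get(code, 0) for code in order.coupons)
    return subtotal - discount

def total_hardened(order: Order) -> int:
    """Fixed: quantities must be positive integers, each coupon counts once,
    and the discount can never exceed the subtotal."""
    subtotal = 0
    for sku, qty in order.items.items():
        if sku not in CATALOG:
            raise ValueError(f"unknown sku {sku!r}")
        if not isinstance(qty, int) or qty < 1:
            raise ValueError(f"invalid quantity for {sku!r}: {qty!r}")
        subtotal += CATALOG[sku] * qty
    discount = 0
    for code in set(order.coupons):  # de-duplicate repeated codes
        if code not in COUPONS:
            raise ValueError(f"unknown coupon {code!r}")
        discount += COUPONS[code]
    return max(subtotal - discount, 0)

def hardened_rejects(order: Order) -> bool:
    """True when the hardened checkout refuses the order outright."""
    try:
        total_hardened(order)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    abuse = Order({"book": 1, "cable": -3}, ["SAVE10", "SAVE10"])
    print("vulnerable total:", total_vulnerable(abuse))   # -2600
    print("hardened rejects it:", hardened_rejects(abuse))  # True
```

A manual test case for this flow is simply the pair of calls above with the expected result recorded in the report; no tool signature would have produced it.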

How to Approach Web Application Penetration Testing

The approach to Web Application Penetration Testing involves 3 phases, forming a cycle.

[Figure: WAPT Phases. The Planning Phase, the Attack/Execution Phase and the Post-Execution Phase. Caption: Phases of Web Application Penetration Testing]


1 Planning Phase (Before Testing)

Before testing starts, it is advisable to plan what types of testing will be performed, how the testing
will be performed, and whether QA needs any additional access to tools etc.

• Scope definition: This is the same as in functional testing, where we define the scope of
our testing before starting our test efforts.
• Availability of Documentation to Testers: Ensure testers have all the required
documents, such as those detailing the web architecture, integration points, web
services integration etc. The tester should be aware of the HTTP/HTTPS protocol basics
and know about the Web Application Architecture and ways of intercepting traffic.
• Determining the Success Criteria: Unlike functional test cases, where we can derive
expected results from user requirements/functional requirements, pen testing works on
a different model. The success criteria, or the test case passing criteria, need to be defined
and approved.
• Reviewing the test results from Previous Testing: If prior testing was ever done, it is
good to review those results to understand what vulnerabilities existed in the past and
what remediation was taken to resolve them. This always gives the testers a better picture.
• Understanding the environment: Testers should gain knowledge about the environment
before starting testing. This step should give them an understanding of
firewalls or other security controls which would need to be disabled to perform
the testing. The browser used for testing should be turned into an attack platform, usually
done by changing its proxy settings.

2 Attacks/Execution Phase (During Testing)

Web penetration testing can be done from any location, provided there are no
restrictions on ports and services by the internet provider.

• Ensure to run tests with different user roles: Testers should run tests with
users having different roles, since the system may behave differently for users
with different privileges.
• Awareness of how to handle Post-Exploitation: Testers must follow the Success Criteria
defined as part of Phase 1 to report any exploitation, and they should also follow the defined
process for reporting vulnerabilities found during testing. This step mainly involves the
tester finding out what needs to be done after they have found that the system has been
compromised.
• Generation of Test Reports: Any testing done without proper reporting doesn't help the
organization much, and the same is the case with penetration testing of web applications. To
ensure the test results are properly shared with all stakeholders, testers should create
proper reports with details of the vulnerabilities found, the methodology used for testing,
the severity, and the location of each problem found.
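
Running the same requests under every user role and comparing the outcome against the success criteria approved in the planning phase can be automated once the observations are collected. The following is an added example, not part of the original article: the access matrix, the endpoints, the roles and the status codes are all constructed for the demo, and the replay itself (sending each request once per role) is assumed to have already happened.

```python
# Success criteria approved in the planning phase: endpoint -> roles allowed to use it.
# Every endpoint, role and status code in this file is constructed for the demo.
EXPECTED = {
    "GET /api/orders/me":   {"customer", "support", "admin"},
    "GET /api/orders/all":  {"support", "admin"},
    "DELETE /api/users/42": {"admin"},
    "POST /api/coupons":    {"admin"},
}

# Replay results: the same request sent once per role, with the HTTP status returned.
OBSERVED = {
    "GET /api/orders/me":   {"anonymous": 401, "customer": 200, "support": 403, "admin": 200},
    "GET /api/orders/all":  {"anonymous": 401, "customer": 200, "support": 200, "admin": 200},
    "DELETE /api/users/42": {"anonymous": 401, "customer": 403, "support": 204, "admin": 204},
    "POST /api/coupons":    {"anonymous": 201, "customer": 403, "support": 403, "admin": 201},
}

def is_success(status: int) -> bool:
    return 200 <= status < 300

def find_access_gaps(expected, observed):
    """Return two lists of (endpoint, role, status): roles that succeeded although the
    approved matrix does not allow them (access-control findings to report), and roles
    that should work but were denied (functional regressions to raise separately)."""
    unexpected, broken = [], []
    for endpoint, results in observed.items():
        allowed = expected.get(endpoint, set())   # unknown endpoint: nobody is allowed
        for role, status in results.items():
            if is_success(status) and role not in allowed:
                unexpected.append((endpoint, role, status))
            elif not is_success(status) and role in allowed:
                broken.append((endpoint, role, status))
    return unexpected, broken

if __name__ == "__main__":
    gaps, regressions = find_access_gaps(EXPECTED, OBSERVED)
    for g in gaps:
        print("ACCESS CONTROL FINDING:", g)   # three findings in the constructed data
    for b in regressions:
        print("DENIED BUT EXPECTED:", b)     # one functional regression
```

Each tuple in the first list maps directly onto the report fields the paragraph asks for: the location (endpoint), the condition (role) and the evidence (status), with severity assigned by the tester.
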
3 Post Execution Phase (After Testing)

Once the testing is complete and the test reports are shared with all concerned teams, the following
should be worked upon by all:

• Suggest remediation: Pen testing shouldn't just end with identifying vulnerabilities. The
concerned team, including a QA member, should review the findings reported by the testers
and then discuss the remediation.
• Retest Vulnerabilities: After the remediation is agreed and implemented, testers should
retest to ensure that the fixed vulnerabilities do not reappear during retesting.
• Clean-up: As part of the pen test, testers make changes to proxy settings, so a clean-up
should be done and all changes reverted.

[Figure: Steps/Cycle of Web Application Penetration Testing. Planning Phase: 1 Defining a threat, 2 Design a test plan. Attacks Execution Phase: 3 Execute the test plan, 4 Write out corresponding reports. Post-Execution Phase: 5 Analyze corresponding reports.]


Top Penetration Testing tools

Now that you have read the full article, I believe you have a much better idea of what a web
application penetration test is and how we can perform one.
So, tell me, can we perform penetration testing manually, or does it always happen by automating
with a tool? No doubt, I think the majority of you are saying automation.
That's true, because automation brings speed, avoids manual human error, gives excellent coverage,
and has several other benefits, but as far as pen testing is concerned, it does require us to perform
some manual testing.
Manual testing helps in finding vulnerabilities related to business logic and in reducing false
positives.
Tools are prone to giving a lot of false positives, and hence manual intervention is required to
determine whether they are real vulnerabilities.
Tools are created to automate our testing efforts. Below is a list of some of the tools
which can be used for pen testing:
1. Free Pen Test tool
2. Veracode
3. Vega
4. Burp Suite
5. Netsparker
6. Arachni
7. Acunetix
8. ZAP

Some Penetration Testing Certifications

If you are interested in getting certified in web app penetration testing, you can opt for the
certifications below:

• OSWE (Offensive Security Web Expert)
• GWAPT (GIAC Web Application Penetration Tester)
• CWAPT (Certified Web App Penetration Tester)
• eWPT (eLearnSecurity Web Application Penetration Tester)

Conclusion

In this tutorial, we presented the steps in Web Application Penetration Testing.
With the given information, anyone with even the faintest idea of web app pen testing can begin,
and has also seen why pen testing is essential, especially for web applications.

Documentation
By
HACKERSPLOIT