Web application penetration test

Web application penetration testing uses a combination of automated and manual methods to exploit discovered vulnerabilities, security flaws and threats in web applications. In other words, the test simulates the activities of a malicious hacker by reproducing the methods and tools such an attacker would use. Security vulnerabilities can be discovered in front-end and back-end systems, databases, program code, authentication mechanisms and more. The test then prioritizes the discovered vulnerabilities by their severity and, finally, presents options for remediating them. In addition, the web application penetration test also examines all communication channels and APIs.
When a mobile application is also present, a mobile application penetration test might also be required.

Methodology

  • Introduction and Objectives
  • Information Gathering
  • Configuration and Deployment Management Testing
  • Identity Management Testing
  • Authentication Testing
  • Authorization Testing
  • Session Management Testing
  • Input Validation Testing
  • Error Handling
  • Cryptography
  • Business Logic Testing
  • Client Side Testing

White box vs Black box testing

  • Black Box Testing – The tester has no knowledge of the internal paths, structures or implementation of the tested software.
  • Gray Box Testing – The tester attempts to find security bugs with incomplete information about the inner code structure of the software product.
  • White Box Testing – The tester is provided with full knowledge of the application's structure and functionality. In other words, the purpose of white box testing is to test the application from the developer's point of view.

Reporting

The penetration testing report covers the activities performed during the penetration test. The report presents the discovered vulnerabilities in two parts:

Management part

It is intended for the management of the organization and contains:

  • A general description of the security of the systems.
  • The impact that the discovered vulnerabilities might have on the information security.
  • Required security measures to address the problems.

Technical part

It provides an overview for the technical department of the organization and contains:

  • Definition and classification of the risk levels used to rate the detected vulnerabilities.
  • Description of the information gathering phase used to identify the information systems in scope.
  • Results of scanning and exploitation of the detected vulnerabilities: description, impact, criticality, affected asset, proof of concept, vulnerability replication method and remediation steps.
