Ihor
Feoktistov

Guide to Web Application Penetration Testing


The best way to find flaws in your web application is by doing penetration testing, also known as Pen Test or Pen Testing. This is the most widely used security testing strategy for most web applications.

Penetration testing for web applications is carried out by initiating simulated attacks, both internally and externally, in order to get access to sensitive data.

A pen test allows the end user to determine any security weakness of the entire web application and across its components, including the source code, database, and back-end network. This helps the developer prioritize the pinpointed vulnerabilities and threats, and come up with strategies to mitigate them.

Why Is Penetration Testing Important? 

Almost everything that we do is done through the internet. From shopping to banking to everyday transactions, most of them can be done digitally. And there are several web applications that can be used to complete these online activities. 

The popularity of web applications has also introduced another vector of attack that malicious third parties can exploit for their personal gains. Since web applications usually store or send out sensitive data, it is crucial to keep these apps secure at all time, particularly those that are publicly exposed to the World Wide Web. 

In a nutshell, penetration testing is a preventive control measure that lets you analyze the overall status of the existing security layer of a system. 

These are the common goals of doing pen testing for web apps:

  • Identify unknown vulnerabilities
  • Check the effectiveness of the existing security policies
  • Test publicly exposed components, including firewalls, routers, and DNS
  • Determine the most vulnerable route for an attack
  • Look for loopholes that could lead to the data theft

When you look at the current internet usage, you’ll find out that there has been a sharp increase in mobile internet usage, which means a direct increase in the potential for mobile attacks. When users access websites or apps using mobile devices, they are more prone to attacks. Hence, pen testing plays a critical part in the software development lifecycle, helping build a secure system that users can use without having to worry about hacking or data theft. 


Types of Penetration Testing for Web Applications

Pen testing for web applications can be done in two ways: by simulating an inside or an outside attack. Let’s look at how these different types of attacks are designed and carried out:


Method 1: Internal Pen Testing

As the name implies, internal penetration testing is performed within the organization via the LAN, including testing web applications that are hosted on the intranet.

This facilitates the identification of any vulnerabilities that may exist within the corporate firewall. One of the greatest misconceptions is that attacks can only occur externally, so developers often overlook or do not give much importance to internal pentesting.

Some of the internal attacks that can happen include: 

  • Malicious Employee Attacks by aggrieved employees, contractors, or other parties who have resigned but still have access to the internal security policies and passwords
  • Social Engineering Attacks
  • Simulation of Phishing Attacks
  • Attacks using User Privileges 

The pentest is done by trying to access the environment without valid credentials and determining the possible route of attacks. 

Method 2: External Pen Testing

Unlike internal pentest, external pen testing focuses on attacks initiated from outside the organization to test web applications hosted on the internet.

Testers, also called ethical hackers, do not have information about the internal system and the security layers implemented by the organization. They are simply given the IP address of the target system to simulate external attacks. No other information is given and it is up to the testers to search public web pages to get more information about the target host, infiltrate it, and compromise it. External pen testing includes testing the organization’s firewalls, servers, and IDS. 

How is Penetration Testing for Web Apps Done? 

Pen testing for web apps focuses on the environment the app runs in and how it is set up, not only on the app itself. This involves gathering information about the target web app, mapping out the network that hosts it, and investigating the possible points of injection or tampering attacks. 

Here are the steps involved in penetration testing: 

Step 1: Active and Passive Reconnaissance

The first step in pen testing is the reconnaissance or information gathering phase. This step provides the tester with information that can be used to identify and exploit vulnerabilities in the web app. 

Passive reconnaissance means collecting information that is readily available on the internet, without directly engaging with the target system. This is mostly done using Google, beginning with subdomains, links, previous versions, etc.

Active reconnaissance, on the other hand, means directly probing the target system to get an output. Here are some examples of methodologies used for active reconnaissance:

  • Nmap Fingerprinting – You can use the Nmap network scanner to get information about the web app’s scripting language, OS of the server, server software and version, open ports, and services currently running. 
  • Shodan Network Scanner – This tool can help you get additional information that is publicly available about the web app, including geolocation, server software used, port numbers opened, and more. 
  • DNS Forward And Reverse Lookup – This method allows you to associate the recently discovered subdomains with their respective IP addresses. You can also use Burp Suite to automate this process. 
  • DNS Zone Transfer – You can do this by using the nslookup command to find out the DNS servers being used. Another option would be to use DNS server identification websites and then use the dig command to attempt the DNS zone transfer.
  • Identify Related External Sites – This part of the information gathering phase is important because of the traffic that flows between the external websites and the target website. Using the Burp Suite covers this step quite easily. 
  • Analyze HEAD and OPTIONS Requests – The responses generated from HEAD and OPTIONS HTTP requests show the web server software and its version, plus other valuable data. You can use Burp Suite’s "Intercept is on" feature when visiting the target website to capture these responses. 
  • Data From Error Pages – Error pages provide more information than you’d expect. By modifying the URL of your target website and forcing a 404 Not Found error, you’ll be able to know the server and the version the website is running on.
  • Checking the Source Code – Examining the source code helps you find useful information you can use to pinpoint some vulnerabilities. It helps you determine the environment the app is running on and other relevant information. 
  • Documenting All Data – After getting all this information, it is important to organize and document your findings, which you can use later on as a baseline for further study or for finding vulnerabilities to exploit. 
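The HEAD/OPTIONS and error-page items above come down to reading what a server says about itself in its response headers. The following script is an added example (not code from the original article) that parses raw HTTP responses and flags the disclosures a reviewer would look for: software and version information in headers such as Server and X-Powered-By, and risky methods listed in the Allow header of an OPTIONS response. It is written so a team can run it over captured responses from its own deployment before an assessment; the two responses embedded below are constructed samples, and the header and method lists are the author's assumptions about what is worth flagging.

```python
"""Flag software/version disclosures and risky methods in HTTP response headers.

Added example, not part of the original article. Input is the raw text of a
HEAD or OPTIONS response (as captured by an intercepting proxy); the two
samples at the bottom are constructed, not taken from any real host.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Headers that commonly reveal the server software or backend technology
# (assumed list; extend it for your own stack).
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
# Methods that normally should not be enabled on a production web server (assumed list).
RISKY_METHODS = {"TRACE", "TRACK", "PUT", "DELETE", "CONNECT"}
# Matches version strings such as 2.4.41 or 7.4.3.
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


@dataclass
class Finding:
    header: str
    value: str
    issue: str


def parse_response(raw: str) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP response into its status line and a header dict (names lower-cased)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def analyze(raw: str) -> list[Finding]:
    """Return the disclosures found in one response, in a stable order."""
    _, headers = parse_response(raw)
    findings: list[Finding] = []
    for name in DISCLOSING_HEADERS:
        if name in headers:
            value = headers[name]
            issue = "discloses software version" if VERSION_RE.search(value) \
                else "discloses software/technology"
            findings.append(Finding(name, value, issue))
    if "allow" in headers:
        # OPTIONS responses list the enabled methods; check them against the risky set.
        methods = {m.strip().upper() for m in headers["allow"].split(",")}
        for method in sorted(methods & RISKY_METHODS):
            findings.append(Finding("allow", method, "risky HTTP method enabled"))
    return findings


# Constructed sample responses (not captured from any real server).
SAMPLE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html\r\n\r\n"
)
SAMPLE_OPTIONS = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Allow: GET, HEAD, POST, OPTIONS, TRACE\r\n"
    "Content-Length: 0\r\n\r\n"
)


def sample_report() -> dict[str, list[Finding]]:
    """Analyze both constructed samples; used by the usage block below."""
    return {"head": analyze(SAMPLE_HEAD), "options": analyze(SAMPLE_OPTIONS)}


if __name__ == "__main__":
    for request, findings in sample_report().items():
        print(f"{request.upper()} response:")
        for f in findings:
            print(f"  {f.header}: {f.value!r} -> {f.issue}")
```

Each flagged line maps directly to a remediation: strip or genericize the Server and X-Powered-By headers in the server configuration, and disable any method the application does not need. The same parser can be pointed at a saved 404 response to check whether the error page template leaks the server version in its body or headers.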

Step 2: Attacks or Execution Phase

The next step is the actual exploitation step. In this phase, you implement the attacks based on the information you have gathered during the reconnaissance stage. 

There are several tools you can use for the attacks, and this is where the data gathering plays an important role. The information you collected will help you narrow down the tools that you need according to the research you have previously conducted. 

Let’s look at the top penetration tools used for web applications in the industry today: 

1. Nmap

Nmap or Network Mapper is more than a scanning and reconnaissance tool. It is used for both network discovery and security auditing purposes. Aside from providing basic information on the target website, it also includes a scripting module that can be used for vulnerability and backdoor detection, and execution of exploitations. 

2. Wireshark

Wireshark is one of the most popular network protocol analyzers right now, facilitating deep inspection of protocols, as well as live-traffic capture and offline analysis of a captured file. The data can be exported using XML, PostScript, CSV, or plain text format for documentation and further analysis. 

3. Metasploit

This pen testing tool is actually a framework, and not a specific application. You can use this to create custom tools for particular tasks. You can use Metasploit to:

  • Select and configure the exploit to be targeted
  • Select and configure the payload to be used
  • Select and configure the encoding schema 
  • Execute the exploit

4. Nessus

This vulnerability scanner helps testers identify vulnerabilities, configuration problems, and even the presence of malware on web applications. This tool, however, is not designed for executing exploitations, but offers great help when doing reconnaissance. 

5. Burp Suite

We’ve mentioned Burp Suite a couple of times earlier, and this is because this tool is an all-in-one platform for testing the security of web applications. It has several tools that can be used for every phase of the testing process, including Intercepting proxy, Application-aware spider, Advanced web application scanner, Intruder tool, Repeater tool, and Sequencer tool. 

Step 3: Reporting And Recommendations

After the data gathering and exploitation processes, the next step is writing the web application pen testing report. Create a concise structure for your report and make sure that all findings are supported by data. Stick to what methods worked and describe the process in detail. 

Aside from writing down the successful exploits, you need to categorize them according to their degree of criticality, to help the developers focus in dealing with the more serious exploits first. 
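One way to do that categorization is to give every finding a CVSS v3.x base score and bucket it with the standard CVSS qualitative bands (Critical 9.0–10.0, High 7.0–8.9, Medium 4.0–6.9, Low 0.1–3.9, None 0.0). The script below is an added example, not code from the original article: it orders a list of findings highest-risk first, groups them by band and renders the section of the report developers read first. The findings and their scores are constructed sample data; the field names and the Markdown layout are the author's choices.

```python
"""Order pen-test findings by criticality and render a report section.

Added example, not from the original article. Findings carry a CVSS v3.x base
score; the qualitative bands are the standard CVSS ones. Sample findings below
are constructed and their scores are illustrative, not official ratings.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    title: str
    score: float    # CVSS v3.x base score, 0.0 to 10.0
    evidence: str   # request/response or step that demonstrated the issue


# (band name, lowest score in the band); checked from highest to lowest.
SEVERITY_BANDS = (("Critical", 9.0), ("High", 7.0), ("Medium", 4.0), ("Low", 0.1))


def severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    for name, floor in SEVERITY_BANDS:
        if score >= floor:
            return name
    return "None"


def triage(findings: list[Finding]) -> list[Finding]:
    """Highest score first; ties broken alphabetically so the order is reproducible."""
    return sorted(findings, key=lambda f: (-f.score, f.title))


def group_by_severity(findings: list[Finding]) -> dict[str, list[Finding]]:
    """Bucket findings by band, each bucket already sorted by score."""
    groups: dict[str, list[Finding]] = {name: [] for name, _ in SEVERITY_BANDS}
    groups["None"] = []
    for f in triage(findings):
        groups[severity(f.score)].append(f)
    return groups


def render_report(findings: list[Finding]) -> str:
    """Render the findings section as Markdown, most critical band first."""
    lines = ["# Findings by severity", ""]
    for name, items in group_by_severity(findings).items():
        if not items:
            continue
        lines.append(f"## {name} ({len(items)})")
        for f in items:
            lines.append(f"- [{f.score:.1f}] {f.title}")
            lines.append(f"  Evidence: {f.evidence}")
        lines.append("")
    return "\n".join(lines)


# Constructed sample findings (illustrative scores, not official ratings).
SAMPLE_FINDINGS = [
    Finding("Reflected XSS in search parameter", 6.1, "request/response pair in appendix A"),
    Finding("SQL injection in login form", 9.8, "time-based proof in appendix B"),
    Finding("Server version disclosed in Server header", 5.3, "HEAD response in appendix C"),
    Finding("TRACE method enabled", 3.7, "OPTIONS response in appendix C"),
    Finding("Session cookie missing HttpOnly flag", 4.3, "Set-Cookie header in appendix D"),
]


if __name__ == "__main__":
    print(render_report(SAMPLE_FINDINGS))
```

Keeping the score on each finding, rather than only a label, lets the developers re-sort the list when the environment changes (for example, a Medium that becomes High once the app is exposed to the internet) without re-reading the whole report.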

Summing Up 

Web applications offer a lot of convenience and value to the end users, but this comes at a cost. Most systems are publicly exposed to the internet, and the data is readily available to those who are willing to do a bit of research. Because of the growing usage and evolving technologies, web applications are prone to vulnerabilities, in both design and configuration, that hackers might find and exploit. Because of this, web applications should be a priority when it comes to penetration testing, especially if they handle sensitive information.

Relevant is a 7-year-old software development vendor that has expertise in web applications and cloud cybersecurity. Contact us now to get a quote for penetration testing for your web app.
