Guide to Web Application Penetration Testing

Web application penetration testing, also known as a pen test, is a very important step, which helps to ensure the security of an app. As the name says, app penetration testing is simulating a hacker attack in order to espy various vulnerabilities and fix them. As a result, various ill-wishers could not abuse security imperfections. So, what is it and how is app pen testing is being done?

Penetration Testing

It is a part of the quality assurance process. To be more precise, it is a type of ​​simulated cyber-attacks, performed during the web application development process. To be precise, it is usually one of the final tests. Yet, this testing is also a regular operation in any project, which is included in security policies. Pen testing can be performed by regular testers with the use of special tools. However, there are some professionals, who are known as ethical hackers. They have only one general responsibility - to perform hacker attacks and help the developers of the attacked project cover all accessible application vulnerabilities.

Types of Pen Tests

Actually, when we talk about the possible approaches to penetration testing, we should realize that there are at least a few of them.

Blind Testing

The first and probably the most difficult is to perform this testing blindly, i.e. testers won’t have any access to the information or documentation, but only be provided with the IP address of the target. Also, no changes in the web application settings should be made. As a result, it is the closest to real situation simulation, when a possible intruder has no extra data, which can be used to hack the app. Nevertheless, this approach is also the riskiest, because no one can guarantee that testers will get any positive results.

Informated Testing

Thus, as an alternative, developers can create more comfortable circumstances for the penetration testers, providing them with related documentation, and showing them the tech stack, security protocols, or any other requested data. In fact, this access to technical information will definitely improve the chances of hackers penetrating the system because they will be able to find the vulnerabilities in used software. Probably, it is the most common testing approach: it increases the chances to spot security vulnerabilities and still is able to simulate the real hacker’s environment.

Oversimplified Testing

Also, to make it even easier, developers can disable some security protocols and passively observe the hacking process. Usually, this type of penetration testing is used to check some assumptions or unobstructed testing of specific aspects and parts of an app in order to examine their security limits. In other words, oversimplified testing is rather an additional solution for spot-checking, or any other unusual and very specific testing, than a full-fledged penetration testing approach. As a matter of fact, this oversimplified nature can be unpredictable and can’t show general hacking possibilities because it is too far from the real circumstances.

Nonetheless, the foregoing list is not final. Moreover, modern web application penetration testing is also divided into two completely different categories: internal vs external testing.

Internal Testing

Clearly, it is performed within the organization itself, via its internal network, with the use of stolen credentials, etc. To make it simple, the main idea of internal testing is to check what can hackers do if they will manage to obtain access to the application, pretending to be a member of the organization.

External Testing

On the contrary, external penetration testing means that hacked will not get any additional access and are forced to perform an external attack on the web resource. In this case, they can use countless methods like DDoS, fishing, viruses, etc. What is important to understand is that there is no more or less easy or important type. Both internal and external tests are aimed to check all possible options for abusing security imperfections.

Standard Penetration Testing Guide

Planning Stage

You need to be prepared for any process. Standard penetration testing is not an exception. Thus, the first step is to gather app possible information. This will give us an opportunity to plan further actions, and set more precise requirements and checklists.

There are at least two types of preparation and information gathering: active and passive.

In simple words, active data crawling is a precise targeting of the system, we are aiming to hack. We have to identify the basic network of the system and find its connections and related dependencies. It is possible to achieve this with the use of various software tools like network scanners.

On the other hand, it seems that passive intelligence has the same purpose - to get the info about the target application. Yet, contrary to the active gathering, the passive one is performed without using additional tools or software. In fact, it is a simple googling and looking for open-source information. First of all, it allows for avoiding unneeded attention to the hacker and is impossible to notice by the security team. In addition, it helps to figure out whether the vulnerable data can be reached online. As a result, during such tests, application developers can find and fix crucial security-related facts from the public.

Also, before penetration testing, it is important to set a contract or agreement between the owner of an app and the tester. This will help both sides to define the overall plan, used instruments and methods, optionally targeted cyber vulnerabilities, etc. The tester, on the other hand, will be protected from possible legal issues or complaints from the customer.

Penetration Testing Process

After considering and coordinating between the hacker and the customer, when both sides chose the testing approach, instruments, attack vectors, and methods of testing, testers are able to start the penetration itself. In fact, no matter what are the conditions, the testing process is performed similarly. The only difference lies in the used tools and some specific parts. However, internal penetration usually becomes routine. In this case, security specialists provide various pieces of training and tests, showing some preventive methods on how to avoid unneeded risks like opening unknown links sent via corporate mail, etc.

Honestly, there are countless possible ways to attack any application. From primitive fishing, or picking up credentials of employees to complex DDoS processes, injection attacks, or abuse of incorrect settings of the targeted system. This is why it is a regular and recommended practice to define the specifics of the attack at the very beginning.

Of course, you can start with unlimited penetration. Yet, will you be able to cope with any security weaknesses and report each of them? Most probably, in this case, one of the attack methods will overload the app. As a result, all the following methods won’t show any results. This is why, we encourage you to think globally, but act locally. In other words, we all understand, the main purpose of penetration testing is to secure your product. Still, it is better to perform such security improvements step-by-step, checking a single testing approach at a time.

Writing and Analyzing the Report

What is undoubtedly crucial in any case is to make detailed penetration test reports, where testers explain their penetration plan, its progress, the step they made, and the results they got. It helps to examine the vulnerabilities of the mobile application in detail, recreate it, and figure out how to secure possible security breaches. Also, reports allow us to compare actual exposures with various lists like the Top 10 OWASP vulnerabilities list. Thus, developers will better understand the nature of susceptibilities and how to fix them. Actually, knowing organizations like CVE, NVD, or OWASP, as well as their content, helps to prevent some security weaknesses already during the web application development.

Clearly, it is possible to find out whether the attack was successful or not without working with reports. Nevertheless, this info will probably give you no useful data. To sum up, a report is something, that we are performing pen testing for, so don’t underestimate its role and importance.

Useful Application Pen Testing Tools

As we mentioned before, the working process itself is very similar in each testing case, the main difference is the penetration testing services and tools. This is why we would like to provide you with a small list of tools for various purposes in order to better illustrate the disparity between them.

Pentest tools is a free open-source toolset. All tools are preset and ready to use right after registration on the platform. It purposes a wide range of instruments and can help to perform fast and very easy pen tests. It is hard to advise it as an everyday professional instrument, yet it can be a great one-time solution or be used as a simple trainer for the testing team.

Zed Attack Proxy, or simply OWASP ZAP is another example of a free tool, created specifically for penetration testing. Contrary to the previous toolset, ZAP is a product, designed and developed by the OWASP team, which is one of the most well-known organizations, related to virtual security. This toolset helps to maintain various testing processes, by automating them. Additionally, the service proposes a marketplace, where users can get extra add-ons. As a result, OWASP ZAP can be adjusted to almost any type of security testing, including penetration tests. It can be compared with a specified testing management system.

SonarQube is security software, that is able to provide its customers with various metrics, conclusions of the overall situation, and recommendations on how to deal with detected cyber threats.

Snyk can be used as a vulnerability scanner. Also, it can be used to abuse various security threats as well. However, it is a much better idea to use it for scanning and looking for dependencies.

Summary

Penetration testing is highly reliable on the additional software and can vary, depending on the chosen approach and its aims. Yet, the manual approach and understanding of various working principles are as essential. Primitive pen testing can be performed with the use of simple and free software and add-ons, that can perform everything automatically. Nonetheless, if your team is inexperienced, it won’t know how to deal with the occurred weaknesses.

Clearly, it is important to have at least one security professional on duty. In case you are budget-limited, you can hire an experienced spec and provide him with the requested tools, then maintain a big team of amateurs. Still, in any case, you will need to cooperate with ethical hacker freelancers from time to time. They can help to define unobvious cyber vulnerabilities and share their disengaged opinion. Also, it is recommended to analyze others' experiences from time to time. Finally, some outsourcing companies propose QA and testing services as a part of their contract. In other words, you may consider cooperating with more experienced specialists, who can help you with web application development and polishing of your product.