Monday, April 28, 2014

[infosecinstitute] Step by Step Guide to Application Security Penetration Testing

This document will guide you to penetrate web applications step by step. We have followed OWASP (Open Web Application Security Project) and OSSTM (Open Source Security Testing Methodologies) to construct this article.

The objective of this article is to help the Security Analyst/Penetration Testers/Developers/Ethical Hackers to follow a step by step penetration testing process, discover the vulnerability, and exploit and mitigate the same.

Web Application Penetration Testing

The penetration test emulates what a malicious attacker with bad intentions would harm while they are penetrating the application. This is a test of people, systems and processes that are in place to detect, prevent, and respond to these kinds of attacks.
A Web Application Penetration Test includes the vulnerabilities that are discovered using the information gathering process, with the exploitation (if applicable), and the level of access and success the penetration tester was able to achieve.
Below are the for steps penetration testing process:
  • Discover vulnerable systems using automated and manual vulnerability discovery.
  • Conduct real world attack simulation.
  • Mitigate threats and secure the platform.

Web Application Vulnerability Assessment

The Web Application Vulnerability Assessment does not include the exploitation phase. It contains the list of vulnerabilities, including the severity and the impact of the vulnerability on the application, along with the recommendations to resolve the same.

Web Application Audit

A Web Application Audit is a more in-depth view at the environment and processes, such as the backend server, database, secure code review, session management, authorization, and DMZ configuration.
It contains all the aspects of web application penetration testing and vulnerability assessment, including the below four phases.
  • Source Audit
  • Data Audit
  • Architecture Audit
  • Performance Audit
Please refer the above diagram for the classification of the four phases.

Steps to start with the Test

To start with the Web Application Audit, we need to follow the below steps:
  • Scoping of the Application
  • Checking for static and dynamic pages
  • Documenting number of logins and role of the users
  • Information Gathering
  • Threat Profiling
  • Make a list of all possible threats.
  • Comprehensive tests according to the created threat profile
  • Report
  • Report Creation
  • Internal Verification
  • Report Submission
The testing will be conducted in two phases.
  • Automated Test
  • Using Commercial tools available on the internet. i.e. Acunetix WVS, Netsparker.
  • Manual Test
  • Using manual testing tools like Burp Suite, OWASP ZAP Proxy
  • Burp Suite – Intruder, repeater, sequencer, spider used in the manual test.

Approach to the Web Application Penetration Test

  • Passive Approach
  • Understand the logic of the application
  • Information Gathering
  • Understand all the access points of the application
  • Active Approach
  • Configuration Management Testing.
  • SSL/TLS Testing
  • Testing for file extensions
  • Old, backup and unreferenced files
  • Testing for HTTP methods
  • Business Logic Testing
  • Testing for the business logic of the application
  • Testing for XSS
  • Testing for SQLi
  • Authentication Testing
  • Credentials transport over an encrypted channel- Check for SSL(https)
  • Testing for Guessable User Account
  • Brute Force Testing
  • Testing for bypassing authentication schema
  • Testing for vulnerable remember password and password reset
  • Testing for Logout and Browser Cache Management
  • Testing for CAPTCHA
  • Testing Multiple Factors Authentication
  • Authorization Testing
  • Authorization Testing
  • Testing for bypassing authorization schema
  • Testing for Privilege Escalation
  • Session Management Testing
  • Testing for Session Management Schema
  • Testing for Cookies attributes- http only, secure and time validity
  • Testing for Session Fixation
  • Testing for CSRF
The Scoping of the Application
Once the penetration tester has the URL/IP address of the application, he will start working on the scoping of the application. It generally includes the following things.
  • Gathering client requirements
  • Preparing a test plan
  • Profiling test boundaries
  • Defining Business objectives
  • Nature and behavior of the application
  • Describe each factor that builds a practical roadmap towards test execution
  • Test constraints
  • Types of testing
  • White Box
  • Provided with the complete knowledge of application/server and database along with the business logic of the application
  • Gray Box
  • Provided with the partial knowledge of the application/server
  • Privilege escalation may come under this
  • Black Box
  • Zero Knowledge Approach
  • An only thing that is provided to penetration tester is IP address/URL of the application
  • Need extra ordinary skills to exploit
  • Project management and scheduling
  • Limitations
  • Need of additional information
Check for the static and dynamic pages
Want to learn more?? The InfoSec Institute Web Application Penetration Testing Boot Campfocuses on preparing you for the real world of Web App Pen Testing through extensive lab exercises, thought provoking lectures led by an expert instructor. We review of the entire body of knowledge as it pertains to web application pen testing through a high-energy seminar approach.

The Web Application Penetration Testing course from InfoSec Institute is a totally hands-on learning experience. From the first day to the last day, you will learn the ins and outs of Web App Pen Testing by attending thought provoking lectures led by an expert instructor. Every lecture is directly followed up by a comprehensive lab exercise (we also set up and provide lab workstations so you don't waste valuable class time installing tools and apps). Benefits to you are:

  • Get CWAPT Certified
  • Learn the Secrets of Web App Pen Testing in a totally hands-on classroom environment
  • Learn how to exploit and defend real-world web apps: not just silly sample code
  • Complete the 83 Step "Web App Pen Test Methodology", and bring a copy back to work with you
  • Learn how perform OWASP Top 10 Assessments: for PCI DSS compliance
  • Static page- Page created with HTML that remains the same all the time.
  • Dynamic page- It is a functional page that is generally connected with the database. For example, a login page.
Documenting number of logins and role of the users
Once the penetration tester has an idea about the scoping, static and dynamic pages, he will move on to analyze the number of logins and the types of users that can login to the particular application. If he is already provided with the list of usernames and passwords, it is a case of white box testing. If not, it will come under black box testing.
Information Gathering
In this phase, a penetration tester collects as much information as he can about the target.
Below is the check list for information gathering.
  • Spider, Robots and Crawlers
  • Search Engine Discovery
  • Testing Web Application Fingerprint
  • Application Discovery
  • Analysis of Error Codes
Real time example-
Let us assume I am working on a penetration testing project. My boss came to me and handed me a piece of paper saying that I have spoken to the CIO of the client and we have to start the penetration testing for the company Nous Infosystems. The legal department will be sending you all the documents and confirmation of the authorization. It’s a company you’ve never heard of before.
What now?
The information gathering starts from right here.
Threat Profiling
To ensure the comprehensive testing, it is a very good idea to start with a Threat Profile. A threat is simply the goal of your target. A Threat Profile is a comprehensive list of the threats that are relevant to that application.
These are expressed in terms of security threats.
List out all the possible threats that may harm the web application according to the business logic of the application.
A module-based threat profile should be created for the comprehensive penetration test.
For example:
  • Threat profile for public module
  • Threat profile for login module
  • Threat profile for password change module
  • Threat profile for logout module
  • Threat profile for business rule escalation module
Tests according to the threat profile
The threat profile is the key weapon of any attacker. Following the threat profile step by step can lead to discovery of very high and critical vulnerabilities.
Exploitation is the process of gaining control over a system.
End Goal: administrative-level access to the target.
During the penetration testing process, if a pen tester discovers a critical vulnerability that has an exploit or that can be exploited using our own scripts/code, he can use the Metasploit Framework to exploit the target or to develop his own exploit.
  • Scanning of the target.
  • Vulnerabilities found in the scanning phase.
Steps involved:
  • Check for the service/version running on the particular port.
  • Search the vulnerability in the service/version.
  • Exploit the target using tools like Metasploit..
Covering tracks and maintaining access:
Once exploitation has been done successfully, there are two ways to maintain the access.
  • Using Backdoors
  • Using Rootkits
  • For Example: Netcat, NetBus
Covering the Tracks
  • Destroying the evidence of presence and activities.
  • Log files contain the information of every activity that has been done on a computer, so it is very important to remove this log file. There are different ways to remove log files on Windows, Linux and MAC
    A penetration testing report should contain
    • An executive summary.
    • Detailed description of the vulnerabilities.
    • Raw output.
    Below is the elaborated process of writing a penetration testing process.
    • Executive Summary
    • Scope
    • Overall Assessment
    • Key Vulnerabilities Discovered
    • Graphical representation of OWASP top 10
    • Key Findings and Action Items
    • Observations
    • Recommended Action Plan
    • Interpretation of Ratings
    • Threat Profile
    • Tools used (Optional)
    • Result of test cases
    • Guidelines for Developers


A successful web application penetration test can be executed by following OWASP and OSSTM. Both are open source security testing methodologies. By reading this article you should have a great idea about how a web application penetrating test actually works. This article does not include the entire process of the WAPT, rather than it can be used as a reference document. For the most common and top vulnerabilities, refer to:
  • OWSAP TOP 10
  • SANS TOP 25
  • OSSTM (Open Source Security Testing Methodology)


1 comment:

  1. Great post. It was a good read and lots to know about fastest growing sectors. Having the Information Security Services in your enterprise or organization to identify and classify the security issues in IT systems. IARM is a single platform which can handle all your Cyber Security services and Conducting information security audits as well as vulnerability assessments that helps your businesses to analyze the status of the organization's security.
    Top Cyber Security Company In India
    Penetration Testing Company In Chennai
    Soc Services In India
    Cyber Attack Recovery Services In India
    Vapt Service Provider India