4 Major Steps Of Web Application Penetration Testing

In the early days of the internet, security was little but an afterthought. Then as hackers started to exploit businesses' lax security postures, things gradually started to change. At first, nonprofits like the Electronic Frontier Foundation started pushing web users to embrace HTTPS Everywhere. In response, certification authorities began offering free SSL certificate variations to any site admin that wanted one. As a result, at least 79.6% of all active websites now use SSL.

That was only the beginning. In the ensuing years, developers and web application administrators gradually started to harden their apps against all manner of attacks. They rolled out more complex password requirements. They started to add two-factor authentication as a default measure. They even started putting public-facing services behind high-performance web application firewalls.

But despite all of the progress, vulnerabilities remain, and that means web app developers and admins have to understand how to penetration test their systems to see if any known exploits can penetrate their multi-layered defenses. To do that, they must understand the stages of the penetration testing process to avoid leaving any security stone unturned. Here are the four major steps involved in penetration testing for web applications.

Step 1: Observation and Reconnaissance

The first important step in the web application penetration testing process involves taking the same tack that an attacker would: learning all you can about the target. The first thing to do would be to harvest information about the targeted web app from public sites like Google. Using search modifiers, it's possible to gather a complete list of the subdomains and pages associated with the app. That provides a pretty decent map of the potential attack surface a hacker has to work with.

The next thing to do is to use a network scanner like Nmap to gather data specific to the web application itself. The idea is to figure out how much information about the software and server is visible to the outside world. Then, a complete scan using security testing software like Burp Suite should reveal everything from the server's software version to its application environment.

Step 2: Vulnerability Research and Attack

The next major step in the web application penetration testing process is to use the collected data to start narrowing down the list of vulnerabilities to try and exploit. In other words, if you've found that an attacker can tell that you're using a particular Apache and PHP version, for example, you should start looking for known vulnerabilities within those to try and exploit.

Fortunately, several great open-source penetration testing tools can automate some of the work. You can choose from among them depending on the type of vulnerabilities you're checking for. Popular options include:

• W3af
• Metasploit
• SQLMap
• Hydra

The idea is to try and find every potentially exploitable vulnerability, and to catalog what you find. If possible, it's a good idea to simulate attacks using the vulnerabilities to see how far a malicious actor could get by exploiting them.

Step 3: Catalog and Report

The next step in the process is to create a report that details everything found in the previous two steps. The idea is to create a central knowledge repository that the whole dev team can use as a roadmap to fixing the problems. This is where the data you've collected during your attack simulations will come in handy.

The report should categorize the vulnerabilities according to their severity. There are a variety of publicly-available sample penetration testing reports that you can use to develop a format that fits your needs. That way, it'll be easier to prioritize the work of closing all of the security holes. If you're dealing with an already-running application, this is an absolutely critical step. Remember, the vulnerabilities you've found may already be on a hacker's radar, so the faster you patch the serious vulnerabilities, the better.

Step 4: Patch and Repeat

The last step is to go through the penetration test report and start addressing the vulnerabilities it identified. In the case of an already-live app, it's best to begin by applying as many stop-gap measures as possible right away. These may include altering site access rules in your web application firewall or taking especially vulnerable portions of your app offline.

Then, proceed with deciding on the best possible fixes for the vulnerabilities in the report. Beginning with the most severe, simply check off each issue as it's fixed while taking careful note of what the fixes are and what other parts of the app they could impact. This will help you to know where to focus on your next round of testing, which you'll have to begin after completing the remediation work.

Creating a Hard Target

By repeating the process above until there are no vulnerabilities found, web app developers and admins can be reasonably assured that they're not a sitting duck that's waiting for an attack. Of course, this only addresses known vulnerabilities, so the process won't make an attack impossible — just improbable. In a cybersecurity landscape that changes from moment to moment, that's often the best anyone can hope for. Remember, it wasn't long ago that SSL and complex passwords were the end-all-be-all of web application security, so ongoing vigilance is always going to be the price of real security.