A web application pentest is an attempt to break into application systems (such as APIs or back-end servers) to identify vulnerabilities, in particular unsecured inputs that are susceptible to code injection attacks.
What is penetration testing (pentest)?
Penetration testing is a simulated cyber attack on a computer system, carried out to find vulnerabilities that a real attacker could exploit. In the context of web application security, a pentest is commonly used to harden a web application firewall (WAF).
The information obtained from the penetration test can be used to fine-tune WAF security policies and fix discovered vulnerabilities.
Penetration Testing Stages
The testing process can be divided into five stages.
1. Planning and reconnaissance
Determining the scope, goals and methods of testing.
Collecting information (network and domain names, mail servers) to better understand how the target works and where it may be vulnerable.
2. Scanning
In this step, the tester determines how the target application reacts to various intrusion attempts. This is usually done with:
Static analysis (SAST): examining the application's source code, without running it, to predict how it will behave at runtime. These tools can scan all of the code in a single pass.
Dynamic analysis (DAST): inspecting the application while it is running. This is a more practical way to scan, because it shows how the application actually behaves in real time.
3. Gaining access
This stage uses web application attacks such as cross-site scripting (XSS), SQL injection and backdoors to uncover the target's vulnerabilities. The pentester then attempts to exploit the vulnerabilities found, typically through privilege escalation, data theft or traffic interception, to understand how much damage they can cause to the target.
4. Maintaining access
The purpose of this step is to determine whether a vulnerability can be used to establish a persistent presence in the exploited system, long enough for an attacker to gain full access. The idea is to mimic advanced persistent threats (APTs), which often remain in a system for months in order to steal an organization's most sensitive data.
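To make the SQL injection case from the "gaining access" stage concrete, here is an added example (not from the original article) that runs against an in-memory SQLite table constructed for the demo. The vulnerable login splices user input into the statement text, so a crafted username is parsed as SQL; the hardened version binds the same input as a parameter, so it can only ever be compared as data.

```python
"""Added example: an injectable login beside its parameterized fix.
The users table and its single row are constructed for this demo."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database with one user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Input is spliced into the statement text: the classic injectable pattern.
    query = ("SELECT COUNT(*) FROM users WHERE name = '" + name +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_hardened(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Parameter binding: the database receives the SQL and the values separately,
    # so quotes inside the values never change the statement's structure.
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone()[0] > 0


# The textbook tautology string, used only to show that the two versions differ.
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, wrong password:", login_vulnerable(db, "alice", PAYLOAD))
    print("hardened,   wrong password:", login_hardened(db, "alice", PAYLOAD))
    print("hardened,   right password:", login_hardened(db, "alice", "correct-horse"))
```

In the vulnerable version the final statement becomes `... AND password = '' OR '1'='1'`, and the always-true clause lets the login succeed without the password; the hardened version returns false for the same input and true only for the real password. The same fix, using the driver's placeholders instead of string building, applies to every SQL database API.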
5. Analysis
The results of the penetration test are then combined into a report detailing:
Vulnerabilities that have been exploited;
Confidential data accessed;
The time during which the pentester could remain in the system unnoticed.
This information is analyzed by security personnel to help configure enterprise WAF settings and other application security solutions to fix vulnerabilities and protect against future attacks.
Penetration testing methods
External testing
External penetration tests target company assets that are available on the Internet, such as the web application itself, the company website, and mail and DNS servers. The goal is to access and extract valuable data.
Internal testing
During an internal test, a tester with access to an application behind the firewall simulates an attack launched from inside the network. A typical starting scenario is an employee whose credentials were stolen in a phishing attack.
Blind testing
In a blind test, the tester is given only the name of the target company. This lets security personnel watch in real time how an actual attack on the application would unfold.
Double blind testing
In a double-blind test, the security staff have no prior knowledge of the simulated attack. As in the real world, they have no time to shore up their defenses before the break-in attempt.
Targeted testing
In this scenario, both the tester and the security staff work together and keep each other informed of their actions. This is a valuable learning exercise that gives the security team real-time feedback from a hacker's perspective.
Penetration Testing and Web Application Firewalls
Penetration testing and WAFs are separate but mutually beneficial security measures.
For many kinds of manual testing (blind and double-blind tests excepted), the tester is likely to use WAF logs to locate and exploit an application's weak spots.
In turn, web application administrators review the results of the penetration test and update the WAF configuration accordingly to address the vulnerabilities found.
Manual testing also satisfies some of the requirements of security auditing procedures such as PCI DSS and SOC 2. Certain requirements of PCI DSS 6.6 can only be met by using a certified WAF, but that does not make penetration testing any less useful, given its benefits and its ability to improve WAF configurations.
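The loop described above, in which WAF logs feed both the tester's work and the administrator's follow-up, is illustrated by the following added example (not from the original article). The log format is a constructed key=value layout rather than any vendor's, and the lines are made up for the demo; the summary groups blocked requests by endpoint and rule, with a count of distinct sources, so an administrator can see which application paths were probed and where application fixes and WAF policy tuning should start.

```python
"""Added example: triaging WAF block events by endpoint after a test.
SAMPLE_LOG and its key=value format are constructed for this demo."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

SAMPLE_LOG = """\
2024-05-01T10:00:01Z action=block src=203.0.113.5 path=/login rule=sqli
2024-05-01T10:00:02Z action=block src=203.0.113.5 path=/login rule=sqli
2024-05-01T10:00:04Z action=allow src=198.51.100.9 path=/ rule=-
2024-05-01T10:00:07Z action=block src=203.0.113.5 path=/search rule=xss
2024-05-01T10:00:09Z action=block src=203.0.113.7 path=/login rule=sqli
2024-05-01T10:00:11Z action=allow src=203.0.113.5 path=/login rule=-
this line is malformed and should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) "
    r"path=(?P<path>\S+) rule=(?P<rule>\S+)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize_blocks(log: str) -> List[Tuple[str, str, int, int]]:
    """Aggregate blocked requests as (path, rule, hits, distinct_sources),
    most-hit first, skipping malformed lines and allowed requests."""
    hits: Dict[Tuple[str, str], int] = defaultdict(int)
    sources: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for raw in log.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["action"] != "block":
            continue
        key = (rec["path"], rec["rule"])
        hits[key] += 1
        sources[key].add(rec["src"])
    rows = [(p, r, hits[(p, r)], len(sources[(p, r)])) for (p, r) in hits]
    rows.sort(key=lambda row: (-row[2], row[0]))  # most blocks first, then by path
    return rows


if __name__ == "__main__":
    for path, rule, n, srcs in summarize_blocks(SAMPLE_LOG):
        print(f"{path:10} {rule:6} blocked={n} sources={srcs}")
```

On the sample data `/login` tops the list with three SQL-injection blocks from two sources, which is the endpoint whose input handling deserves the first code review; the single XSS block on `/search` comes next. The malformed line is skipped rather than crashing the run, which matters when real logs are partially truncated.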