This document will guide you to penetrate web applications step by step. We have followed OWASP (Open Web Application Security Project) and OSSTM (Open Source Security Testing Methodologies) to construct this article.
The objective of this article is to help the Security Analyst/Penetration Testers/Developers/Ethical Hackers to follow a step by step penetration testing process, discover the vulnerability, and exploit and mitigate the same.
Web Application Penetration Testing
The penetration test emulates what a malicious attacker with bad intentions would harm while they are penetrating the application. This is a test of people, systems and processes that are in place to detect, prevent, and respond to these kinds of attacks.
A Web Application Penetration Test includes the vulnerabilities that are discovered using the information gathering process, with the exploitation (if applicable), and the level of access and success the penetration tester was able to achieve.
Below are the for steps penetration testing process:
Discover vulnerable systems using automated and manual vulnerability discovery.
Conduct real world attack simulation.
Mitigate threats and secure the platform.
Web Application Vulnerability Assessment
The Web Application Vulnerability Assessment does not include the exploitation phase. It contains the list of vulnerabilities, including the severity and the impact of the vulnerability on the application, along with the recommendations to resolve the same.
Web Application Audit
A Web Application Audit is a more in-depth view at the environment and processes, such as the backend server, database, secure code review, session management, authorization, and DMZ configuration.
It contains all the aspects of web application penetration testing and vulnerability assessment, including the below four phases.
Please refer the above diagram for the classification of the four phases.
Steps to start with the Test
To start with the Web Application Audit, we need to follow the below steps:
Scoping of the Application
Checking for static and dynamic pages
Documenting number of logins and role of the users
Make a list of all possible threats.
Comprehensive tests according to the created threat profile
The testing will be conducted in two phases.
Using Commercial tools available on the internet. i.e. Acunetix WVS, Netsparker.
Using manual testing tools like Burp Suite, OWASP ZAP Proxy
Burp Suite – Intruder, repeater, sequencer, spider used in the manual test.
Approach to the Web Application Penetration Test
Understand the logic of the application
Understand all the access points of the application
Configuration Management Testing.
Testing for file extensions
Old, backup and unreferenced files
Testing for HTTP methods
Business Logic Testing
Testing for the business logic of the application
Testing for XSS
Testing for SQLi
Credentials transport over an encrypted channel- Check for SSL(https)
Testing for Guessable User Account
Brute Force Testing
Testing for bypassing authentication schema
Testing for vulnerable remember password and password reset
Testing for Logout and Browser Cache Management
Testing for CAPTCHA
Testing Multiple Factors Authentication
Testing for bypassing authorization schema
Testing for Privilege Escalation
Session Management Testing
Testing for Session Management Schema
Testing for Cookies attributes- http only, secure and time validity
Testing for Session Fixation
Testing for CSRF
The Scoping of the Application
Once the penetration tester has the URL/IP address of the application, he will start working on the scoping of the application. It generally includes the following things.
Gathering client requirements
Preparing a test plan
Profiling test boundaries
Defining Business objectives
Nature and behavior of the application
Describe each factor that builds a practical roadmap towards test execution
Types of testing
Provided with the complete knowledge of application/server and database along with the business logic of the application
Provided with the partial knowledge of the application/server
Privilege escalation may come under this
Zero Knowledge Approach
An only thing that is provided to penetration tester is IP address/URL of the application
Need extra ordinary skills to exploit
Project management and scheduling
Need of additional information
Check for the static and dynamic pages
Static page- Page created with HTML that remains the same all the time.
Dynamic page- It is a functional page that is generally connected with the database. For example, a login page.
Documenting number of logins and role of the users
Once the penetration tester has an idea about the scoping, static and dynamic pages, he will move on to analyze the number of logins and the types of users that can login to the particular application. If he is already provided with the list of usernames and passwords, it is a case of white box testing. If not, it will come under black box testing.
In this phase, a penetration tester collects as much information as he can about the target.
Below is the check list for information gathering.
Spider, Robots and Crawlers
Search Engine Discovery
Testing Web Application Fingerprint
Analysis of Error Codes
Real time example-
Let us assume I am working on a penetration testing project. My boss came to me and handed me a piece of paper saying that I have spoken to the CIO of the client and we have to start the penetration testing for the company Nous Infosystems. The legal department will be sending you all the documents and confirmation of the authorization. It’s a company you’ve never heard of before.
The information gathering starts from right here.
To ensure the comprehensive testing, it is a very good idea to start with a Threat Profile. A threat is simply the goal of your target. A Threat Profile is a comprehensive list of the threats that are relevant to that application.
These are expressed in terms of security threats.
List out all the possible threats that may harm the web application according to the business logic of the application.
A module-based threat profile should be created for the comprehensive penetration test.
Threat profile for public module
Threat profile for login module
Threat profile for password change module
Threat profile for logout module
Threat profile for business rule escalation module
Tests according to the threat profile
The threat profile is the key weapon of any attacker. Following the threat profile step by step can lead to discovery of very high and critical vulnerabilities.
Exploitation is the process of gaining control over a system.
End Goal: administrative-level access to the target.
During the penetration testing process, if a pen tester discovers a critical vulnerability that has an exploit or that can be exploited using our own scripts/code, he can use the Metasploit Framework to exploit the target or to develop his own exploit.
Scanning of the target.
Vulnerabilities found in the scanning phase.
Check for the service/version running on the particular port.
Search the vulnerability in the service/version.
Exploit the target using tools like Metasploit..
Covering tracks and maintaining access:
Once exploitation has been done successfully, there are two ways to maintain the access.
For Example: Netcat, NetBus
Covering the Tracks
Destroying the evidence of presence and activities.
Log files contain the information of every activity that has been done on a computer, so it is very important to remove this log file. There are different ways to remove log files on Windows, Linux and MAC
A penetration testing report should contain
Below is the elaborated process of writing a penetration testing process.
Key Vulnerabilities Discovered
Graphical representation of OWASP top 10
Key Findings and Action Items
Recommended Action Plan
Interpretation of Ratings
Tools used (Optional)
Result of test cases
Guidelines for Developers
An executive summary.
Detailed description of the vulnerabilities.
A successful web application penetration test can be executed by following OWASP and OSSTM. Both are open source security testing methodologies. By reading this article you should have a great idea about how a web application penetrating test actually works. This article does not include the entire process of the WAPT, rather than it can be used as a reference document. For the most common and top vulnerabilities, refer to:
OWSAP TOP 10
SANS TOP 25
OSSTM (Open Source Security Testing Methodology)
By Abhishek Dashora|April 24th, 2014