The primary objective of a web application penetration test is to identify exploitable vulnerabilities in web-based applications before hackers discover and exploit them. Web application penetration testing reveals the real-world opportunities a hacker would have to compromise an application in a way that allows unauthorised access to sensitive data, or even to take over systems for malicious or non-business purposes.
This type of assessment, carried out by our ethical hackers, helps to:
- Identify application security flaws present in the environment
- Understand the level of risk for your organisation
- Address and fix identified application flaws
As a result of our web application penetration testing, you’ll be able to view your applications through the eyes of a hacker, to discover where you can improve your security posture. Our security consultants produce findings in written reports and provide your team with the guidance necessary to effectively remediate any issues we uncover.
InfoSec Governance’s web application penetration testing service utilises a comprehensive, risk-based approach to manually identify critical application-centric vulnerabilities that exist on all in-scope applications.
1. Information Gathering
2. Threat Modelling
3. Vulnerability Analysis
Using this industry-standard approach, InfoSec Governance’s comprehensive method covers the classes of vulnerabilities in the Open Web Application Security Project (OWASP) Top 10 2017 including, but not limited to: Injection, Cross-Site Scripting, Cross-Site Request Forgery, Unvalidated Redirects & Forwards, Broken Authentication & Session Management, Security Misconfiguration, Insecure Direct Object Access and more…
Manual Testing vs Automated Testing
InfoSec Governance’s approach consists of about 80% manual testing and about 20% automated testing – actual proportions may vary slightly. While automated testing improves efficiency, it does so only during the initial phases of a penetration test. At InfoSec Governance, it is our belief that an effective and comprehensive penetration test can only be realised through rigorous manual testing techniques.
In order to perform a comprehensive real-world assessment, InfoSec Governance uses commercial and open source tools on each and every assessment – the same tools that hackers use. Once again, our intent is to assess systems by simulating a real-world attack, and we leverage the many tools at our disposal to carry out that task effectively.
We consider the reporting phase to mark the beginning of our relationship. InfoSec Governance strives to provide the best possible customer experience and service.
Remediation & Re-testing
Simply put, our objective is to help fix vulnerabilities, not just find them. As a result, remediation re-testing is always provided at no additional cost.
Every web application penetration test is conducted consistently using industry standard frameworks, to ensure a sound and comprehensive penetration test. At a minimum, the underlying framework is based on the Open Web Application Security Project (OWASP), but goes beyond the initial framework itself.
The first phase of a web application penetration test is focused on collecting as much information as possible about the target application. Reconnaissance, one of the most critical steps of a web-based application test, is done through the use of public tools such as search engines, by sending simple HTTP requests, or by sending specially crafted requests. As a result, it can be possible to force the application to leak information, e.g., by disclosing error messages or revealing the versions and technologies in use.
Understanding the configuration of the infrastructure behind the web application is nearly as critical as the application security testing itself. After all, an application is only as strong as its weakest link. Application platforms vary widely, but some key platform configuration errors (insecure HTTP methods, old/backup files) can compromise the application in the same way an insecure application can compromise the server.
Authentication is the process of attempting to verify the digital identity of the sender of a communication. The most common example is the log-on process. Testing the authentication schema means understanding how the process works and using that information to circumvent the mechanism.
Session Management is defined as the set of all controls governing the stateful interaction between a user and the web application he/she is interacting with. In general, this covers anything from how user authentication is carried out, to what happens when they log out.
Authorisation Testing involves understanding how the authorisation process works and using that information to circumvent the authorisation mechanism. Authorisation is a process that comes after a successful authentication, so the pen tester will verify this point after he/she holds valid credentials, associated with a well-defined set of roles and privileges. As a result, it should be verified if it is possible to bypass the authorisation schema, find a path traversal vulnerability, or find ways to escalate the privileges.
Data Input Validation
The most common web application security weakness is the failure to properly validate input coming from the client or from the environment before using it. This weakness leads to almost all of the major vulnerabilities in web applications, such as cross-site scripting, SQL injection, interpreter injection, locale/Unicode attacks, file system attacks, and buffer overflows.
Web / API Services
Web services have certain elements of exposure just like any other protocol or service. What’s different is that they can be carried over HTTP, FTP, SMTP or MQ, among other transport protocols. As a result, vulnerabilities in web services are similar to other vulnerabilities, such as SQL injection, information disclosure and leakage, but web services also have unique XML/parser-related vulnerabilities.
Here at InfoSec Governance, we consider the delivery and reporting phase of the test to be the most important piece, and we take great care to ensure we’ve communicated the value of our service and findings thoroughly. The deliverable consists of a report that includes several key components including, but not limited to: Executive Summary, Scope, Findings, Evidence, Tools and Methodology.
Findings are communicated via email, however they can be presented in-person or virtually via Skype or Google Hangouts – whichever medium is most conducive for communicating results effectively. During this time, InfoSec Governance consultants will walk through the report, in detail, to ensure all findings and their corresponding description, risk rating, impact, likelihood, evidence and remediation steps are thoroughly understood.
While this typically involves a single meeting, there is no limitation to that number. The key underlying message is that all information is clearly understood and that a roadmap toward remediation / mitigation is crystal clear.
Some of the key components of our physical penetration test deliverable include, but are not limited to:
- Control Framework (i.e. OWASP, PCI, PTES, OSSTMM)
- Executive Summary Narrative
- Technical Summary Narrative
- Report Summary Graphs
- Summary of Findings
- Findings (Description, Business Impact, Recommendation, Evidence, References, CVSS, Risk Rating Calculation)
- Methodology and Approach
- Risk Rating Factors