Every web application penetration test is conducted consistently using industry-standard frameworks, to ensure a sound and comprehensive penetration test. At a minimum, the underlying framework is based on the Open Web Application Security Project (OWASP) testing guide, but the test goes beyond the initial framework itself.
The first phase in a web application penetration test is focused on collecting as much information as possible about the target application. Reconnaissance, one of the most critical steps of a web-based application test, is done through the use of public tools such as search engines, by sending simple HTTP requests, or by sending specially crafted requests. As a result, it can be possible to make the application leak information, e.g., by disclosing error messages or revealing the versions and technologies used.
Being able to understand the configuration of the infrastructure for the web application is nearly as critical as the application security testing itself. After all, an application is only as strong as its weakest link. Application platforms are wide and varied, but some key platform configuration errors can compromise the application in the same way an unsecured application can compromise the server (insecure HTTP methods, old/backup files).
Authentication is the process of attempting to verify the digital identity of the sender of a communication. The most common example is the log-on process. Testing the authentication schema means understanding how the process works and using that information to attempt to circumvent the mechanism.
Session Management is defined as the set of all controls governing the stateful interaction between a user and the web application he/she is interacting with. In general, this covers anything from how user authentication is carried out, to what happens when they log out.
Authorisation Testing involves understanding how the authorisation process works and using that information to circumvent the authorisation mechanism. Authorisation is a process that comes after a successful authentication, so the pen tester will verify this point after he/she holds valid credentials, associated with a well-defined set of roles and privileges. As a result, it should be verified if it is possible to bypass the authorisation schema, find a path traversal vulnerability, or find ways to escalate the privileges.
Data Input Validation
The most common web application security weakness is the failure to properly validate input coming from the client or from the environment before using it. This weakness leads to almost all of the major vulnerabilities in web applications, such as cross-site scripting, SQL injection, interpreter injection, locale/Unicode attacks, file system attacks, and buffer overflows.
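As an added illustration of the input-validation weakness described above (example code written for this page, not part of the original methodology), the snippet below places a query that concatenates client input next to its hardened form, which applies allow-list validation and a parameterised query. The in-memory SQLite table and the usernames are constructed sample data.

```python
import re
import sqlite3

# Constructed sample data: an in-memory users table standing in for a real backend.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn

def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable form: client input is concatenated straight into the SQL text,
    so a quote character in the input changes the structure of the query."""
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()

# Allow-list for the username field: lowercase letters, digits, underscore, 1-32 chars.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")

def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: validate the input against the allow-list first, then pass
    it to the database as a bound parameter rather than as part of the SQL text."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username rejected by input validation")
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(lookup_safe(db, "alice"))
```

A test for the hardened path should cover both the rejection of malformed input and the correct result for a well-formed username, so that validation cannot be silently loosened later.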
Web / API Services
Web services have certain elements of exposure just like any other protocol or service. What's different is that they can be carried over HTTP, FTP, SMTP or MQ, among other transport protocols. As a result, vulnerabilities in web services are similar to other web vulnerabilities, such as SQL injection and information disclosure or leakage, but web services also have unique XML/parser-related vulnerabilities.