Web Application Penetration Testing is About Protecting Sensitive Data

Web Application Penetration Testing ultimately aims to determine whether malicious attackers could compromise the security of your system. It is about protecting sensitive data. Unlike Infrastructure Penetration Testing, where the scope is typically broad, you usually select one or very few applications to test.
The goal is to remove vulnerabilities, so that key applications are better protected and the operation of your company's key business processes is more robust.
Generic Process with a Web Application Twist
At Seculyze, we use the generic Penetration Testing Process as depicted in the overall pentesting offering. Two main phases are further split into sub-phases to describe the special nature of Web Application Penetration Testing.
- Phase 2: Discover is divided into the subphases 2a: Map and 2b: Discover
- Phase 3: Attack is divided into the subphases 3a: Access and 3b: Exploit

Figure: Web Application Process. Four generic phases based on NIST 800-115, two of which are divided into sub-phases in the Web Application Penetration Testing process.

Plan
It is determined which parts of the application are to be tested. Some applications expose a high number of API endpoints, of which only a small number might be critical. The test is scoped, and success criteria are established.

Map endpoints and routes
We map your endpoints and routes using automated as well as manual approaches. The purpose is to understand the API endpoints, find their vulnerabilities and identify dependencies between the different parts of the web application.

Discover security risks
The application's configuration errors and flaws are assessed to find the most probable application attack vectors. This is based on the top 10 security risks documented by OWASP; however, other pertinent vectors might be found during the assessment.

Access endpoints
We challenge the security of your code by testing its functions. This includes testing the different functions of the API or web application, which involves analysis of authentication and session data.

Penetrate Web Application
Each vulnerability is exploited to show whether it makes it possible to obtain privileged access, protected data or control of the server.

Report
The report contains a list of the vulnerabilities found during the penetration test, ordered by the criticality of each vulnerability.
OWASP and Web Application Penetration Testing
A key framework that Seculyze uses in web penetration testing is the OWASP Top 10. Seculyze always uses the top 10 most common risks as the basis for web application penetration testing and, together with you, defines any additional risks that should be tested for.
The OWASP Top 10 risks for 2021 are listed below. Seculyze uses them in several phases of Web Application Penetration Testing. You can find the current list of the top 10 most common risks on OWASP's webpage.
- Broken Access Control
- Cryptographic Failures
- Injection
- Insecure Design
- Security Misconfiguration
- Vulnerable and Outdated Components
- Identification and Authentication
- Software and Data Integrity Failures
- Security Logging and Monitoring Failures
- Server-Side Request Forgery
Want to know more about Infrastructure Penetration Testing?
