Web Application Penetration Testing: Steps, Methods, & Tools
PurpleSec is a veteran owned & led cyber security company specializing in penetration testing and vulnerability management.

There are many different methods for performing a penetration test, which evaluates the security posture of a company, but in this article, we are going to focus on web applications.

Web application penetration testing comprises four main steps: information gathering, research and exploitation, reporting and recommendations, and remediation with ongoing support. These tests are performed primarily to keep software development secure throughout its lifecycle. Coding mistakes, specific requirements, or a lack of knowledge of cyber attack vectors are the main reasons for performing this type of penetration test.

In this article, you’ll learn the steps for performing security testing on a web application, along with popular tools used during a web application penetration test, illustrated with real-life examples.

Article Navigation

  1. What Is Web Application Penetration Testing?
  2. Why Web Application Pen Tests Are Performed
  3. Web Pen Test Steps And Methods

  • Step 1: Information Gathering
  • Step 2: Research And Exploitation
  • Step 3: Reporting And Recommendations
  • Step 4: Remediation And Ongoing Support


What Is Web Application Penetration Testing?

Web application penetration testing involves a methodical series of steps aimed at gathering information about the target system, finding vulnerabilities or faults in it, and researching exploits that will succeed against those faults or vulnerabilities and compromise the web application.


The Open Web Application Security Project (OWASP) is a community that focuses its efforts solely on discovering and reporting on web application security vulnerabilities.

Their reputable list of the top 10 security flaws is updated every year to reflect global trends in web application security. OWASP also publishes articles and widely used security tools.

Why Web Application Pen Tests Are Performed

Due to the enormous expansion of web applications, more and more internet resources are being spent on developing the software as well as configuring the applications to work properly on this new landscape.

This newfound frontier has, however, opened up another attack vector that malicious hackers can use for personal gain.

Considering that some web applications hold sensitive data, it is important to keep them secure at all times, especially since a lot of them are publicly exposed to the internet.

Performing web app penetration testing as part of your Software Development Life Cycle (SDLC) process is the best and most cost-effective strategy for fighting off web application vulnerabilities.

Software Development Lifecycle (SDLC)

The software development lifecycle (SDLC) is a general set of guidelines aimed at increasing the success of software that is being developed for future use.

SDLC defines a set of steps to take in order to come up with a better product that is more convenient for the end-user and also takes into account the most cost-effective way of doing so.

Software testing is a big part of the SDLC process and involves several key parameters or events.

Through various stages of the development process, from brainstorming to coding, an opportunity is provided to engineers and project managers to come up with the most effective way of satisfying their client needs by producing the best application with the least amount of mistakes behind it.

Programming Mistakes

Defects are the usual omissions that programmers make. Faults differ from defects in that their presence could allow a malicious attacker to exploit the application and create a dangerous condition or scenario in which personal information is compromised or unauthorized users are granted access to systems.

Requirements

Technical debt, which is time developers spend going back to developed code to fix errors or implement updates, may accrue especially when security is an afterthought. This happens when code is expedited before it is thoroughly tested and rushed into production.

Therefore, testing for defects is usually less expensive in the early stages of the SDLC process compared to defect testing late in the SDLC process.

Patching the software will occur during the SDLC process if faults or vulnerabilities are found to be present in the web application configuration.

What Steps And Methodologies Are Used To Perform A Web App Pen Test?

To emphasize the difference between an application and a web application, penetration testing the web application mainly focuses on the environment and the setup of the web app.

In other words, testing the web application focuses on gathering public information about the web app and then continuing to map out the network involved in hosting the web app. Investigating for possible injection tampering attacks and the actual learning and handling of the application comes later.

Step 1: Information Gathering

Information gathering, or the reconnaissance phase, is the most important step in any penetration testing process as it provides you with a wealth of information to identify vulnerabilities easily and exploit them later.

Think of this phase as a foundation to a pyramid you are trying to build.

There are two types of reconnaissance depending on the type of interaction you want to achieve with the target system:

  1. Active Reconnaissance
  2. Passive Reconnaissance

Passive Reconnaissance

Gathering information that is already available on the internet and doing so without directly interacting with the target system is called passive reconnaissance.

Most research in this phase is done online using various websites, beginning with Google. The first step often involves using Google search operators to enumerate website subdomains, links and much more.

For example, if subdomains of a certain website are of interest, you can use the following syntax to narrow down the Google search results: “site:*.domain.com”.


You can use the Wayback Machine to view how a certain website looked a while back. This service lets you study the target web application without directly coming into contact with it.


You can probe the old version of the website and note down any characteristics that might help you later in the research and exploitation phase.

Active Reconnaissance

In contrast to passive reconnaissance, active reconnaissance directly probes the target system and retrieves an output.

Examples of active reconnaissance include fingerprinting the web application, using the Shodan network scanner, performing DNS forward and reverse lookups, attempting a DNS zone transfer, and more.

Fingerprinting The Web Application Using Nmap

Fingerprinting a web application involves gathering information about the web app such as the scripting language used, server software and version, along with the OS of the server. Much of this can be done using the Nmap network scanner.

Run Nmap against the target IP or IP range and note down all open ports and services that are running, along with the above-mentioned information regarding the OS version.

Shodan Network Scanner

Using the Shodan network scanner, you can identify additional information regarding the hosted web app if publicly available to the internet.


Shodan provides vast information regarding any publicly available IP that it scans. This information ranges from geolocation and open port numbers to the server software used, plus a few other useful details.

DNS Forward And Reverse Lookup

In order to associate the newly discovered subdomains with their respective IP addresses, you can use a forward DNS lookup, ping, or more advanced tools such as Burp Suite.

DNS Zone Transfer

To perform a DNS zone transfer, use the “nslookup” command to identify the DNS servers. Websites made specifically for DNS server identification are another option. After identifying all the DNS servers, use the “dig” command and attempt the DNS zone transfer.

Identifying Related External Sites

This is an important step in the information gathering stage, as there is usually traffic flowing between external sites and the target site. It is most easily done with Burp Suite, which we will cover in more detail later.

Inspect HEAD and OPTIONS HTTP requests

Responses to HEAD and OPTIONS requests will most definitely reveal the web server software and version. Sometimes the responses contain even more valuable data.

You can easily intercept this information by visiting the target website while having Burp Suite’s “intercept on” feature turned on.

Gather information about the web app through error pages

Error pages can provide a lot of useful feedback regarding the version and type of server the website runs on. Based on this information you can start visualizing the environment of the web application.

Simply modify the URL of the desired website and try to cause a 404 Not Found error. In the case below, a website forum’s not-found page reveals the server and its version (nginx/1.12.2).

[Screenshot: forum 404 page showing the server banner nginx/1.12.2]

Examining the source code

Source code can also provide a lot of useful information that you can later use to find a vulnerability.

By examining the webpage code carefully, you will be able to determine the application environment and the overall workings of the application.

In the screenshot below, we can see that the website is running on Apache server, version 2.2.14.

[Screenshot: page source showing Apache/2.2.14]
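The three checks just described (HEAD/OPTIONS headers, forced error pages, and page source) all come down to spotting product/version strings in an HTTP response. The following added example, written for this article and not taken from it, turns that into a reusable detector a team can run against its own applications before a test: it flags version disclosures in response headers and HTML bodies, and a small probe function issues the HEAD and OPTIONS requests. The sample headers and 404 pages are constructed to mirror the nginx/1.12.2 and Apache/2.2.14 cases above; the host `example.com` is a placeholder.

```python
import re
from http.client import HTTPConnection, HTTPSConnection

# Response headers that commonly carry product and version strings.
VERSION_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version",
                   "X-AspNetMvc-Version", "X-Generator")

# "product/version" tokens as they appear in headers, default error pages and HTML comments.
_PRODUCT_RE = re.compile(
    r"\b(nginx|openresty|Apache|Apache Tomcat|Microsoft-IIS|LiteSpeed|lighttpd|Jetty|PHP|OpenSSL)"
    r"/(\d[\w.\-]*)",
    re.IGNORECASE,
)

# Constructed samples (not captured from a real site) mirroring the article's two screenshots.
SAMPLE_NGINX_HEADERS = {"Server": "nginx/1.12.2", "X-Powered-By": "PHP/5.6.40",
                        "Content-Type": "text/html"}
SAMPLE_NGINX_404 = ("<html><head><title>404 Not Found</title></head><body>"
                    "<center><h1>404 Not Found</h1></center><hr><center>nginx/1.12.2</center>"
                    "</body></html>")
SAMPLE_APACHE_HEADERS = {"Server": "Apache/2.2.14 (Ubuntu)"}
SAMPLE_APACHE_404 = ("<html><body><h1>Not Found</h1><p>The requested URL was not found.</p>"
                     "<hr><address>Apache/2.2.14 (Ubuntu) Server at example.com Port 80</address>"
                     "</body></html>")


def find_version_disclosures(headers, body=""):
    """Return sorted (where, product, version) triples found in response headers and body.

    headers: mapping of header name -> value (e.g. from a HEAD or OPTIONS response)
    body:    decoded HTML, e.g. a forced 404 page or the page source
    """
    wanted = {h.lower() for h in VERSION_HEADERS}
    found = set()
    for name, value in headers.items():
        if name.lower() not in wanted:
            continue
        if name.lower() == "x-aspnet-version":
            # This header carries only a version number; the product is implied.
            found.add(("header:" + name, "ASP.NET", value.strip()))
            continue
        for product, version in _PRODUCT_RE.findall(value):
            found.add(("header:" + name, product, version))
    for product, version in _PRODUCT_RE.findall(body):
        found.add(("body", product, version))
    return sorted(found)


def probe(host, path="/", use_tls=True, timeout=5.0):
    """Issue HEAD and OPTIONS requests (the checks described above) and collect disclosures.
    Also records the Allow header, since OPTIONS advertises the methods the server accepts."""
    conn_cls = HTTPSConnection if use_tls else HTTPConnection
    results = {}
    for method in ("HEAD", "OPTIONS"):
        conn = conn_cls(host, timeout=timeout)
        conn.request(method, path)
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        results[method] = {
            "status": resp.status,
            "allow": resp.getheader("Allow"),
            "disclosures": find_version_disclosures(dict(resp.getheaders()), body),
        }
        conn.close()
    return results


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    for where, product, version in find_version_disclosures(SAMPLE_NGINX_HEADERS, SAMPLE_NGINX_404):
        print(where, product, version)
```

When the detector reports findings on your own systems, the usual remediations are `server_tokens off;` for nginx, `ServerTokens Prod` together with `ServerSignature Off` for Apache (the latter removes the version line from default error pages), and `expose_php = Off` to drop the PHP `X-Powered-By` header.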

Documenting during the Reconnaissance Phase

It is vital to document everything in an organized manner during your information gathering phase.

This will give you a baseline from which you will continue to further study the target and hopefully find vulnerabilities in the system to later exploit.
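To make the Nmap fingerprinting step above feed directly into this documentation baseline, here is an added example (not from the original article) that parses Nmap's XML output (`-oX`) into one record per host, keeping only open ports with their service, product and version, plus the OS guess, and renders the result as a Markdown table for the findings file. The XML snippet is constructed to look like `nmap -sV -O -oX` output and uses the RFC 5737 documentation address 192.0.2.10 and the placeholder host `www.example.com`.

```python
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's -oX format (not real scan output).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 192.0.2.10">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="www.example.com" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx" version="1.12.2"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="http" product="nginx" version="1.12.2" tunnel="ssl"/></port>
      <port protocol="tcp" portid="3306"><state state="filtered"/><service name="mysql"/></port>
    </ports>
    <os><osmatch name="Linux 3.10 - 4.11" accuracy="96"/></os>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Turn Nmap XML into one record per host: address, hostnames, OS guess and open services."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        record = {
            "address": addr.get("addr") if addr is not None else None,
            "hostnames": [h.get("name") for h in host.findall("hostnames/hostname")],
            "os": None,
            "open_ports": [],
        }
        osmatch = host.find("os/osmatch")
        if osmatch is not None:
            record["os"] = "%s (%s%%)" % (osmatch.get("name"), osmatch.get("accuracy"))
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports are noise in the baseline
            svc = port.find("service")
            record["open_ports"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                "tls": (svc.get("tunnel") == "ssl") if svc is not None else False,
            })
        hosts.append(record)
    return hosts


def to_markdown(hosts):
    """Render the host records as a Markdown table, one row per open port."""
    lines = ["| Host | Port | Service | Product | Version |", "|---|---|---|---|---|"]
    for h in hosts:
        label = h["address"] or "?"
        if h["hostnames"]:
            label += " (" + ", ".join(h["hostnames"]) + ")"
        for p in h["open_ports"]:
            lines.append("| %s | %d/%s | %s | %s | %s |" % (
                label, p["port"], p["proto"], p["service"] or "",
                p["product"] or "", p["version"] or ""))
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_markdown(parse_nmap_xml(SAMPLE_NMAP_XML)))
```

Keeping the parsed records (rather than raw scanner output) is what lets the later phases diff a re-scan against this baseline and spot services that appeared or changed version.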

Next, we will introduce some of the most popular tools used for application penetration testing and demonstrate techniques for security scanning, SQL injection, password brute forcing and other important penetration testing techniques you can use.


Read the full article here.

We help enterprises with 360 cybersecurity services.

Follow PurpleSec for more vulnerability management and penetration testing content.
