A pen(penetration) test allows us to determine any security weakness of the entire web application and across its components, including the source code, database, and back-end. This helps the developer in prioritizing the pinpointed web app vulnerabilities and threats, and come up with strategies to mitigate them.
WHY CARE?
Almost everything that we do is done through the internet. From shopping to banking to everyday transactions, most of them can be done digitally. And there are several web applications that can be used to complete these online activities.
The popularity of web applications has also introduced another vector of attack that malicious third parties can exploit for their personal gains. Since web applications usually store or send out sensitive data, it is crucial to keep these apps secure at all time, particularly those that are publicly exposed to the World Wide Web.
In a nutshell, web penetration testing is a preventive control measure that lets you analyze the overall status of the existing security layer of a system.
These are the common goals of doing pen testing for web apps:
-Identify unknown vulnerabilities
-Check the effectiveness of the existing security policies
-Test publicly exposed components, including firewalls, -routers, and DNS
-Determine the most vulnerable route for an attack
-Look for loopholes that could lead to the data theft
Types of Penetration Testing for Web Applications
Method 1: Internal Pen Testing
As the name implies, the internal penetration testing is performed within the organization via LAN, including testing web applications that are hosted on the intranet.
This facilitates the identification of any vulnerabilities that may exist within the corporate firewall. One of the greatest misconceptions is that attacks can only occur externally so developers often overlook or do not give much importance to internal Pentesting.
Some of the internal attacks that can happen include:
-Malicious Employee Attacks by aggrieved employees, contractors, or other parties who have resigned but still have access to the internal security policies and passwords
-Social Engineering Attacks
-Simulation of Phishing Attacks
-Attacks using User Privileges
Method 2: External Pen Testing
External pen testing focuses on attacks initiated from outside the organization to test web applications hosted on the internet.
Testers, also called ethical hackers, do not have information about the internal system and the security layers implemented by the organization. They are simply given the IP address of the target system to simulate external attacks. No other information is given and it is up to the testers to search public web pages to get more information about the target host, infiltrate it, and compromise it. External pen testing includes testing the organization’s firewalls, servers, and IDS etc.
HOW TF IS IT DONE?!
Pen testing for web apps focuses on the environment and the setup process, instead of the app itself to do this. This involves gathering information about the target web app, mapping out the network that hosts it, and investigating the possible points of injection or tampering attacks.
It can be done in three steps
Step 1: Active and Passive Reconnaissance
The first step in web app pen testing is the reconnaissance or information gathering phase. This step provides the tester with information that can be used to identify and exploit vulnerabilities in the web app.
Passive reconnaissance means collecting information that is readily available on the internet, without directly engaging with the target system. This is mostly done using Google, beginning with subdomains, links, previous versions, etc.
Active reconnaissance, on the other hand, means directly probing the target system to get an output. Here are some examples of methodologies used for active reconnaissance:
-Nmap Fingerprinting – You can use the Nmap network scanner to get information about the web app’s scripting language, OS of the server, server software and version, open ports, and services currently running.
-Shodan Network Scanner – This tool can help you get additional information that is publicly available about the web app, including geolocation, server software used, port numbers opened, and more.
-DNS Forward And Reverse Lookup – This method allows you to associate the recently discovered subdomains with their respective IP addresses. You can also use Burp Suite to automate this process.
-DNS Zone Transfer – You can do this by using the nslookup command to find out the DNS servers being used. Another option would be to use DNS server identification websites then using the dig command to attempt the DNS zone transfer.
-Identify Related External Sites – This part of the information gathering phase is important because of the traffic that flows between the external websites and the target website. Using the Burp Suite covers this step quite easily.
-Analyze HEAD and OPTION Requests – The responses generated from HEAD and OPTIONS HTTP requests show the web server software and its version, plus other more valuable data. You can use Burp Suite’s intercept on feature when visiting the target website to get this information.
-Data From Error Pages – Error pages provide more information than you’d expect. By modifying the URL of your target website and forcing a 404 Not Found error, you’ll be able to know the server and the version the website is running on.
-Checking the Source Code – Examining the source code helps you find useful information you can use to pinpoint some vulnerabilities. It helps you determine the environment the app is running on and other relevant information.
-Documenting All Data – After getting all this information, it is important to organize and document your findings, which you can use later on as a baseline for further study or for finding vulnerabilities to exploit.
Step 2: Attacks or Execution Phase
The next step is the actual exploitation step. In this phase, you implement the attacks based on the information you have gathered during the reconnaissance stage.
There are several tools you can use to attack the designated applicatio.
Let’s look at the top penetration tools used for web applications in the industry today:
1. Nmap:
Nmap or Network Mapper is a scanning and reconnaissance tool. It is used for both network discovery and security auditing. Aside from providing basic information on the target website, it also includes a scripting module that can be used for detecting vulnerability and backdoor, and execution of exploitations.
2.WireShark:
Wireshark is one of the most popular network protocol analyzers right now, facilitating deep inspection of protocols, as well as live-traffic capture and offline analysis of a captured file.The data can also be exported analyzing.
3. Metasploit:
This the s.e. tool.This pen testing tool is actually a framework, and not a specific application. You can use this to create custom tools for particular tasks.
4. Nessus:
This vulnerability scanner helps testers identify vulnerabilities, configuration problems, and even the presence of malware on web applications. This tool, however, is not designed for executing exploitations, but offers great help when doing reconnaissance.
Burp Suite:
This tool is an all-in-one platform for testing the security of web applications. It has several tools that can be used for every phase of the testing process, including Intercepting proxy, Application-aware spider, Advanced web application scanner, Intruder tool, Repeater tool, and Sequencer tool.
Step 3: Reporting And Recommendations:
After collecting data and exploitation processes, the next step is writing the web application pen testing report. Create a concise structure for your report and make sure that all findings are supported by data. Stick to what methods worked and describe the process in detail.
Aside from writing down the successful exploits, you need to categorize them according to their degree of criticality, to help the developers focus in dealing with the more serious exploits first.
A book helped me learn ethical hacking, you can read it for free here!