Penetration testing can be a useful tool for assessing the ability of your customers' Web applications to withstand an attack. However, if you don't carry out the tests correctly, they will tell you
Web application penetration testing involves testing a running application remotely, without knowing the inner workings of the application itself, in order to find possible vulnerabilities. To avoid an inefficient scattergun approach, the best way to perform penetration testing is to conduct a series of methodical and repeatable tests, and to work through all of the different application vulnerabilities. However, because penetration testing is not an exact science, it is best to troubleshoot any existing concerns within a testing framework. Below are three steps you can take to ensure the penetration test is a success:
- Gather as much information as possible about the application and the infrastructure it resides
- Perform an infrastructure-level penetration test to see how the infrastructure is deployed and
secured. If the application server can be exploited, it can give you more leverage in exploiting
the Web application.
- When testing the application, look for any entry points where user input is accepted and dynamic content is generated. Then, probe these areas for weaknesses in input validation, session manipulation, authentication and information leakage. If any internal information is leaked, it should be recorded and used to re-assess your overall understanding of the application and how it works.
If at any point you uncover a serious vulnerability that could lead to an application or system compromise, inform your customer's system administrator or relevant contact about the risks. Once the tests are complete, record the results, report which vulnerabilities were tested, and provide risk assessments for any vulnerabilities found.
To help you plan a penetration test, you can use the checklist of Web application vulnerabilities in the Open Source Security Testing Methodology Manual (OSSTMM) from the Open Web Application Security Project (OWASP). OWASP is currently developing a framework for testing the security of Web applications, and will provide technical details on how to use source code inspection and penetration testing to look for specific issues.
You can also use tools that automate the process, but it's important to note that because Web applications are usually custom-made, these tools can be ineffective. Fortunately, the latest products are more advanced. Early automated scanners pointed out long lists of vulnerabilities, but did little to assist in fixing them. New products, such as SPI Dynamics' SPI ToolKit, provide more comprehensive reports and information on how to avoid the latest threats.
Not only should you penetration test an application before deployment but also afterwards. Post-deployment tests provide a final assessment of the code's ability to withstand an attack in the wild within your customer's network environment. However, because it occurs late in the software development life cycle, it should not be the only security testing technique, as a successful test doesn't necessarily mean the application is secure. To improve the security of their applications, your customer must improve the quality of the software development processes. This means testing the security at the definition, design, development, deployment and maintenance stages, and not relying on the costly strategy of waiting until the application is completed.
Before you perform a penetration test for any customer you will need to provide them with a service-level and code-of-conduct agreement covering how testing will be performed and how the results will be handled. If you use the OSSTMM, for example, you must abide by various rules and guidelines of acceptable practices. Because penetration testing depends a lot on the skill of the tester, I recommend that your staff acquire certification, such as CPTS (Certified Penetration Testing Specialist).
About the author
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for SearchSecurity's Web Security School and, as a SearchSecurity.com site expert, answers user questions on application and platform security.
This was first published in February 2007