Web Application Penetration Test

Comprehensive Web Application Penetration Testing Checklist with Tools and Key Items

Pre-Engagement Phase

  1. Define Scope:

    • Identify target application(s) and environment.

    • Establish testing boundaries and limitations.

    • Obtain necessary permissions and legal clearances.

  2. Information Gathering:

    • Passive Reconnaissance:

      • Collect information without interacting with the target directly.

      • Tools: Google Dorking, Shodan, Censys.

      • Key Items: Domain information, IP addresses, DNS records, publicly exposed sensitive information.

    • Active Reconnaissance:

Testing Phase

  1. Configuration and Deployment Management Testing:

    • Verify secure configuration of servers, frameworks, and application components.

    • Tools: Nikto, Nessus.

    • Key Items: Default accounts, unnecessary services, outdated software, sensitive information in configuration files.

  2. Authentication Testing:

    • Test for weak passwords and default credentials.

    • Evaluate multi-factor authentication (MFA) implementation.

    • Tools: Hydra, Burp Suite Intruder, Medusa.

    • Key Items: Password policies, MFA implementation, brute force protection, session fixation vulnerabilities.

  3. Session Management Testing:

    • Examine session tokens for predictability and entropy.

    • Tools: Burp Suite, OWASP ZAP.

    • Key Items: Session token security, session hijacking, session fixation, secure storage and transmission of session cookies, session timeout and logout functionality.
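As an added example (not part of the original checklist), a small Python script that performs two of the session management checks listed above on constructed sample data: it audits Set-Cookie attributes (Secure, HttpOnly, SameSite) and estimates session-token entropy and sequential predictability. The headers and tokens are constructed, the 64-bit threshold follows common OWASP session management guidance, and the function names are this example's own.

```python
import math
import secrets
from collections import Counter

# Constructed sample Set-Cookie headers (hypothetical, not from a real application).
SAMPLE_SET_COOKIE = [
    "sid=7c1f0b2a4d6e8f90a1b2c3d4e5f60718; Path=/; Secure; HttpOnly; SameSite=Lax",
    "legacy_sid=1001; Path=/",
]

def audit_set_cookie(header):
    """Return findings for one Set-Cookie header (missing Secure/HttpOnly/SameSite)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        attrs[key.strip().lower()] = value.strip().lower()
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: no Secure flag, cookie may be sent over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append(f"{name}: no HttpOnly flag, cookie readable by injected script")
    if attrs.get("samesite") not in ("lax", "strict"):
        findings.append(f"{name}: SameSite not Lax/Strict, review CSRF exposure")
    return findings

def shannon_entropy_bits(tokens):
    """Per-character Shannon entropy (bits/char) over a sample of tokens."""
    counts = Counter("".join(tokens))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def estimated_token_bits(tokens):
    """Rough per-token entropy: bits/char times mean length (OWASP guidance: >= 64 bits)."""
    mean_len = sum(len(t) for t in tokens) / len(tokens)
    return shannon_entropy_bits(tokens) * mean_len

def looks_sequential(tokens):
    """True if tokens parse as hex/decimal integers with a constant step between samples."""
    try:
        values = [int(t, 16) for t in tokens]
    except ValueError:
        return False
    return len(values) >= 3 and len({b - a for a, b in zip(values, values[1:])}) == 1

def random_hex_tokens(n=50):
    """Reference sample of properly generated 128-bit tokens for comparison."""
    return [secrets.token_hex(16) for _ in range(n)]
```

Feed the functions tokens collected from many fresh logins to an in-scope application rather than the constructed samples. The entropy figure is only an upper bound, so a low value is conclusive while a high one is not.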

  4. Access Control Testing:

    • Test for broken access controls and authorization issues.

    • Tools: Burp Suite, Postman, OWASP ZAP.

    • Key Items: Vertical and horizontal privilege escalation, server-side access control enforcement, IDOR vulnerabilities.

  5. Input Validation Testing:

    • Test for SQL Injection vulnerabilities using automated tools and manual techniques.

    • Tools: SQLmap, Burp Suite, OWASP ZAP.

    • Key Items: SQL Injection, Cross-Site Scripting (XSS), Command Injection, File Inclusion, input validation mechanisms.

  6. Testing for Business Logic Vulnerabilities:

    • Identify and exploit flaws in the application’s business logic.

    • Tools: Manual testing, custom scripts.

    • Key Items: Manipulation of business workflows, integrity of multi-step processes and transactions.

  7. Client-Side Testing:

    • Test for Cross-Site Request Forgery (CSRF) vulnerabilities.

    • Evaluate the security of JavaScript and client-side code.

    • Tools: Burp Suite, OWASP ZAP, Browser Developer Tools.

    • Key Items: CSRF, JavaScript security, HTML5 and browser storage, Clickjacking and UI redressing attacks.

    • Sources: RSI Security, Cybrary.

  8. API Testing:

    • Identify and map out all API endpoints.

    • Tools: Postman, Burp Suite, OWASP ZAP.

    • Key Items: API authentication, input validation and output encoding, excessive data exposure, rate limiting.

  9. Cryptography Testing:

    • Verify the use of strong encryption algorithms and protocols.

    • Tools: SSL Labs, OpenSSL, TestSSL.sh.

    • Key Items: Encryption algorithms and protocols, SSL/TLS implementation, cryptographic storage, cryptographic keys and certificates.

  10. Denial of Service (DoS) Testing:

    • Identify and test for potential DoS attack vectors.

    • Tools: LOIC, HOIC, Slowloris.

    • Key Items: Rate limiting and throttling, application’s ability to handle high loads.

    • Sources: Cybrary, QualySec.

  11. Testing for Error Handling:

    • Check for information leakage through error messages.

    • Tools: Burp Suite, OWASP ZAP.

    • Key Items: Error message handling, response to unexpected inputs, exposure of stack traces and debug information.

    • Sources: RSI Security, Cybrary.

Reporting Phase

  1. Document Findings:

    • Create detailed reports of vulnerabilities discovered.

    • Tools: Dradis, Faraday.

    • Key Items: Steps to reproduce, potential impact, remediation recommendations.

    • Sources: QualySec, Cybrary.

  2. Provide Executive Summary:

Post-Engagement Phase

  1. Remediation Support:

    • Offer guidance and support for fixing identified vulnerabilities.

    • Tools: Jira, Confluence.

    • Key Items: Verification of applied fixes, best practices for maintaining security.

    • Sources: RSI Security, Cybrary.

  2. Review and Reflect:

    • Conduct a post-engagement review with the team.

    • Tools: Team meetings, retrospective tools.

    • Key Items: Lessons learned, potential improvements, updates to methodologies and tools.
