
    A Guide to Web Application Penetration Testing

    Web application penetration testing is necessary for securing web apps. From E-commerce to healthcare, web pen testing is essential to businesses today.

    by Mike Azzara

    Key Points

    • Web application penetration testing is essential for protecting data, and is distinct from other cybersecurity concerns.
    • Website penetration testing should be performed during the software development cycle to reduce costs.
    • After an application has launched, automated tools can be used to perform regular web pen testing.

    Web applications are an excellent way to work more easily with clients, make services more accessible for customers online and even give employees better access to information like healthcare and retirement plans. But web applications also give hackers and criminals another way to attack your business. And since the apps are online and often open to the public, web applications require a specific set of cybersecurity considerations and a unique type of testing to protect them.

    Web application penetration testing, or web pen testing, is a way for a business to test its own software by mimicking cyberattacks to find and fix vulnerabilities before the software is made public. As such, it involves more than simply shaking the doors and rattling the digital windows of your company's online applications. It uses a methodological approach employing known, commonly used threat attacks and tools to test web apps for potential vulnerabilities. In the process, it can also uncover programming mistakes and faults, assess the overall vulnerability of the application and even reveal problems with supporting backend systems.

    Why Are Web Application Pen Tests Performed?

    Web applications include e-commerce front ends, healthcare applications, mobile apps, and just about any kind of sensitive information that you can think of. So it's incumbent upon companies to make those apps secure in order to protect customers' credit card and personal information as well as their own IT systems, which can be attacked via a web application.

    Beyond cybersecurity, web application pen tests have another benefit. Such testing during the software development process will also lead to a better, more polished final product or service. Web pen tests can reveal unintended crashes or application bugs before customers and clients start complaining about them.

    Ultimately, web applications are going to contain sensitive data, including financial and medical information, that is particularly attractive to attackers. And because web applications are by their very nature open to more users, they need added protection.

    Finally, cybersecurity is a moving target. New technologies are constantly being introduced and there's no shortage of cybercriminals looking for new ways to exploit them. So regular web pen testing should be scheduled for any apps your company has deployed.

    Penetration Types and Testing Stages

    Web application penetration testing can be performed at various points during application development and by various parties including developers, hosts and clients. There are two essential types of web pen testing:

    • Internal: Tests are done on the enterprise's network while the app is still relatively secure and can reveal LAN vulnerabilities and susceptibility to an attack by an employee.
    • External: Testing is done outside via the Internet, more closely approximating how customers — and hackers — would encounter the app once it is live.

    The earlier in the software development stage that web pen testing begins, the more efficient and cost effective it will be. Fixing problems as an application is being built, rather than after it's completed and online, will save time, money and potential damage to a company's reputation. 

    The web pen testing process typically includes the following stages:

    1. Information Gathering and Planning: This comprises forming goals for testing, such as what systems will be under scrutiny, and gathering further information on the systems that will be hosting the web app (because they become targets, too).
    2. Research and Scanning: Before mimicking an actual attack, a lot can be learned by scanning the application's static code. This can reveal obvious vulnerabilities. In addition, a dynamic scan of the application in actual use online will demonstrate how it works in real world conditions and if it has any additional weaknesses.
    3. Access and Exploitation: Using a standard array of hacking attacks ranging from SQL injection to password cracking, this part of the test will try to exploit any vulnerabilities and use them to determine if information can be stolen or unauthorized access can be gained to other systems.
    4. Reporting and Recommendations: At this stage an analysis is done to reveal the types and severity of any vulnerabilities, the kind of data that may have been exposed and whether a cybercriminal could obtain access undetected.
    5. Remediation and Further Testing: Before the web app is launched, patches and fixes will need to be made to eliminate the detected vulnerabilities. And additional pen tests should be performed to confirm that any loopholes were closed and no additional issues arose.

    Penetration Testing Methods

    Fortunately, there are several well-established protocols for conducting web application pen testing. Some examples of security industry guidelines include:

    How to Secure with the PCI Data Security Standard.[i] From the PCI Security Standards Council and aimed at any organization that accepts payments via credit and debit cards, PCI focuses on e-commerce. It was founded in 2006 by American Express, Discover, JCB International, MasterCard and Visa.

    Penetration Testing Methodologies.[ii] From the nonprofit Open Web Application Security Project (OWASP), which has member chapters around the world, this provides detailed technical web penetration testing guidance, including separate discussion of mobile app testing and even firmware.

    Open Source Security Testing Methodology Manual.[iii] From the Institute for Security and Open Methodologies (ISECOM), this page includes various open reports on cybersecurity best practices, including material about web pen testing and a cybersecurity playbook that promises small and medium-sized businesses “a focused, complete, customizable IT security plan for protecting against cyberattacks and data theft.”

    While these standards can provide an excellent starting point for web pen testing, companies should recognize that each web app is unique. Different types of businesses may require different kinds of testing. For example, a healthcare app that has to meet HIPAA requirements may require a different degree of testing than an app for configuring and buying a bicycle.

    Furthermore, there are a wide variety of attacks to consider in web pen testing, such as:

    • Cross-site Scripting (XSS), a technique hackers use to inject malicious scripts into a web application, which can then infect or hack into other customers using that web app.
    • SQL Injection, a method of inserting data queries into a web app with the goal of gaining access to the company's backend database.
    • Password Cracking, which comprises a variety of techniques to reveal passwords. This type of attack can leverage a web app to try to gain unauthorized access to business data and systems.

    Tools to Help Perform Penetration Testing

    In concert with each stage of web application penetration testing there are associated tools. Using such software tools helps speed up the process by automating tests, and can apply rigorous pen testing procedures to a variety of different web applications.

    In general, the available web pen testing tools work by scanning the application’s code in search of vulnerabilities to exploit. They often specialize in identifying a particular type of vulnerability. For example, many common free tools, such as Nmap, are available to uncover details about the app such as the scripting language used.[iv] Network scanners are used to find the geolocation of the host, the type of server software being used and port numbers that are open. Probe scanners automate the process of looking for vulnerabilities, such as whether the app is on a server running outdated software. There are also a variety of tools that look for specific exploitations, like SQL Map, which performs SQL injections to try to take over databases.[v]

    The Bottom Line

    Web applications present a unique and potentially vulnerable target for cybercriminals. The goal of most web apps is to make services, products and tasks easier for customers and employees. But it's also critical that web applications do not also make it easier for criminals to break into systems. That's why web application penetration testing is essential, not just after an app is created but throughout the software development process.

    [i] "How To Secure With The PCI Data Security Standard," PCI Security Standards Council

    [ii] "Penetration Testing Methodologies," OWASP

    [iii] "Open Source Security Testing Methodology Manual," ISECOM

    [iv] Nmap.org

    [v] SQLMap.org
