Web Application Penetration Testing

Robust threat exploration and manual analysis of your
web applications to uncover security gaps and identify
exploitable vulnerabilities, weaknesses, and technical flaws.

Understand the risk that the vulnerabilities present in your application(s) pose to you and your customers, and improve the marketability of your application.

WEB APPLICATION SECURITY: A HYBRID APPROACH

Throughout the web application penetration testing process, both automated and comprehensive manual testing are used to identify all application and business-logic related vulnerabilities. At MainNerve, all our web app security tests go beyond international standards such as OWASP and come with a detailed final report that includes an executive summary, a listing of risk ratings, remediation recommendations, and more.

IDENTIFY APPLICATION VULNERABILITIES AND EXPOSURES

Web applications frequently store sensitive information… and may even provide an external access point to your network. MainNerve’s expert penetration testing truly simulates the attacks of a real-world hacker, which includes specialized vulnerability assessments, automated scans, and manual techniques. These cyber services all work together to reduce false positives and identify application security gaps.

Test your web application against:

  • Injection Attacks
  • Cross Site Scripting (XSS)
  • Broken Authentication / Session Management
  • Cross Site Request Forgery (CSRF)
  • Sensitive Data Exposure
  • Server and Security Misconfiguration
  • Weak Authentication
  • Unvalidated Redirects and Forwards
  • Improper Session Management

And more…

THE MAINNERVE PROCESS

MainNerve’s web application penetration testing services are designed to improve the security of your web applications through a comprehensive, highly-manual, risk-based approach to identifying critical vulnerabilities. And at the end of the MainNerve web app pen test process, you will receive a detailed report that clearly defines the results of the test. MainNerve application security solutions are designed to help businesses realize a resilient application that can withstand sophisticated cyber threats.

PLANNING

The planning phase of the Web Application Penetration Testing (WAPT) process includes establishing Rules of Engagement, communicating about on- and off-limit IPs and applications (Scoping), setting the overall timeline of the web application penetration test, and deciding whether the test will be performed using White, Gray, or Black Box methodologies.

RECONNAISSANCE

Once the planning phase is complete, architecture mapping and a complete web application scan are performed. This is the first true step of the web application pen test and is the foundation of an efficient and ethical attack. It is important to note that the web application is not directly engaged (or attacked) during this phase.

MAPPING

The mapping phase of the web application process takes place after reconnaissance and enables the ethical hacker to understand all facets of the target web application and associated infrastructure. During this phase, component relationships, logic flow, software, and versions are all examined. The tester will crawl the application(s) to identify its workflow, functionality, and potential testing/injection points. Lastly, authentication mechanisms and session handling are examined to identify potential vulnerabilities.

DISCOVERY

During the discovery phase of the web application penetration testing, the ethical hacker takes an in-depth look at the target application(s) to find any additional information and potential vulnerabilities. This phase focuses heavily on finding common applications, user interfaces, information leakage, authentication systems, and error messages, a process also known as fingerprinting. Once fingerprinting is concluded, a web application vulnerability scan is performed in order to verify potential vulnerabilities and exploits. It is important to note that all tools and scripts for the exploitation phase are prepared during this step. That being said, the discovery phase is still technically nothing more than an information gathering and attack preparation phase.

EXPLOITATION

The exploitation phase of the web app pen test process is where all the information gathered, tools selected, and the scripts prepared are then used to exploit flaws that allow security controls to be circumvented. The success of this step is highly dependent on the previous steps. MainNerve uses manual verification and other techniques to check all potential exploits, and if necessary, retest to validate results. The purpose of this phase is to provide proofs of concept regarding findings identified during the Discovery Phase, identify false positives, and (if within scope) gain control of the application.

REPORTING

At MainNerve, we consider reporting, the final phase of the web application penetration testing process, to be the most crucial phase. We take great care to ensure that we effectively communicate the value of our service and findings as thoroughly as possible. Our main goal is to ensure that all information from the WAPT is clearly understood and that a roadmap toward remediation/mitigation is well defined. A comprehensive final report detailing all testing information along with an executive summary is securely delivered at the conclusion of this phase.

More About Web Application Penetration Testing

 

Overview

The primary objective behind a web application penetration test (WAPT) is to identify exploitable vulnerabilities, weaknesses, and technical flaws in applications before hackers are able to discover and exploit them. Web application penetration testing reveals real-world opportunities hackers could use to compromise applications in order to gain access to sensitive data or even take over systems for malicious and non-business purposes.

A WAPT is a simulated attack carried out by our highly-experienced security engineers in an effort to:

  1. Identify application security flaws present in your environment
  2. Understand the level of risk any vulnerabilities pose for your organization
  3. Help address and fix identified application flaws

Web applications frequently store sensitive information… and may even provide an external access point to your network. In the technological world of today, people expect websites to be incredibly user-friendly. This has come with the unintended consequence of increasing vulnerabilities among web apps as developers enhance their user-interfaces and develop more dynamic functionality. In order to mitigate these weaknesses, application user-improvements should always coincide with associated security testing.

 

Benefits

All web applications can benefit from a WAPT. At the conclusion of the web application penetration testing process, you will have an understanding of the risks associated with your web application, along with the solutions you need to implement in order to address those security weaknesses.

  • Identify specific application security flaws present in your environment
  • Reveal security vulnerabilities resulting from implementation errors
  • Identify vulnerabilities associated with the application’s relationship to the network infrastructure
  • Test for the existence of OWASP Top 10 risks and threats (at a minimum)
  • Assess the application security versus network- or user-based attacks
  • Identify security design flaws and exploit the most critical vulnerabilities (e.g. cardholder data)
  • Meet any industry-related regulatory compliance standards
  • View your applications through the eyes of a hacker
  • Discover where you can improve your security posture
  • Receive guidance to effectively remediate any uncovered vulnerabilities

 

Approach and Methodology

MainNerve’s web application penetration testing services utilize a comprehensive, risk-based approach to manually identify critical application-centric vulnerabilities that exist on all in-scope applications. We observe the web application penetration testing standard developed by OWASP. Our WAPT approach is based on the OWASP Testing Guide and our comprehensive methods cover the classes of vulnerabilities detailed in the OWASP Top 10. This can include, but is not limited to, SQL Injection, Cross-Site Scripting, Broken Authentication and Session Management, Cross-Site Request Forgery, Unvalidated Redirects and Forwards, Security Misconfigurations, and more.

 

Methodology

MainNerve performs each and every web application penetration test using the methods detailed under the OWASP Testing Guide. In order to ensure a sound and comprehensive web application penetration test, we leverage industry-standard frameworks as a foundation for carrying out each of our tests. Our methodology includes specific phases with continual reporting throughout the API testing process.

 

Phases

  1. Planning
  2. Reconnaissance
  3. Mapping
  4. Discovery
  5. Exploitation
  6. Reporting

 

Deliverables

At MainNerve, we consider the Reporting/Delivery phase of our web app penetration testing process to be the most important. We take great care to ensure we effectively communicate the value of our service and findings as thoroughly as possible. Our main goal is to ensure that all information is clearly understood and that a roadmap toward remediation/mitigation is crystal clear. A WAPT Final Report with MainNerve includes:

  • Executive Summary
  • Statement of Scope
  • Statement of Methodology
  • Tools and Uses
  • Testing Narrative
  • Limitations (if applicable)
  • Findings
  • Supporting Data
  • Remediation Recommendations
  • Risk Rating

Note that all deliverables will be provided via secure file transfer—provided by MainNerve. All final deliverables are shared only with approved parties.

 

Web Application Security Testing Specifics

At MainNerve, we employ testing tools such as OWASP Zed Attack Proxy, Burp Suite Professional, and more. Although we perform the bulk of our web application penetration tests using manual techniques, automated scanning is used in circumstances where testing is limited by time and resources. Automated testing can provide additional means of either confirming or invalidating security findings encountered throughout the testing process. That being said, it is our strong belief that an effective and comprehensive WAPT can only be realized through rigorous manual testing techniques.

The following web application tests are performed side-by-side with the OWASP Top 10 in order to view, access, and/or download sensitive customer data:

  • Injection Tests: A class of attacks that rely on injecting data into a web application in order to facilitate the execution or interpretation of malicious data in an unexpected manner (e.g. SQL Injection, Cross-Site Scripting (XSS), Code Injection).
  • Insecure Communication Methods: A class of verification tests that ensure communication is being properly encrypted and with the proper level of encryption strength.
  • Improper Error Handling: A class of tests that ensure an application fails in a safe manner under all possible error conditions—both expected and unexpected. Error handling tests ensure that no sensitive information is presented to the user when an error occurs.
  • Improper Access Controls: A class of tests that ensure all processes and decisions for determining, documenting, and managing subjects (users, devices, and/or processes) grant access only to the object(s) they should. In other words: ensuring that users cannot access things they shouldn’t. These tests also ensure that all methods and conditions by which subjects (as defined above) are allowed to, or restricted from, connecting with, viewing, consuming, entering into, or making use of identified information resources are being properly handled.
  • Session Management: A class of tests that ensure sessions are being properly transmitted and in a secure manner. Session management tests are designed to ensure that the set of controls that governs interactions between user and web-based application is solid and that a hacker cannot use a session key to hijack a session.
  • Improper Authentication/Authorization Management: A class of tests that ensure the mechanisms in place for authentication and validation allow access to resources only for those permitted. In other words, this series of tests ensures that it is not possible for an attacker to log in without actually providing credentials… or access another user’s information or resources without proper login credentials.
  • Outdated or Vulnerable Software Versions: A class of tests that identify vulnerabilities in any of the software being used to run a web application. Outdated software is generally a solid indicator that vulnerabilities exist; this series of tests also ensures that all software versions are updated.
  • Input Validation: A class of manual tests designed to identify the most common web application security weakness: the failure to properly validate input coming from the client or from the environment before use. Input validation tests cover all possible forms of input to understand if an application sufficiently validates input data before using it. Note: This weakness leads to almost all of the major vulnerabilities in web applications, making it a crucial test in the WAPT process.
  • Circumvent Workflows: A class of manual tests that identifies any workflow vulnerabilities in a web application. Workflow vulnerabilities involve any type of vulnerability that allows an attacker to misuse an application/system in such a way that the attacker can circumvent (not follow) the designed/intended workflow.
  • Validation of Findings: A class of manual tests that validate any vulnerabilities found during the automated portion of the WAPT process.

MainNerve web application penetration testing services include thorough examination of web-based applications with the following goals: 1) reveal security vulnerabilities resulting from implementation errors, 2) identify vulnerabilities associated with the application’s relationship to the network infrastructure, 3) assess the application security versus network- or user-based attacks, and 4) identify security design flaws.

 

FAQs

What exactly is a web application?

A web application, or “web app”, is really nothing more than a software program that runs on a web server. Essentially, web applications are programs that allow visitors to interact with a web site—such as submitting personal data.

Features like webmail, login pages, support and product request forms, shopping carts, and content management systems are all common examples of web applications.

Why should I conduct a web app penetration test?

A web application penetration test is a simulated attack against an application from the perspective of a malicious hacker. The objective is to simulate a cybersecurity attack in order to uncover vulnerabilities that might otherwise be discovered by hackers. This is done in order to gain valuable insight into the security posture of your assets and be able to fix them before hackers can cause serious damage by exploiting them.

How long does it take to conduct a web application penetration test?

The overall time it takes to perform a web application penetration test depends on the size and complexity of the in-scope application(s). That being said, most tests take anywhere from one week to a couple of weeks to complete in full.

How much does a web app pen test cost?

This question is not easy to answer until some level of scoping has been performed. Overall, the complexity of the application will ultimately determine its cost. For example, when determining the scope of work, we take into account the following: number of dynamic pages, user roles and permissions, etc.

As discussed during the scoping section, we will determine the scope of the test by providing proposed rules of engagement. These rules will explicitly detail both in-scope and out-of-scope URLs and other resources.

What is the difference between a penetration test and a vulnerability assessment?

The short answer to this question involves exploitation and post-exploitation. Vulnerability assessments do not involve exploitation; however, they will provide a complete listing of all vulnerabilities and risk ratings within the customer’s specified IP/URL range. Conversely, penetration testing goes well beyond a vulnerability assessment and delves into exploitation and post-exploitation phases.

VALUE-ADDED SERVICES

Network Penetration Testing

Network penetration testing assists with the identification and examination of vulnerabilities for external, Internet-facing and internal, intranet systems. A network pen test will help determine whether an attack can exploit and compromise targeted systems. Take the next step to improving your business’ security with a network pen test.

Compliance Solutions

MainNerve’s compliance solutions are designed to help fill one of the biggest challenges for businesses: staying in alignment with the exhaustive list of Governance, Risk Management, and Compliance (GRC) requirements. From PCI DSS and HIPAA, to CJIS and FINRA, MainNerve can help your business navigate the GRC landscape with specialized penetration tests.

Social Engineering

Social engineering, in the context of information security, is commonly defined as the use of persuasion and/or manipulation techniques in order to influence people into performing actions or divulging confidential information. Ensure that your business is secure by testing and evaluating your employees against general phishing and “spear-phishing” attacks.