
10 Tests Covered Under the Gamut of Web Application Penetration Testing


Web Application Penetration Testing has been written about in great detail, yet many readers may be coming across the term for the first time. This article introduces, at a high level, the areas covered under Web Application Penetration Testing.

First things first. What is Web Application Security Testing?

Simply put, testing the security of a web application means evaluating the application's inherent security. To expose loopholes and technical flaws in an application, an organization needs an all-inclusive security testing policy. Combined with a sound risk mitigation plan, this is a good recipe for a web application with a defensible security posture.

The 10 Tests under Web Application Penetration Testing

Web Application Penetration Testing comprises the following 10 tests:

  • Information Gathering
  • Configuration and Deployment Management Testing
  • Identity Management Testing
  • Authentication Testing
  • Authorization Testing
  • Session Management Testing
  • Input Validation Testing
  • Error Handling
  • Business Logic Testing
  • Client Side Testing

The following sections briefly describe each of the activities listed above, and the sub-activities that need to be conducted as part of each.

Information Gathering: Information gathering includes searching for and reviewing any information leaks (in metafiles such as robots.txt, in webpage comments, and in metadata), as well as fingerprinting the web server, the application framework, and the application itself.
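As an added example (not code from the original article), the following Python script runs the passive information-gathering checks above over a captured response. The headers, HTML body and robots.txt are constructed for illustration; in a real engagement they come from the target.

```python
"""Passive information-gathering checks over a captured HTTP response.

Added example; the response below is constructed, not captured from a real site.
"""
import json
import re

# Constructed sample: headers and body as a tester might capture them.
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Content-Type": "text/html; charset=utf-8",
}
SAMPLE_BODY = """<!DOCTYPE html>
<html><head>
<meta name="generator" content="WordPress 5.4.2">
<!-- TODO: remove before release: admin panel at /wp-admin-old/ -->
<script src="/wp-content/themes/acme/app.js?ver=1.2.3"></script>
</head><body>
<!-- DB host: db01.internal -->
<p>Welcome</p>
</body></html>
"""
SAMPLE_ROBOTS = """User-agent: *
Disallow: /backup/
Disallow: /admin/
Disallow: /old-site/
"""

# Headers that commonly carry product names and version numbers.
VERSION_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version", "X-Generator")


def fingerprint_headers(headers):
    """Return the headers that disclose a software version (digits.digits)."""
    found = {}
    for name in VERSION_HEADERS:
        value = headers.get(name)
        if value and re.search(r"\d+\.\d+", value):
            found[name] = value
    return found


def html_comments(body):
    """Extract HTML comments; developers leave paths, hosts and TODOs in them."""
    return [c.strip() for c in re.findall(r"<!--(.*?)-->", body, re.S)]


def meta_generator(body):
    """Return the <meta name="generator"> content, which names the CMS/framework."""
    match = re.search(r'<meta\s+name="generator"\s+content="([^"]+)"', body, re.I)
    return match.group(1) if match else None


def robots_disallowed(robots_txt):
    """Paths hidden from crawlers are often exactly what a tester should visit."""
    return re.findall(r"^Disallow:\s*(\S+)", robots_txt, re.M)


def gather(headers, body, robots_txt):
    """Combine all passive checks into one report dictionary."""
    return {
        "version_headers": fingerprint_headers(headers),
        "generator": meta_generator(body),
        "comments": html_comments(body),
        "disallowed": robots_disallowed(robots_txt),
    }


if __name__ == "__main__":
    print(json.dumps(gather(SAMPLE_HEADERS, SAMPLE_BODY, SAMPLE_ROBOTS), indent=2))
```

Every item the report lists is a lead, not a finding in itself: a version string is checked against known vulnerabilities, and each disallowed path is requested directly to see whether it is actually protected.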

Configuration and Deployment Management Testing: Even a small error in the configuration of the deployed server can leave the web application unstable and exposed. Properly testing configuration management is therefore a business-critical activity. It includes testing the configuration of the application platform and the surrounding infrastructure, searching for old, backup, or unreferenced files that contain sensitive data, reviewing the enabled HTTP methods and security headers, and so on.
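One concrete check from this category is an audit of the HTTP security headers a response carries. The Python below is an added example (not code from the original article); the two header sets, one weak and one hardened, are constructed, and the 180-day HSTS minimum is an assumed threshold, not a value the article gives.

```python
"""Audit the security headers of an HTTP response.

Added example; WEAK_HEADERS and HARDENED_HEADERS are constructed samples.
"""
import re

# Constructed header sets: a misconfigured deployment and a hardened one.
WEAK_HEADERS = {
    "Server": "nginx",
    "Content-Type": "text/html",
    "X-Frame-Options": "ALLOWALL",
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
}
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Content-Type": "text/html",
}
MIN_HSTS_AGE = 15552000  # 180 days; an assumed minimum, adjust to your policy


def csp_directive(csp, name):
    """Return the source list of one CSP directive, or None if it is absent."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return tokens[1:]
    return None


def audit_security_headers(headers, https=True):
    """Return a list of findings for missing or weak security headers."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []

    if https:
        hsts = h.get("strict-transport-security", "")
        age = re.search(r"max-age=(\d+)", hsts)
        if not hsts:
            findings.append("missing Strict-Transport-Security")
        elif not age or int(age.group(1)) < MIN_HSTS_AGE:
            findings.append("HSTS max-age below %d seconds" % MIN_HSTS_AGE)

    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("missing Content-Security-Policy")
    else:
        # script-src governs script loading; default-src is the fallback.
        sources = csp_directive(csp, "script-src")
        if sources is None:
            sources = csp_directive(csp, "default-src")
        if sources is None:
            findings.append("CSP has neither script-src nor default-src")
        elif "'unsafe-inline'" in sources or "*" in sources:
            findings.append("CSP script sources allow 'unsafe-inline' or *")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    # Either a CSP frame-ancestors directive or X-Frame-Options stops framing.
    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" not in csp.lower() and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("no framing protection (frame-ancestors or X-Frame-Options)")

    return findings


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_security_headers(hdrs) or "no findings")
```

The audit runs over a dictionary, so it can be pointed at the headers returned by any HTTP client; pass `https=False` for a plain-HTTP target, where an HSTS header is ignored by browsers anyway.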

Identity Management Testing: Identity Management Testing covers how the application creates and manages user identities. It includes testing the user registration and account provisioning processes, how roles are defined and assigned, whether valid usernames can be enumerated, and whether usernames are guessable or the username policy is unenforced.

Authentication Testing: Authentication testing verifies how the application establishes the identity of whoever is trying to access it. It involves testing whether credentials travel over an encrypted channel, whether default or guessable credentials work, whether the account lockout mechanism is weak or absent, whether the authentication schema can be bypassed, the strength of the password policy and security questions, and so on.
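The account-enumeration check from the Identity Management section and the lockout check from this one share the same target, a login endpoint, so one added example covers both (this is not code from the original article). The two login handlers are toy in-memory stand-ins for the application; in a real test the same probes are sent as HTTP requests and the responses compared. The user table and the five-attempt limit are constructed.

```python
"""Account-enumeration and lockout probes against a login function.

Added example; the user table and both login handlers are constructed stand-ins.
"""
import hashlib
import hmac

# Constructed user table. A real application stores argon2/bcrypt hashes;
# SHA-256 is used only to keep the toy self-contained.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
_DUMMY_HASH = hashlib.sha256(b"dummy").hexdigest()


def _credentials_ok(username, password):
    # Hash even for unknown users so response time does not reveal existence.
    stored = USERS.get(username, _DUMMY_HASH)
    supplied = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored, supplied) and username in USERS


def login_vulnerable(username, password):
    """Distinct messages for unknown user vs wrong password, and no lockout."""
    if username not in USERS:
        return 404, "No such user"
    if not _credentials_ok(username, password):
        return 401, "Incorrect password"
    return 200, "Welcome"


def make_hardened_login(max_failures=5):
    """Build a login with one generic failure message and a per-name attempt limit.

    The counter is keyed by the submitted name whether or not it exists, so the
    lockout itself cannot be used to tell real accounts from fake ones.
    """
    failures = {}

    def login(username, password):
        if failures.get(username, 0) >= max_failures:
            return 429, "Too many attempts, try again later"
        if _credentials_ok(username, password):
            failures.pop(username, None)
            return 200, "Welcome"
        failures[username] = failures.get(username, 0) + 1
        return 401, "Invalid username or password"

    return login


def enumerates_users(login, known_user, unknown_user="zz-no-such-user"):
    """True if a known and an unknown username get different responses to a
    wrong password: the endpoint confirms which accounts exist."""
    return login(known_user, "wrong-password") != login(unknown_user, "wrong-password")


def lacks_lockout(login, user, attempts=20):
    """True if `attempts` consecutive wrong passwords never change the response,
    i.e. nothing throttles or locks the account."""
    responses = {login(user, "guess-%d" % i) for i in range(attempts)}
    return len(responses) == 1


if __name__ == "__main__":
    print("vulnerable: enumerates =", enumerates_users(login_vulnerable, "alice"),
          "no lockout =", lacks_lockout(login_vulnerable, "alice"))
    print("hardened:   enumerates =", enumerates_users(make_hardened_login(), "alice"),
          "no lockout =", lacks_lockout(make_hardened_login(), "alice"))
```

Against a live target the comparison should also cover response length and timing, not just status and message; two responses that read the same but differ by a few bytes or several milliseconds still enumerate accounts.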

Authorization Testing: Authorization comes into play once authentication has succeeded. Authorization Testing checks what an authenticated user is actually permitted to do: whether directory traversal or file inclusion is possible, whether the authorization checks can be bypassed, whether a user can escalate privileges (vertically to a more powerful role, or horizontally to another user's data), and whether object references are directly exposed and insecure.
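The standard way to test this is to replay the same requests with every available session and compare what each one is allowed to see or do. The Python below is an added example (not code from the original article): the sessions, the invoice store and the two pairs of handlers are constructed stand-ins for the target, and the "requests" are plain function calls where a real test would send HTTP requests with each user's cookie.

```python
"""Horizontal (IDOR) and vertical (role) authorization checks.

Added example; sessions, resources and handlers are constructed stand-ins.
"""

# Constructed sessions: two ordinary users and one administrator.
SESSIONS = {
    "tok-alice": {"user": "alice", "role": "user"},
    "tok-bob": {"user": "bob", "role": "user"},
    "tok-admin": {"user": "root", "role": "admin"},
}
# Constructed resources: each invoice belongs to exactly one owner.
INVOICES = {
    1001: {"owner": "alice", "total": 42.0},
    1002: {"owner": "bob", "total": 99.5},
}


def get_invoice_vulnerable(token, invoice_id):
    """Authenticates the caller but never checks ownership: a classic IDOR."""
    if token not in SESSIONS:
        return 401, None
    inv = INVOICES.get(invoice_id)
    return (200, inv) if inv else (404, None)


def get_invoice_hardened(token, invoice_id):
    """Only the owner or an admin may read; others get the same 404 as a
    missing id, so the id space cannot be probed."""
    session = SESSIONS.get(token)
    if not session:
        return 401, None
    inv = INVOICES.get(invoice_id)
    if not inv or (inv["owner"] != session["user"] and session["role"] != "admin"):
        return 404, None
    return 200, inv


def delete_user_vulnerable(token, target):
    """Any logged-in user can call an admin-only action."""
    return 200 if token in SESSIONS else 401


def delete_user_hardened(token, target):
    session = SESSIONS.get(token)
    if not session:
        return 401
    if session["role"] != "admin":
        return 403
    return 200


def authz_matrix(get_invoice, delete_user):
    """Replay every request with every session and with no session at all;
    return (kind, token, target) for each request that succeeded but should not."""
    violations = []
    for token, session in SESSIONS.items():
        for inv_id, inv in INVOICES.items():
            status, _ = get_invoice(token, inv_id)
            allowed = inv["owner"] == session["user"] or session["role"] == "admin"
            if status == 200 and not allowed:
                violations.append(("horizontal", token, inv_id))
        if delete_user(token, "alice") == 200 and session["role"] != "admin":
            violations.append(("vertical", token, "delete_user"))
    for inv_id in INVOICES:
        if get_invoice("no-such-token", inv_id)[0] == 200:
            violations.append(("unauthenticated", None, inv_id))
    return violations


if __name__ == "__main__":
    print("vulnerable:", authz_matrix(get_invoice_vulnerable, delete_user_vulnerable))
    print("hardened:  ", authz_matrix(get_invoice_hardened, delete_user_hardened))
```

The matrix approach scales: record one user's full set of requests with a proxy, then replay them under every other role and under no session, and diff the responses. Note that the hardened handler answers 404 rather than 403 for someone else's invoice; a 403 would confirm that the id exists.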

Session Management Testing: Session Management controls every interaction between a user and the web application, from login to logout. Since these interactions depend on the nature of the site and its security requirements, session management testing includes testing the session management schema, cookie attributes, session fixation, exposed session variables, cross-site request forgery, logout functionality and session timeout, and so on.
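Two of those checks are shown in the added Python example below (not code from the original article): an audit of the attributes on a Set-Cookie header, and a session-fixation test against a toy server that can be configured either to keep or to rotate the session id at login. The cookie strings and the session store are constructed; the 22-character minimum for a session id is an assumed heuristic (128 bits encoded in base64url).

```python
"""Session-cookie attribute audit and session-fixation check.

Added example; the cookie strings and the SessionStore are constructed.
"""
import secrets

# Constructed Set-Cookie headers as seen in a response.
WEAK_COOKIE = "sid=12345; Path=/"
GOOD_COOKIE = ("__Host-sid=Y3p9kQ2vL8wX4tRb6nHs1Zc7Fd0GjKmPaUeIoBqSxWr; "
               "Path=/; Secure; HttpOnly; SameSite=Strict")


def parse_set_cookie(line):
    """Split one Set-Cookie header into name, value and lowercase attribute dict."""
    parts = [p.strip() for p in line.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_session_cookie(line, https=True):
    """Return findings for a session cookie's attributes and id strength."""
    name, value, attrs = parse_set_cookie(line)
    findings = []
    if https and "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax or Strict")
    # Assumed heuristic: 128 bits is 22 chars in base64url (32 in hex). Anything
    # shorter, or purely numeric, is worth trying to predict or brute-force.
    if value.isdigit() or len(value) < 22:
        findings.append("session id short or sequential-looking")
    return findings


class SessionStore:
    """Toy server-side session store; `rotate_on_login` decides whether a
    successful login issues a fresh session id or keeps the pre-login one."""

    def __init__(self, rotate_on_login):
        self.rotate = rotate_on_login
        self.sessions = {}

    def anonymous(self):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user):
        if sid not in self.sessions:
            sid = self.anonymous()  # unknown id: never adopt it, issue our own
        if self.rotate:
            del self.sessions[sid]
            sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user}
        return sid


def fixation_possible(store):
    """Attacker obtains a pre-authentication id and plants it on the victim;
    if the same id identifies the session after the victim logs in, the
    attacker now owns an authenticated session."""
    planted = store.anonymous()
    after_login = store.login(planted, "victim")
    return after_login == planted and store.sessions[planted]["user"] == "victim"


if __name__ == "__main__":
    print("weak cookie:", audit_session_cookie(WEAK_COOKIE))
    print("good cookie:", audit_session_cookie(GOOD_COOKIE) or "no findings")
    print("fixation, no rotation:", fixation_possible(SessionStore(False)))
    print("fixation, rotation:   ", fixation_possible(SessionStore(True)))
```

Against a real application the fixation test is the same three steps: fetch a page without logging in and note the session cookie, log in while presenting that cookie, and check whether the post-login session is still identified by the same value.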

Input Validation Testing: Incomplete or improper input validation is one of the most common sources of severe application vulnerabilities. Input validation testing covers every type of input the application accepts and includes several forms of injection testing (SQL, LDAP, XML, command and code injection, among others), testing for cross-site scripting, buffer overflows, HTTP parameter pollution, and so on. For in-depth details, refer: www.owasp.org/index.php/Testing_for_Input_Validation
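SQL injection is the most instructive of these, because the vulnerable and the fixed versions differ by a single line. The Python below is an added example (not code from the original article): it builds an in-memory SQLite database with constructed rows and sends the same two classic payloads to a login query built by string formatting and to the parameterized equivalent.

```python
"""SQL injection: string-built query versus parameterized query.

Added example; the users table, its rows and the payloads are constructed.
"""
import sqlite3

# Classic payloads: tautology in the password field, comment-out in the username.
TAUTOLOGY = "' OR '1'='1"
COMMENT_OUT = "alice'-- "


def setup():
    """Create an in-memory database with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """User input is spliced into the SQL text, so quotes change the query."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username, password):
    """Placeholders keep the input as data; the query structure is fixed."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def run():
    """Return what each version matches for legitimate and malicious input."""
    conn = setup()
    return {
        # WHERE username='alice' AND password='' OR '1'='1'  -> every row
        "vulnerable": login_vulnerable(conn, "alice", TAUTOLOGY),
        # WHERE username='alice'-- ' AND password=...        -> rest is a comment
        "comment_bypass": login_vulnerable(conn, COMMENT_OUT, "anything"),
        "safe": login_safe(conn, "alice", TAUTOLOGY),
        "safe_comment": login_safe(conn, COMMENT_OUT, "anything"),
        "legit": login_safe(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for label, rows in run().items():
        print("%-15s %s" % (label, rows))
```

The tautology payload turns the WHERE clause into `(username='alice' AND password='') OR '1'='1'`, which matches every row; the comment payload removes the password condition entirely. Both are inert against the parameterized query, where the quote is just a character in a bound string.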

Error Handling: A robust error and exception handling strategy reduces the chance of unhandled errors, keeps stack traces, internal hostnames and other implementation details out of the hands of attackers, and thus plays an important role in safeguarding business-critical data. Testing covers both the error codes the application returns and the stack traces it can be provoked into disclosing.
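The difference between a leaky and a sound handler is shown in the added Python example below (not code from the original article). The failing database lookup is simulated with a constructed exception message; the hardened handler logs the full detail server-side under a correlation reference and returns only a generic message, and a small heuristic shows what a tester looks for in an error body.

```python
"""Error handling: a stack trace sent to the client versus a generic response
with a server-side correlation id.

Added example; the order lookup and its failure are constructed.
"""
import logging
import traceback
import uuid

log = logging.getLogger("app")


def lookup_order(order_id):
    """Constructed data layer: non-numeric ids make it raise the kind of
    message a real database driver would produce."""
    if not order_id.isdigit():
        raise ValueError("syntax error near %r in SELECT * FROM orders WHERE id=%s "
                         "on db01.internal" % (order_id, order_id))
    return {"id": int(order_id), "status": "shipped"}


def handle_vulnerable(order_id):
    """Echoes the exception text and traceback to the client, leaking table
    names, hostnames and code paths."""
    try:
        return 200, lookup_order(order_id)
    except Exception as exc:
        return 500, {"error": str(exc), "trace": traceback.format_exc()}


def handle_hardened(order_id):
    """Logs the full detail with a reference the user can quote to support;
    the client sees nothing about the implementation."""
    try:
        return 200, lookup_order(order_id)
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.exception("request failed ref=%s", ref)
        return 500, {"error": "Internal error", "ref": ref}


# Strings a tester greps error bodies for; any hit is a disclosure finding.
LEAK_MARKERS = ("SELECT ", "Traceback", ".internal", 'File "', ".py")


def leaks_internals(body):
    """Return the markers present in a response body (empty list if clean)."""
    text = str(body)
    return [m for m in LEAK_MARKERS if m in text]


if __name__ == "__main__":
    for handler in (handle_vulnerable, handle_hardened):
        status, body = handler("1 OR 1=1")
        print(handler.__name__, status, "leaks:", leaks_internals(body) or "none")
```

The same probe (an unexpected type, an overlong value, a missing parameter) is sent to every endpoint, and the bodies of all non-200 responses are run through the marker check; custom error pages that still embed the exception text are a common find.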

Business Logic Testing: Business logic is the hardest area to test, and the most damaging if it is tested poorly, because automated scanners cannot find these flaws. In many ways it resembles functional testing, and it relies on the tester's skill and knowledge of the business processes. Common tests include business logic data validation, the ability to forge requests, integrity checks, process timing, limits on how many times a function can be used, circumvention of workflows, defences against application misuse, upload of unexpected or malicious file types, and so on.
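Two of the listed checks are worked through in the added Python example below (not code from the original article): file upload validation that trusts the extension versus validation that also checks the file's leading bytes, and a checkout that trusts client-supplied quantities and prices versus one that validates them against the server's own catalogue. The uploads, the catalogue and the carts are constructed.

```python
"""Business-logic checks: upload type validation by content, and tamper
checks on cart quantity and price.

Added example; the uploads, catalogue and carts are constructed.
"""

# Leading bytes ("magic numbers") of the image types the application accepts.
MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
ALLOWED_EXT = {"png": "image/png", "jpg": "image/jpeg",
               "jpeg": "image/jpeg", "gif": "image/gif"}


def sniff_type(data):
    """Identify the file type from its content, ignoring the filename."""
    for mime, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return mime
    return None


def accept_upload_vulnerable(filename, data):
    """Trusts whatever follows the last dot."""
    return filename.lower().rsplit(".", 1)[-1] in ALLOWED_EXT


def accept_upload_hardened(filename, data):
    """Exactly one extension, on the allow-list, and the content must match it."""
    parts = filename.lower().split(".")
    if len(parts) != 2 or parts[1] not in ALLOWED_EXT:
        return False
    return sniff_type(data) == ALLOWED_EXT[parts[1]]


# Constructed uploads: a genuine PNG header, and a PHP web shell disguised twice.
PNG_UPLOAD = ("avatar.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
DOUBLE_EXT_SHELL = ("shell.php.png", b"<?php system($_GET['c']); ?>")
RENAMED_SHELL = ("shell.png", b"<?php system($_GET['c']); ?>")

PRICES = {"sku-1": 25.00, "sku-2": 10.00}  # constructed server-side catalogue


def checkout_vulnerable(cart):
    """Trusts the quantity and unit price sent by the client."""
    return sum(item["qty"] * item["price"] for item in cart)


def checkout_hardened(cart):
    """Quantity must be a positive, bounded integer; price comes from the catalogue."""
    total = 0.0
    for item in cart:
        if item["sku"] not in PRICES:
            raise ValueError("unknown sku")
        qty = item["qty"]
        if not isinstance(qty, int) or qty < 1 or qty > 100:
            raise ValueError("bad quantity")
        total += qty * PRICES[item["sku"]]
    return total


def checkout_rejects(cart):
    """True if the hardened checkout refuses the cart."""
    try:
        checkout_hardened(cart)
    except ValueError:
        return True
    return False


# Constructed tampered carts: a negative quantity that yields a refund on
# the second line, and a client-supplied price of one cent.
NEGATIVE_CART = [{"sku": "sku-1", "qty": 2, "price": 25.0},
                 {"sku": "sku-2", "qty": -4, "price": 10.0}]
TAMPERED_PRICE_CART = [{"sku": "sku-1", "qty": 1, "price": 0.01}]

if __name__ == "__main__":
    for name, data in (PNG_UPLOAD, DOUBLE_EXT_SHELL, RENAMED_SHELL):
        print(name, "lax:", accept_upload_vulnerable(name, data),
              "strict:", accept_upload_hardened(name, data))
    print("negative qty, trusting client:", checkout_vulnerable(NEGATIVE_CART))
    print("negative qty, rejected:", checkout_rejects(NEGATIVE_CART))
    print("tampered price, trusting client:", checkout_vulnerable(TAMPERED_PRICE_CART))
    print("tampered price, catalogue price:", checkout_hardened(TAMPERED_PRICE_CART))
```

Content sniffing is necessary but not sufficient on its own: a file can carry a valid PNG header and still contain PHP further in, so uploads should also be stored outside the web root, served with a fixed Content-Type, and never executed by the server.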

Client-Side Testing: Client-side testing refers to testing code that executes on the client side, usually within a web browser or browser plugin. It covers DOM-based cross-site scripting, JavaScript execution, HTML and CSS injection, client-side URL redirects, clickjacking, WebSockets, web messaging, browser storage, and so on. For in-depth details, refer: www.owasp.org/index.php/Client_Side_Testing
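Before stepping through the browser with a debugger, a tester usually triages the application's JavaScript for dangerous sinks and for web-messaging handlers that never check the sender's origin. The Python below is an added example (not code from the original article) of that static triage; the two scripts it scans are constructed, and the sink and source patterns are a deliberately small list that a real engagement would extend.

```python
"""Static triage of client-side JavaScript: DOM-XSS sinks and postMessage
handlers that never check event.origin.

Added example; VULN_JS and SAFE_JS are constructed snippets.
"""
import re

# Constructed: greeting rendered from the URL fragment, plus a message handler.
VULN_JS = """
// renders a greeting from the URL fragment
var name = decodeURIComponent(location.hash.slice(1));
document.getElementById('greet').innerHTML = 'Hello ' + name;
window.addEventListener('message', function (e) {
  document.getElementById('out').innerHTML = e.data;
});
"""
SAFE_JS = """
var name = decodeURIComponent(location.hash.slice(1));
document.getElementById('greet').textContent = 'Hello ' + name;
window.addEventListener('message', function (e) {
  if (e.origin !== 'https://app.example') { return; }
  document.getElementById('out').textContent = e.data;
});
"""

# Sinks that interpret a string as HTML, code or a navigation target.
SINKS = {
    "innerHTML": r"\.(inner|outer)HTML\s*=",
    "document.write": r"document\.write(ln)?\s*\(",
    "eval": r"\beval\s*\(",
    "insertAdjacentHTML": r"\.insertAdjacentHTML\s*\(",
    "location": r"\blocation(\.href)?\s*=[^=]",
}
# Attacker-controlled sources; only checked on the same line as the sink,
# which is a heuristic: tainted data that arrives via a variable is missed.
SOURCES = [r"\blocation\.(hash|search|href)", r"document\.referrer",
           r"window\.name", r"\.data\b"]
MESSAGE_HANDLER = re.compile(r"addEventListener\s*\(\s*['\"]message['\"]|\.onmessage\s*=")


def find_sinks(js):
    """Return (line number, sink label, source on same line) for each sink hit."""
    hits = []
    for lineno, line in enumerate(js.splitlines(), 1):
        for label, pattern in SINKS.items():
            if re.search(pattern, line):
                tainted = any(re.search(src, line) for src in SOURCES)
                hits.append((lineno, label, tainted))
    return hits


def _block_after(js, start):
    """Return the first brace-matched {...} block at or after `start`."""
    open_i = js.find("{", start)
    if open_i < 0:
        return ""
    depth = 0
    for i in range(open_i, len(js)):
        if js[i] == "{":
            depth += 1
        elif js[i] == "}":
            depth -= 1
            if depth == 0:
                return js[open_i:i + 1]
    return js[open_i:]


def unchecked_message_handlers(js):
    """Line numbers of message handlers whose inline body never reads .origin.
    Handlers passed as a named function are not followed (limitation)."""
    bad = []
    for m in MESSAGE_HANDLER.finditer(js):
        body = _block_after(js, m.end())
        if not re.search(r"\.origin\b", body):
            bad.append(js.count("\n", 0, m.start()) + 1)
    return bad


if __name__ == "__main__":
    for label, js in (("vulnerable", VULN_JS), ("safe", SAFE_JS)):
        print(label, "sinks:", find_sinks(js),
              "unchecked message handlers:", unchecked_message_handlers(js))
```

Each reported line is then confirmed in the browser: for the innerHTML hit, by loading the page with a payload in the fragment; for the message handler, by posting a message from a page on a different origin and observing whether it is rendered.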

Reference: For in-depth reading, see the Open Web Application Security Project (OWASP) web application security testing methodology, which defines the categories summarized above.