What is Web Application Penetration Testing?

A web application penetration test is an authorised security test of an application that methodically verifies that each part of the application is not vulnerable to exploitation. The testing process also identifies security issues, such as weak cryptography or logic flaws, that can undermine the effectiveness of a web application's security controls. A web application pen test focuses only on evaluating the security of the web application itself.

The process is manual and involves active (dynamic) analysis of the application for weaknesses, logic flaws, or vulnerabilities. Any security issues found are presented to the client in a report detailing the impact of each issue and recommendations for mitigation or a technical solution.

OWASP Web Application Penetration Testing Checklist

The web application penetration testing process is usually based on the OWASP testing methodology, which covers the following:

Ref. No.   Category              Test Name
4.2        Information Gathering
4.2.1      OTG-INFO-001          Conduct Search Engine Discovery and Reconnaissance for Information Leakage
4.2.2      OTG-INFO-002          Fingerprint Web Server
4.2.3      OTG-INFO-003          Review Webserver Metafiles for Information Leakage
4.2.4      OTG-INFO-004          Enumerate Applications on Webserver
4.2.5      OTG-INFO-005          Review Webpage Comments and Metadata for Information Leakage
4.2.6      OTG-INFO-006          Identify Application Entry Points
4.2.7      OTG-INFO-007          Map Execution Paths Through Application
4.2.8      OTG-INFO-008          Fingerprint Web Application Framework
4.2.9      OTG-INFO-009          Fingerprint Web Application
4.2.10     OTG-INFO-010          Map Application Architecture
4.3        Configuration and Deployment Management Testing
4.3.1      OTG-CONFIG-001        Test Network/Infrastructure Configuration
4.3.2      OTG-CONFIG-002        Test Application Platform Configuration
4.3.3      OTG-CONFIG-003        Test File Extensions Handling for Sensitive Information
4.3.4      OTG-CONFIG-004        Backup and Unreferenced Files for Sensitive Information
4.3.5      OTG-CONFIG-005        Enumerate Infrastructure and Application Admin Interfaces
4.3.6      OTG-CONFIG-006        Test HTTP Methods
4.3.7      OTG-CONFIG-007        Test HTTP Strict Transport Security
4.3.8      OTG-CONFIG-008        Test RIA Cross Domain Policy
4.4        Identity Management Testing
4.4.1      OTG-IDENT-001         Test Role Definitions
4.4.2      OTG-IDENT-002         Test User Registration Process
4.4.3      OTG-IDENT-003         Test Account Provisioning Process
4.4.4      OTG-IDENT-004         Testing for Account Enumeration and Guessable User Account
4.4.5      OTG-IDENT-005         Testing for Weak or Unenforced Username Policy
4.4.6      OTG-IDENT-006         Test Permissions of Guest/Training Accounts
4.4.7      OTG-IDENT-007         Test Account Suspension/Resumption Process
4.5        Authentication Testing
4.5.1      OTG-AUTHN-001         Testing for Credentials Transported over an Encrypted Channel
4.5.2      OTG-AUTHN-002         Testing for Default Credentials
4.5.3      OTG-AUTHN-003         Testing for Weak Lock Out Mechanism
4.5.4      OTG-AUTHN-004         Testing for Bypassing Authentication Schema
4.5.5      OTG-AUTHN-005         Test Remember Password Functionality
4.5.6      OTG-AUTHN-006         Testing for Browser Cache Weakness
4.5.7      OTG-AUTHN-007         Testing for Weak Password Policy
4.5.8      OTG-AUTHN-008         Testing for Weak Security Question/Answer
4.5.9      OTG-AUTHN-009         Testing for Weak Password Change or Reset Functionalities
4.5.10     OTG-AUTHN-010         Testing for Weaker Authentication in Alternative Channel
4.6        Authorization Testing
4.6.1      OTG-AUTHZ-001         Testing Directory Traversal/File Include
4.6.2      OTG-AUTHZ-002         Testing for Bypassing Authorization Schema
4.6.3      OTG-AUTHZ-003         Testing for Privilege Escalation
4.6.4      OTG-AUTHZ-004         Testing for Insecure Direct Object References
4.7        Session Management Testing
4.7.1      OTG-SESS-001          Testing for Bypassing Session Management Schema
4.7.2      OTG-SESS-002          Testing for Cookies Attributes
4.7.3      OTG-SESS-003          Testing for Session Fixation
4.7.4      OTG-SESS-004          Testing for Exposed Session Variables
4.7.5      OTG-SESS-005          Testing for Cross Site Request Forgery
4.7.6      OTG-SESS-006          Testing for Logout Functionality
4.7.7      OTG-SESS-007          Test Session Timeout
4.7.8      OTG-SESS-008          Testing for Session Puzzling
4.8        Data Validation Testing
4.8.1      OTG-INPVAL-001        Testing for Reflected Cross Site Scripting
4.8.2      OTG-INPVAL-002        Testing for Stored Cross Site Scripting
4.8.3      OTG-INPVAL-003        Testing for HTTP Verb Tampering
4.8.4      OTG-INPVAL-004        Testing for HTTP Parameter Pollution
4.8.5      OTG-INPVAL-005        Testing for SQL Injection
4.8.5.1                          Oracle Testing
4.8.5.2                          MySQL Testing
4.8.5.3                          SQL Server Testing
4.8.5.4                          Testing PostgreSQL
4.8.5.5                          MS Access Testing
4.8.5.6                          Testing for NoSQL Injection
4.8.6      OTG-INPVAL-006        Testing for LDAP Injection
4.8.7      OTG-INPVAL-007        Testing for ORM Injection
4.8.8      OTG-INPVAL-008        Testing for XML Injection
4.8.9      OTG-INPVAL-009        Testing for SSI Injection
4.8.10     OTG-INPVAL-010        Testing for XPath Injection
4.8.11     OTG-INPVAL-011        IMAP/SMTP Injection
4.8.12     OTG-INPVAL-012        Testing for Code Injection
4.8.12.1                         Testing for Local File Inclusion
4.8.12.2                         Testing for Remote File Inclusion
4.8.13     OTG-INPVAL-013        Testing for Command Injection
4.8.14     OTG-INPVAL-014        Testing for Buffer Overflow
4.8.14.1                         Testing for Heap Overflow
4.8.14.2                         Testing for Stack Overflow
4.8.14.3                         Testing for Format String
4.8.15     OTG-INPVAL-015        Testing for Incubated Vulnerabilities
4.8.16     OTG-INPVAL-016        Testing for HTTP Splitting/Smuggling
4.9        Error Handling
4.9.1      OTG-ERR-001           Analysis of Error Codes
4.9.2      OTG-ERR-002           Analysis of Stack Traces
4.10       Cryptography
4.10.1     OTG-CRYPST-001        Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection
4.10.2     OTG-CRYPST-002        Testing for Padding Oracle
4.10.3     OTG-CRYPST-003        Testing for Sensitive Information Sent via Unencrypted Channels
4.11       Business Logic Testing
4.11.1     OTG-BUSLOGIC-001      Test Business Logic Data Validation
4.11.2     OTG-BUSLOGIC-002      Test Ability to Forge Requests
4.11.3     OTG-BUSLOGIC-003      Test Integrity Checks
4.11.4     OTG-BUSLOGIC-004      Test for Process Timing
4.11.5     OTG-BUSLOGIC-005      Test Number of Times a Function Can be Used Limits
4.11.6     OTG-BUSLOGIC-006      Testing for the Circumvention of Work Flows
4.11.7     OTG-BUSLOGIC-007      Test Defenses Against Application Mis-use
4.11.8     OTG-BUSLOGIC-008      Test Upload of Unexpected File Types
4.11.9     OTG-BUSLOGIC-009      Test Upload of Malicious Files
4.12       Client Side Testing
4.12.1     OTG-CLIENT-001        Testing for DOM Based Cross Site Scripting
4.12.2     OTG-CLIENT-002        Testing for JavaScript Execution
4.12.3     OTG-CLIENT-003        Testing for HTML Injection
4.12.4     OTG-CLIENT-004        Testing for Client Side URL Redirect
4.12.5     OTG-CLIENT-005        Testing for CSS Injection
4.12.6     OTG-CLIENT-006        Testing for Client Side Resource Manipulation
4.12.7     OTG-CLIENT-007        Test Cross Origin Resource Sharing
4.12.8     OTG-CLIENT-008        Testing for Cross Site Flashing
4.12.9     OTG-CLIENT-009        Testing for Clickjacking
4.12.10    OTG-CLIENT-010        Testing WebSockets
4.12.11    OTG-CLIENT-011        Test Web Messaging
4.12.12    OTG-CLIENT-012        Test Local Storage

Source: https://www.owasp.org/index.php/Testing_Checklist
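Several checklist items are passive configuration checks that can be verified from a single HTTP response. As an added example (not code from the original page or from OWASP), the Python below audits a constructed response against three of them: OTG-CONFIG-007 (HSTS), OTG-SESS-002 (cookie attributes) and OTG-CONFIG-006 (HTTP methods advertised in Allow). SAMPLE_RESPONSE, MIN_HSTS_AGE and the list of methods flagged are assumptions chosen for the illustration.

```python
import re

# Constructed sample response (not captured from a real site): it shows a
# short-lived HSTS policy, one weakly flagged cookie and TRACE advertised.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=3600\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: csrf=xyz; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "Allow: GET, POST, TRACE\r\n"
    "\r\n"
)
MIN_HSTS_AGE = 31536000  # one year; assumed threshold for this example


def parse_headers(raw):
    """Return (name, value) pairs, names lower-cased; Set-Cookie may repeat."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = [line.partition(":") for line in head.split("\r\n")[1:]]
    return [(n.strip().lower(), v.strip()) for n, _, v in pairs]


def audit_response(raw):
    """Map header weaknesses to the OTG checklist items they fall under."""
    headers = parse_headers(raw)
    findings = []
    # OTG-CONFIG-007: HSTS must be present, long-lived and cover subdomains
    hsts = [v for n, v in headers if n == "strict-transport-security"]
    if not hsts:
        findings.append(("OTG-CONFIG-007", "HSTS header missing"))
    else:
        m = re.search(r"max-age=(\d+)", hsts[0], re.I)
        age = int(m.group(1)) if m else 0
        if age < MIN_HSTS_AGE:
            findings.append(("OTG-CONFIG-007", f"HSTS max-age too short ({age}s)"))
        if "includesubdomains" not in hsts[0].lower():
            findings.append(("OTG-CONFIG-007", "HSTS lacks includeSubDomains"))
    # OTG-SESS-002: every cookie should carry Secure, HttpOnly and SameSite
    for _, v in (h for h in headers if h[0] == "set-cookie"):
        name = v.split("=", 1)[0]
        attrs = {a.strip().split("=")[0].lower() for a in v.split(";")[1:]}
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append(("OTG-SESS-002", f"cookie '{name}' lacks {flag}"))
    # OTG-CONFIG-006: methods that should not normally be advertised in Allow
    allow = [v for n, v in headers if n == "allow"]
    methods = {x.strip().upper() for x in allow[0].split(",")} if allow else set()
    for bad in sorted(methods & {"TRACE", "PUT", "DELETE", "CONNECT"}):
        findings.append(("OTG-CONFIG-006", f"{bad} method enabled"))
    return findings
```

Each finding is tagged with the checklist reference it supports, so results can be dropped straight into the report section for that test.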

Web Application Penetration Testing Tools

  • Burp Suite Professional
  • OWASP ZAP
  • Curl
  • testssl.sh
