Best practices for pen testing Web applications


Michael Cobb
03.09.2006

Pen testing can be a useful tool for gauging a Web application's ability to withstand an attack. However, if performed incorrectly, it is of little value and, even worse, can create a false sense of security. In this tip, we'll examine what a Web application pen test is, offer strategies for getting the most out of one and, most importantly, describe the procedures that prevent that false sense of security.

Web application pen testing involves testing a running application remotely, without knowing the inner workings of the application itself, in order to find possible vulnerabilities. To avoid an inefficient scattergun approach, perform a series of methodical, repeatable tests that work through each class of application vulnerability in turn. Because pen testing is not an exact science, it is best to investigate any existing concerns within such a testing framework rather than ad hoc. Below are three steps you can take to ensure your pen test is a success:

  1. Gather as much information as possible about the application and the infrastructure it resides on.

  2. Perform an infrastructure-level pen test to check how the infrastructure is deployed and secured. If the application server can be exploited, it can give you more leverage in exploiting the Web application.

  3. When testing the application, look for any entry points where user input is accepted and dynamic content is generated. Then, probe these areas for weaknesses in input validation, session manipulation, authentication and information leakage. If any internal information is leaked, it should be recorded and used to re-assess your overall understanding of the application and how it works.
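The entry-point inventory that step 3 is probed against can be built methodically rather than by hand. The following is an added example, not code from the article: it parses HTML pages with the standard library and records every form field and every parameterised link as a (method, URL, parameter names) entry point. The SAMPLE_PAGES and the app.example host are constructed for the demonstration.

```python
# Added example (not the article's code): builds the entry-point inventory that step 3 probes.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, parse_qs


class EntryPointParser(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.entry_points = []  # (method, url, sorted parameter names)
        self._form = None       # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"method": (a.get("method") or "GET").upper(),
                          "url": urljoin(self.base_url, a.get("action") or ""),
                          "params": set()}
        elif tag in ("input", "textarea", "select") and self._form:
            # Hidden fields count too: anything the client sends is user input.
            if a.get("name"):
                self._form["params"].add(a["name"])
        elif tag == "a" and a.get("href"):
            url = urljoin(self.base_url, a["href"])
            query = parse_qs(urlparse(url).query, keep_blank_values=True)
            if query:  # a link carrying a query string is a GET entry point
                self.entry_points.append(("GET", url.split("?", 1)[0], tuple(sorted(query))))

    def handle_endtag(self, tag):
        if tag == "form" and self._form:
            f = self._form
            self.entry_points.append((f["method"], f["url"], tuple(sorted(f["params"]))))
            self._form = None


def inventory(pages):
    """pages: {url: html}. Returns a sorted, de-duplicated list of entry points."""
    found = set()
    for url, html in pages.items():
        parser = EntryPointParser(url)
        parser.feed(html)
        found.update(parser.entry_points)
    return sorted(found)


SAMPLE_PAGES = {  # constructed sample pages, not a real application
    "http://app.example/login": '<form action="/login" method="post"><input name="user">'
        '<input name="pass" type="password"><input type="hidden" name="csrf"></form>'
        '<a href="/search?q=&page=1">search</a>',
    "http://app.example/account": '<a href="/account?id=42">me</a>'
        '<form action="profile"><textarea name="bio"></textarea></form>',
}
```

Each entry in the returned list is one place to probe for input validation, session, authentication and information-leakage weaknesses, and the list doubles as the record of what was tested.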

If at any point you uncover a serious vulnerability that could lead to an application or system compromise, inform the system administrator or relevant contact about the risks. Once the tests are complete, record the results, report which vulnerabilities were tested and provide risk assessments for any vulnerabilities found.

To help you plan your pen test, you can use the checklist of Web application vulnerabilities in the Open Source Security Testing Methodology Manual (OSSTMM) from the Open Web Application Security Project (OWASP), which you can download at http://www.owasp.org/documentation/testing.html. OWASP is currently developing a framework for testing the security of Web applications, which will provide technical details on how to use source code inspection and pen testing to look for specific issues.

You can also use tools that automate the process, but it's important to note that because Web applications are usually custom-made, these tools can be ineffective. Fortunately, the latest products are more advanced. Early automated scanners pointed out long lists of vulnerabilities, but did little to assist in fixing them. New products, such as SPI Dynamics' SPI ToolKit, provide more comprehensive reports and information on how to avoid the latest threats.

Some companies choose to use consultants to perform pen tests. If you prefer this route, review their service-level agreement. For example, those who use the OSSTMM must abide by various rules and guidelines of acceptable practices, such as how testing is carried out, and how the results are handled. In addition, because pen testing depends on the skill of the tester, I recommend hiring a Certified Penetration Testing Professional (CPTP).

As a final option, you can also pen test an application after it is deployed. Post-deployment tests provide a final assessment of the code's ability to withstand an attack, but because they occur late in the software development life cycle they should not be your only security testing technique: a test the application passes does not necessarily mean it is secure. To improve the security of your applications, you must improve the quality of the software development process. This means testing security at the definition, design, development, deployment and maintenance stages, rather than relying on the costly strategy of waiting until the application is complete.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for SearchSecurity's Web Security School and, as a SearchSecurity.com site expert, answers user questions on application and platform security.
