Pen testing can be a useful tool for gauging a Web application's ability to withstand an attack. However, if performed incorrectly, it is of little value and even worse, can create a false sense of security. In
Web application pen testing involves testing a running application remotely, without knowing the inner workings of the application itself, in order to find possible vulnerabilities. To avoid an inefficient scattergun approach, the best way to perform them is to carry out a series of methodical and repeatable tests, and to work through all of the different application vulnerabilities. However, because pen testing is not an exact science, it is best to troubleshoot any existing concerns within a testing framework. Below are three steps you can take to ensure your pen test is a success:
- Gather as much information as possible about the application and the infrastructure it resides on.
- Perform an infrastructure-level pen test to check how the infrastructure is deployed and secured. If the application server can be exploited, it can give you more leverage in exploiting the Web application.
- When testing the application, look for any entry points where user input is accepted and dynamic content is generated. Then, probe these areas for weaknesses in input validation, session manipulation, authentication and information leakage. If any internal information is leaked, it should be recorded and used to re-assess your overall understanding of the application and how it works.
If at any point you uncover a serious vulnerability that could lead to an application or system compromise, inform the system administrator or relevant contact about the risks. Once the tests are complete, record the results, report which vulnerabilities were tested and provide risk assessments for any vulnerabilities found.
To help you plan your pen test, you can use the checklist of Web application vulnerabilities in the Open Source Security Testing Methodology Manual (OSSTMM) from the Open Web Application Security Project (OWASP), which you can download at http://www.owasp.org/documentation/testing.html. The OWASP is currently developing a framework for testing the security of Web applications, and will provide technical details on how to use source code inspection and pen testing to look for specific issues.
You can also use tools that automate the process, but it's important to note that because Web applications are usually custom-made, these tools can be ineffective. Fortunately, the latest products are more advanced. Early automated scanners pointed out long lists of vulnerabilities, but did little to assist in fixing them. New products, such as SPI Dynamics' SPI ToolKit, provide more comprehensive reports and information on how to avoid the latest threats.
Some companies choose to use consultants to perform pen tests. If you prefer this route, review their service-level agreement. For example, those who use the OSSTMM must abide by various rules and guidelines of acceptable practices, such as how testing is carried out, and how the results are handled. In addition, because pen testing depends on the skill of the tester, I recommend hiring a Certified Penetration Testing Professional (CPTP).
As a final option, you can also pen test an application after it is deployed. However, while post-deployment tests provide a final assessment of the code's ability to withstand an attack, because it occurs late in the software development life cycle, it should not be your only security testing technique, as a successful test doesn't necessarily mean your application is secure. To improve the security of your applications, you must improve the quality of the software development processes. This means testing the security at the definition, design, development, deployment and maintenance stages, and not relying on the costly strategy of waiting until the application is completed.
About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for SearchSecurity's Web Security School and, as a SearchSecurity.com site expert, answers user questions on application and platform security.
This was first published in March 2006