Checklist: what’s looked at in a web application penetration test?
The purpose of a web application penetration test is to identify and fix security risks in your system before real hackers get to it. While you can build an application with common security issues in mind, you don't really know where the flaws are until you deliberately try to expose them.
What does a web application penetration test involve?
While there are no hard and fast rules about what you should check, certain functions are commonly tested so that results are meaningful and comparable. Testers may follow a particular framework or security policy, such as OWASP's or the Australian government's guidelines.
Overall, web app security testers are trying to:
- Gather sensitive information.
- Identify and expose application vulnerabilities.
- Deliberately breach security as a hacker might.
- Report back and provide solutions to mitigate future risk.
A thorough team of testers looks at external threats and internal risks alike: not all threats come from outside the organisation.
Checklist for a web application penetration test
Here are 10 examples of areas your web application testing team may examine.
1) Network firewall testing
Your network firewall stops traffic you don't want from reaching your web application. A problem with your firewall makes it easy for hackers to get in. Penetration testing makes sure your security policies are being enforced as intended.
2) Spam email testing
Another common route for hackers is spam email. With the right filters in place, your system should be able to filter out the most dangerous messages. Testers make sure your filters are actually blocking the right emails.
3) Contact form testing
Your web contact forms are an easy and common way for cyber criminals to get into your system. Input validation testing is crucial if you're to remain secure, and your testing team should recommend which tools to use to identify and prevent spam attacks.
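As an added illustration of what input validation on a contact form looks like (this is example code written for this article, not Biztech's or any particular product's), the function below validates a submission and returns the list of problems found. Field names, length limits, the link threshold and the email pattern are assumptions chosen for the example; the line-break check matters because contact forms are often relayed as email, where a stray line break in a single-line field would be read as the start of a new mail header.

```python
import re
from typing import Dict, List

# Constructed limits for a hypothetical contact form; tune them to your own fields.
MAX_NAME_LEN = 100
MAX_MESSAGE_LEN = 2000
MAX_LINKS = 3
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def validate_contact_form(fields: Dict[str, str]) -> List[str]:
    """Return a list of validation errors; an empty list means the submission is acceptable."""
    errors: List[str] = []
    name = fields.get("name", "")
    email = fields.get("email", "")
    message = fields.get("message", "")

    # Single-line fields must not contain line breaks: when the submission is
    # relayed as an email, a line break here would be treated as a new header.
    for label, value in (("name", name), ("email", email)):
        if "\r" in value or "\n" in value:
            errors.append(f"{label}: line breaks are not allowed")

    if not name.strip():
        errors.append("name: required")
    elif len(name) > MAX_NAME_LEN:
        errors.append(f"name: must be at most {MAX_NAME_LEN} characters")

    if not EMAIL_RE.match(email):
        errors.append("email: not a valid address")

    if not message.strip():
        errors.append("message: required")
    elif len(message) > MAX_MESSAGE_LEN:
        errors.append(f"message: must be at most {MAX_MESSAGE_LEN} characters")

    # Crude spam heuristic: automated submissions tend to be stuffed with links.
    if len(URL_RE.findall(message)) > MAX_LINKS:
        errors.append(f"message: more than {MAX_LINKS} links")

    return errors


if __name__ == "__main__":
    sample = {"name": "Alice Smith", "email": "alice@example.com",
              "message": "Please call me about your services."}
    print(validate_contact_form(sample))          # []
    print(validate_contact_form({"name": "", "email": "nope", "message": ""}))
```

Rejecting the whole submission with a clear list of reasons, rather than silently trimming fields, also makes the form's behaviour easy to verify during a test.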
4) Proxy server testing
Proxy servers inspect incoming web traffic before it reaches your application and redirect it if necessary. When they're working well, you'll be aware of anything suspicious before it reaches your servers. Penetration testers can use several tools to see how well your servers react and to check that appropriate protocols are in place.
5) Security vulnerability testing
This test looks more broadly at risks to your entire system, such as your servers and other network devices. Your testers aim to find vulnerabilities, test them, and fix them.
6) Open port testing
Any open port is a potential gateway for hackers. Your testers assess the vulnerabilities exposed through your open ports and check that the right security settings are in place so that attackers can't get into your network.
7) Username and password testing
Checking all of the username and password combinations registered for your web application allows the testers to identify weak combinations and suggest changes. Hackers have methods of cracking poor passwords, so it's crucial your organisation makes that as difficult as possible.
8) Denial of service (DoS) attack testing
A DoS attack is when hackers flood your application to the point where it can't process normal requests, such as those from your staff or customers. Penetration testers use a range of application security testing tools to make sure your system can withstand these kinds of malicious cyber attacks.
9) Access permission testing
Many web applications grant different levels of access to different employees so that each only sees what they need to. Occasionally this goes awry, so your testers check that every setting grants access to the right areas and documents, and that individual users have the correct restrictions.
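The check described here is, in practice, an access matrix: every user is tried against every resource and the result compared with the intended policy. The example below is added for this article (it is not Biztech's code) and uses constructed users, documents and roles. It shows an endpoint that only checks that the caller is logged in, the hardened version that also applies the per-document policy, and the matrix test that reports every (user, document) pair where data is returned although the policy says it should be denied.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class User:
    name: str
    role: str          # "admin", "manager" or "staff" (constructed roles)
    department: str


@dataclass(frozen=True)
class Document:
    doc_id: int
    department: str
    confidential: bool


# Constructed sample data for the walkthrough.
USERS = [
    User("alice", "admin", "it"),
    User("bob", "manager", "finance"),
    User("carol", "staff", "finance"),
    User("dave", "staff", "sales"),
]
DOCUMENTS: Dict[int, Document] = {
    1: Document(1, "finance", confidential=False),
    2: Document(2, "finance", confidential=True),
    3: Document(3, "sales", confidential=False),
}


def policy_allows(user: User, doc: Document) -> bool:
    """The intended rule: admins see everything; everyone else sees only their own
    department, and confidential documents only if they manage that department."""
    if user.role == "admin":
        return True
    if doc.department != user.department:
        return False
    return (not doc.confidential) or user.role == "manager"


def fetch_document_unchecked(user: Optional[User], doc_id: int) -> Optional[Document]:
    """Endpoint that only checks the caller is logged in, then looks the document
    up by id: the per-object authorization check is missing."""
    if user is None:
        raise PermissionError("login required")
    return DOCUMENTS.get(doc_id)


def fetch_document(user: Optional[User], doc_id: int) -> Optional[Document]:
    """Hardened endpoint: same lookup, but denied unless the policy allows it."""
    if user is None:
        raise PermissionError("login required")
    doc = DOCUMENTS.get(doc_id)
    if doc is not None and not policy_allows(user, doc):
        raise PermissionError(f"{user.name} may not read document {doc_id}")
    return doc


def find_permission_gaps(
    endpoint: Callable[[Optional[User], int], Optional[Document]]
) -> List[Tuple[str, int]]:
    """Exercise every (user, document) pair against an endpoint and report the pairs
    where data came back even though the policy says access should be denied."""
    gaps: List[Tuple[str, int]] = []
    for user in USERS:
        for doc_id, doc in DOCUMENTS.items():
            try:
                returned = endpoint(user, doc_id)
            except PermissionError:
                returned = None
            if returned is not None and not policy_allows(user, doc):
                gaps.append((user.name, doc_id))
    return gaps


if __name__ == "__main__":
    print("unchecked endpoint gaps:", find_permission_gaps(fetch_document_unchecked))
    print("hardened endpoint gaps: ", find_permission_gaps(fetch_document))
```

The matrix test is deliberately written against the policy function rather than against hand-picked cases, so adding a user or a document automatically extends the coverage of the check.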
10) Error message testing
The wording of your error messages can give hackers plenty of clues. Your testers check that only the right level of information is disclosed wherever an error message may appear.
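To make the "right level of information" concrete, here is an added example (written for this article, not taken from Biztech or any framework) of the two halves of the check: a small detector that flags response bodies containing the kinds of detail an error page should not reveal (stack traces, source file locations, server paths, SQL fragments), and an error handler that logs the full exception server-side under a reference id while returning only that id to the client. The detector's patterns are a constructed starting list, not an exhaustive one.

```python
import logging
import re
import traceback
import uuid
from typing import Any, Callable, Dict, List, Tuple

log = logging.getLogger("app")

# Constructed patterns that mark a response body as revealing internals.
LEAK_PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("python traceback", re.compile(r"Traceback \(most recent call last\)")),
    ("source location", re.compile(r'File "[^"]+\.py", line \d+')),
    ("java stack frame", re.compile(r"\bat [\w.$]+\([\w]+\.java:\d+\)")),
    ("server path", re.compile(r"(/var/www|/home/\w+|/srv/|[A-Z]:\\)")),
    ("sql fragment", re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b.*\b(FROM|INTO|SET)\b", re.I)),
]


def leaks_internal_details(body: str) -> List[str]:
    """Return the names of every leak pattern found in a response body."""
    return [name for name, pattern in LEAK_PATTERNS if pattern.search(body)]


def verbose_error_response(exc: BaseException) -> Tuple[int, str]:
    """What a default debug-mode error page tends to do: echo the whole traceback."""
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    return 500, "Internal error:\n" + detail


def safe_error_response(exc: BaseException) -> Tuple[int, Dict[str, str]]:
    """Log the full detail server-side under a reference id; tell the client only the id."""
    ref = uuid.uuid4().hex[:12]
    log.error("unhandled error ref=%s", ref, exc_info=exc)
    return 500, {
        "error": f"Something went wrong. Quote reference {ref} when contacting support.",
        "ref": ref,
    }


def handle_request(handler: Callable[[], Any], safe: bool = True) -> Tuple[int, Any]:
    """Run a request handler and convert any unhandled exception into a response."""
    try:
        return 200, handler()
    except Exception as exc:  # noqa: BLE001 - the point is to catch everything
        return safe_error_response(exc) if safe else verbose_error_response(exc)


def failing_handler() -> Any:
    """Constructed handler that always fails, standing in for a real request."""
    raise RuntimeError("database connection refused")


if __name__ == "__main__":
    status, body = handle_request(failing_handler, safe=False)
    print(status, leaks_internal_details(body))   # e.g. ['python traceback', 'source location']
    status, body = handle_request(failing_handler, safe=True)
    print(status, body, leaks_internal_details(body["error"]))   # 500 {...} []
```

During a test, the detector is run over every error response the application produces (404s, validation failures, unexpected 500s); the reference id in the safe response is what lets support staff find the logged detail without the client ever seeing it.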
For more information about what's involved in a web application penetration test, or to enquire about how we can help you get started, contact the Biztech team today.