Web Application Penetration Testing: How Does it Work?

Web Application Penetration TestingYour colleagues or your boss are talking about penetration testing (or pen testing or penetration test or pen test or pentest). You’re asked to explain them what it is, how it’s done, or what is tested? (cause you’re the tech one, so you surely know that stuff, right? Especially if it’s not your field.)

So here are some key elements to answer them, clear and simple. For more details, feel free to contact us.

 

Objective of a Web Application Penetration Testing?

To strengthen the security of your web platform, webservices and/or related APIs.

 

What is it?

Penetration test = a realistic potential attack on your web application/ service/ solution/ system.

We use the current tools and methods of malicious hackers to attack you as they could do. The aim is to find flaws and vulnerabilities, so that you can fix them before attackers use them against you.

More concretely, we try to access to data, network, services, etc. that shouldn’t be public or allowed for that category of users. We investigate if functionalities could be misused.

 

How Does it Work? How Do we Do a Pentest?

Let’s have a short reminder about how’s working a website.
A request is sent by the user’s browser to the web server, which answers with the code of the internet page. This code is then used by the browser to build the web page.

Our pentesters (the security experts specialized in pen testing) intercept the traffic between the browser and the web application to look into the web request. They verify how the request is written, if they can add elements, modify fields, receive more information…

Their purpose is to understand how is working the web application and then to try to manipulate its functioning, in order to make it send “unnormal” answers (not the one planned).

The interesting “unnormal” answers can be:

  • displaying database elements,
  • enumerating documents,
  • disclosing technical information (as the technologies and the versions used),
  • bypassing restrictions (as sign-in without credentials),
  • crashing the service,
  • redirecting users on other – potentially malicious – websites,
  • defacing webpages (in order to damage the company’s image),
  • etc.

 

What is Tested?

Our pentesters test:

  • Every functionality of the web application
  • Implementation & usages of the third-party components
  • Server and its different services (web, mail, FTP, SSH…)
  • Security configurations of each element
  • Company’s politic: updates, team work methods (processes, how is the code shared? …).

Penetration testing can focus only on technical elements or also include social engineering. For more details, this article explains what social engineering in a web security audit is.

 

What Happens Once the Pentest is Finished?

The results of the tests are reported. We document very precisely what has been tested and what was found. The developers will be using the report to remediate to the flaws.

It’s mostly a technical report. Everything that was tested is listed, and it details:

  • which flaws and vulnerabilities were found,
  • where they were found,
  • what they are,
  • why they are an issue, and how they can be used by attackers,
  • how they were exploited during the penetration testing,
  • and remediation recommendations to correct them.

The vulnerabilities are rated taking into consideration the probability and potential impact. You can read more about how the risks associated with each vulnerability are assessed.

 

After reading this article, we believe you’ll be able to answer the main questions of your colleagues or boss about penetration testing. To go further, we have answered 7 questions to help you get the most out of a penetration testing. It will give you some good clues if you need to advice someone about when to do a pentest, which technologies are tested, etc.

For more specific information, don’t hesitate to contact us.