A Guide to Web Application Pen Testing | Sapphire

Penetration tests help evaluate an organisation’s overall security, working to seek vulnerabilities in an application. Because of this, there are many ways in which pen tests can be conducted.

One of these ways is ‘web application penetration testing.’ This type of pen test includes four steps:

1. Information gathering, targeting, or network mapping
2. Vulnerability mapping and exploitation
3. Reporting and recommendations
4. Remediation and ongoing support

As organisations conduct more business online and deliver services for convenience, these systems are open to being exploited. Sapphire will test these, advise on the security configuration and weaknesses within a selected website or application.

Check out our article below for your complete guide to web application penetration tests from how to conduct them to why they are important for your organisation.

What is Web Application Penetration Testing?

As mentioned above, web application pen testing requires steps to gather information, find vulnerabilities in applications, and research for any areas that attackers could exploit.

Techopedia suggests that:

‘Web application penetration testing works by using manual or automated penetration tests to identify any vulnerability, security flaws, or threats in a web application. The tests involve using/implementing any of the known malicious penetration attacks on the application. The penetration tester exhibits/fabricates attacks and environment from an attacker’s perspective, such as using SQL injection tests.’

Why are Web Application Tests Important?

Many web applications hold sensitive data, so it is important to keep them secure. The following are key sites functions that Sapphire would test:

• Ensure the application is suitably protected from unauthenticated users gaining access to customer or admin data services. In a parallel test, the web applications are suitably protected from malicious authenticated users.
• Confirm there are the correct user management practices in place to prevent horizontal and vertical privilege escalation to get personal details.
• Assess that it is correct segregation between standard and admin-based accounts to confirm that standard user A cannot see admin B’s information.
• Confirm the application encrypts data that is exchanged between the client and the website.
• Test for out-of-date software containing known security weaknesses.
• Check for information leakage and error messages that could provide an attacker valuable information to use against the site.
• Review the ability to upload and download files from the application.
• Confirm any login areas are enforcing strong passwords.

What Steps are Used in Web Application Penetration Testing?

Typically, the test will be completed in two stages, initially with no authentication to the application, and then with a valid user account for testing privilege escalation vulnerabilities and assess any weaknesses in the authentication and authorisation mechanisms.

Sapphire follows the OWASP (Open Web Application Security Project) 2017 guidelines. Sapphire’s pen testing will focus on the top 10 application threats, namely:

• OWASP A1 – Injection Flaws
• OWASP A2 – Broken Authentication
• OWASP A3 – Sensitive Data Exposure
• OWASP A4 – XML External Entities (XXE)
• OWASP A5 – Broken Access Control
• OWASP A6 – Security Misconfiguration
• OWASP A7 – Cross-Site Scripting (XSS)
• OWASP A8 – Insecure Deserialisation
• OWASP A9 – Components with Known Vulnerabilities
• OWASP A10 – Insufficient Logging & Monitoring
• Plus, other issues identified during the test

We will check the authentication and validation, all website functionality, and the overall end-to-end user journey using the guide.

What Tools are Available for Web Application Penetration Testing?

As mentioned above, Nmap, Burp Site, and others can help enumerate the target system to discover live ports.

Below is a list of some effective tools for web application pen testing:

• W3af
• Burp Suite
• SQLMap
• Metasploit
• Hydra
• John Ripper
• Skipfish
• Ratproxy
• Wfuzz
• Watcher

What are the Top Five Common Vulnerabilities Found in Web Application Penetration Testing?

Over the last year, the technological landscape has changed dramatically across the globe. More businesses than ever are investing in large and robust infrastructures, but the unfortunate truth is severe, and high-level cybersecurity weaknesses are more common today in 2021 than in 2020.

Many corporate entities focused on remote working have dedicated the bulk to securing endpoints, preventing phishing, and avoiding malicious websites or code. This has severely lacked web security because of hurried and often rushed implementations, mismanaged web application firewalls, or even a simple lack of product knowledge. That means the security testing of websites is more important now than ever before.  

Remote Working: Opening up Security Vulnerabilities via Web Application Testing

With remote working being forecast as a long-term change to how the business world operates, many companies look to make their processes and practices accessible through web browsers, using custom-built applications and APIs.

While this is a positive move, an incorrect setup or implementation of this technology opens the door for attackers to exploit underdeveloped applications, gain access to company data, and lead to potentially severe data leaks, if not worse.

1. Missing HTTP Security Headers 

Summary: 

HTTP security headers are a subset of HTTP headers. They exchange HTTP headers between a web client (usually a browser) and a server to specify the security-related details of HTTP communication.  

Problem: 

When not using one or more of the many HTTP security headers, you decrease the security of web clients interacting with the web application. This might create a wide range of security issues, opening up the system to further and more invasive attacks on your valuable data.

Solution: 

Note that omitting these headers does not make up a vulnerability, but it is a best practice. By enabling suitable titles in web applications and web server settings, you can improve the resilience of your web application against many common attacks, including click jacking. 

2. Missing Cookie Attributes 

Summary: 

Cookies are small data packets a server sends to your browser to store information, such as a webpage configuration or personal data. The browser automatically sends them along with all requests to that same server. The contents are precious to hackers, so it is essential to know how to secure these cookies. 

Problem: 

It can set several flags to increase the security of the cookies used. These include “SameSite”, “HTTPOnly” and “Secure”. If one or more of these are not set, an attacker may access the information and settings stored within each affected cookie, becoming an immediate security threat to personal and company data. 

Solution: 

The first solution is to don’t store data in cookies unless you have to. However, you can option set on all cookies across the estate. Use Session cookies if possible, or impose strict expirations. HttpOnly and the Secure flags will help keep your site safe, while SameSite flags will avoid other websites linking to your site.  

3. Insecure JavaScript Libraries in Use 

Summary: 

JavaScript libraries are collections of JavaScript functions in one or more scripts. While libraries speed up the development of websites, many of these libraries are open-source, and the prime source of these codes is often out of the end-users hands.  

Problem: 

Older versions of the JavaScript libraries used often have known security issues. Depending on how the libraries are used, this may introduce a Cross-Site Scripting (XSS) vulnerability into the application. While they usually resolve vulnerabilities in the next release of the library, it is a constant operation to stay ahead of additional problems. 

Solution: 

The immediate solution is to clearly and concisely record your company’s libraries and regularly review the currently used software libraries. Keeping abreast of changes and vulnerabilities and updating them as part of the software development life cycle will mitigate many potential problems. 

4. Weak Cipher Suites Supported 

Summary: 

Transport Layer Security (TLS) and its predecessor, Secure Socket Layer (SSL), are widely used protocols to secure data transfer through authentication, encryption, and integrity protection. TLS/SSL uses a combination of authentication, encryption, and message authentication code (MAC) algorithms known as cipher suites to secure data transfer.  

Problem: 

A remote host may support the use of weak cipher suites, which are insufficiently protected against known cryptographic attacks. This could allow a suitably positioned attacker to decrypt some or all the data back to plaintext, exposing the data externally. These attacks are well known, although they require an attacker to perform a man-in-the-middle attack, and the attacks are often non-trivial to execute. Common issues include weak ciphers being supported, known vulnerable encryption algorithms, padding oracle issues, and attacks against a key exchange. 

Solution: 

SSL/TLS should have their configuration hardened to support robust encryption algorithms with suitably long key lengths. Several SSL hardening solutions should be considered, such as disabling all versions of SSL and using TLS instead, and disabling all ciphers other than those that are FIPS-140 compliant or considered vital by NISP SP-800. Diffie-Hellman Key Exchange (DHE) is used, the key should be 2048 bits or greater, and the symmetric cipher’s key length should be 112 bits or greater.

In addition, disabling known vulnerable ciphers such as RC4, Anonymous and NULL should almost always be considered. There is no simple answer to weak cipher suites, so a dedicated web application penetration testing team would always be our first suggestion. 

5. Information Disclosure via Verbose Error Messages 

Summary: 

When custom error pages have not been implemented on an application, it is common to see overly verbose error messages displayed to the user when submitting an error-inducing request.

Examples include requesting a parameter or function that does not exist on the application or requesting the application to perform a process it was not otherwise intended to do, such as submitting a malformed SQL request or request parameter. These errors can vary and may take the form of Stack Trace errors, database errors, or generic application errors that unintentionally disclose other sensitive details.  

Problem: 

These error messages can often disclose sensitive information about the application’s internal workings that an attacker could use to create more tailored and sophisticated attacks based on the information disclosed. 

An example of this would be a lengthy error message suggesting a specific file cannot be opened due to access rights when a non-authorised user should not be aware such a file even exists. It is essential to note that most web application attacks go undetected because so few sites can see them. Therefore, the importance of penetration testing to secure your network against security attacks is likely to be underestimated. 

Solution: 

It should implement functionality within the application that detects when an error has occurred and redirects the user to a custom error page that does not disclose any form of sensitive data. These errors that should induce a redirect to a custom error page should include 403 Forbidden Errors, 404 Not Found pages, and 500 Internal Error pages. Alternatively, simply redirecting a user to the application’s home page can also reduce the level of information disclosed. 

Putting Web Application Security All Together 

While the top five vulnerabilities paint a worrying picture of just how hard it is to protect a company’s online solutions, the truth is these only scratch the surface of the many ways attackers seek to exploit weaknesses in a new, developing world following recent events.

That is why it would always be our suggestion that organising a web penetration test with Sapphire is the best solution in protecting your company and the most vulnerable route to its data.

Why Choose Sapphire?

Sapphire’s web penetration testing team will test the customer user journey and site functionality based on an authenticated and unauthenticated perspective. As part of our structured technical reports, Sapphire’s IT security will respond to your crucial security questions, ensuring you are protecting the correct way, such as:

“Are most web applications suitably protected from unauthenticated users gaining access to the user, customer, or admin data services?”

“Are the web applications suitably protected from malicious authenticated users?”

“Are the correct user management practices in place to prevent horizontal and vertical privilege escalation to get personal details?”

“Is there correct segregation between the users and admin accounts?”

With a 25 year history of making these guidelines our mantra in application penetration testing, Sapphire uses many checks to ensure the safety of our customers. Our dedicated team of web application penetration testers is experienced in finding unknown vulnerabilities in your networks. Our ethical hackers identify vulnerabilities via web app pen testing, helping to create a secure system for your organisation.

When carrying out any penetration testing or vulnerability assessment assignments, Sapphire testers will adhere to guidelines, codes of ethics, and principles published by:

OWASP:             The Open Web Application Security Project.

CREST:               Council of Registered Ethical Security Testers.

CHECK:              NCSC IT Health Check.

TIGER:                A commercial certification scheme for technical security specialists.

Sapphire testers will always work within current legislation; the Computer Misuse Act and its various amendments, Data Protection, and other relevant laws and acts will be observed during any testing and/or data handling procedures.

Our custom toolkits and well-established commercial penetration testing tools are not possible using automated scanners. Our pen test services also adjust to your business’s requirements from external testing, firewall configuration reviews, mobile application testing, internal infrastructure, network-level testing, and more.

Things to Take Away from Web App Pen Testing

While the potential vulnerabilities listed above are what we consider the most commonly seen, it is the tip of the iceberg with exploitable holes in the defence of most online applications. It is essential to realise that the threat of data loss and cyber-attacks are genuine and should be treated as seriously as any other security your business needs so that you’re not caught with your guard down.  

The best way to tell if your website or server is vulnerable is to conduct regular security audits, and this will often mean looking to outside specialists and experts in that field, such as Sapphire. With over 25 years of experience, a company in Sapphire’s position can relieve the pressure from your internal teams and provide the security your company needs to thrive in the new normal we have all found ourselves in. 

Across the world, we spent the last year telling each other to stay safe in these uncertain times. As company infrastructure changes to be more web-based than ever before, we keep that message in mind across all facets of our lives, personal and working. Practice safe website security measures and always be ready to protect yourself and your company’s future from an attack that you might never recover from.