The approach to testing a web application is as follows:
1. Application walkthrough and scope of testing:
At the beginning of the web application penetration testing process, the penetration tester establishes the scope of the web application. Any open questions, such as out-of-scope paths/URLs and the credentials provided for testing the web application, are discussed in this step.
2. Environment: Dev/Test environment:
Penetration testing is typically conducted in an isolated environment known as the development (Dev) or test environment. Testing in this environment ensures that penetration testing activities do not affect the production application or its users. Once vulnerabilities are addressed and fixed, the changes can be safely deployed to the production environment.
3. Understanding the functionalities in the web applications:
In this step, the penetration tester takes the time to understand the web application's various features and functionalities. Understanding how the application works and what its technology stack is are crucial for identifying potential security flaws.
4. Preparation of applicable test cases based on functionality:
Based on the information gained from the application walkthrough, the penetration tester creates a set of test cases referring to the OWASP Top 10. The OWASP Top 10 is a widely recognised list of the most critical web application security risks. During penetration testing, the tester refers to this list as a guide to identify and classify vulnerabilities. These test cases are designed to assess the security of the web application and may cover various attack vectors such as injection attacks, broken access control, cross-site request forgery (CSRF), etc.
5. Automated scan:
Automated scans can be performed with tools such as OWASP ZAP (Zed Attack Proxy), Nessus and Burp Suite. These automated tools look for common security issues based on predefined rules and scripts.
6. Manual validation of identified gaps to remove false positives:
After the automated scan, the penetration tester manually validates each vulnerability identified by the scanner. Not all findings from automated scans are actual security issues; some are false positives, and these are removed before reporting.
7. Manual testing based on the test cases:
In addition to the automated scan, the penetration tester performs manual testing based on the test cases prepared in step 3. Manual testing allows the tester to simulate various attack scenarios and find vulnerabilities that automated tools may miss.
8. Documentation of proof of concept and evidence:
As the tester discovers vulnerabilities, they document the findings, along with the steps to reproduce for each vulnerability. This documentation includes proof of concept (PoC) code or evidence, demonstrating that the vulnerability exists and is exploitable.
9. Internal quality review:
Before the report of findings is produced, an internal quality review is conducted. This step ensures that the test results are accurate and complete and that a consistent methodology was followed.
10. Report of findings:
Based on the penetration tester's documentation and the internal quality review, a report is prepared. This report includes a detailed explanation of the identified vulnerabilities, their potential impact, and recommendations for remediation. The report is comprehensive and includes all the information the product team needs to understand the security issues and their resolution.
11. Retesting of vulnerabilities:
Once the development team has resolved the identified vulnerabilities based on the penetration tester's findings and recommendations, a retesting phase is conducted. During this phase, the penetration tester revisits the web application to verify that the reported vulnerabilities have been effectively remediated. In the retesting process, the penetration tester will attempt to exploit the previously identified vulnerabilities again to check if they have been properly patched and no longer pose a security risk. This helps ensure that the fixes implemented by the development team are effective and have not introduced any new issues.
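Steps 5 to 11 form a pipeline: scanner output is triaged, manually validated to drop false positives, turned into report findings with enough detail to reproduce, and then tracked through retest. The following Python is an added example of that bookkeeping (not code from the original text or from any tool named above); it assumes a constructed report shaped like OWASP ZAP's JSON export (site[].alerts[].instances[]), with invented hosts and findings.

```python
import json

# Constructed sample shaped like an OWASP ZAP JSON report (site[].alerts[].instances[]);
# the hostname, plugin ids and findings below are invented for illustration.
ZAP_REPORT = json.loads("""{"site": [{"@name": "https://dev.example.test", "alerts": [
 {"pluginid": "40018", "name": "SQL Injection", "riskcode": "3", "confidence": "2", "cweid": "89",
  "instances": [{"uri": "https://dev.example.test/search", "method": "GET", "param": "q"}]},
 {"pluginid": "10038", "name": "CSP Header Not Set", "riskcode": "2", "confidence": "3", "cweid": "693",
  "instances": [{"uri": "https://dev.example.test/", "method": "GET", "param": ""},
                {"uri": "https://dev.example.test/login", "method": "GET", "param": ""}]},
 {"pluginid": "10096", "name": "Timestamp Disclosure", "riskcode": "0", "confidence": "1", "cweid": "200",
  "instances": [{"uri": "https://dev.example.test/app.js", "method": "GET", "param": ""}]}]}]}""")

RISK_LABEL = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

def triage_queue(report):
    """One row per alert instance, ordered highest risk then highest confidence first,
    so manual validation (step 6) starts with the most serious reported gaps."""
    rows = []
    for site in report["site"]:
        for alert in site["alerts"]:
            for inst in alert["instances"]:
                rows.append({"plugin": alert["pluginid"], "name": alert["name"],
                             "risk": int(alert["riskcode"]), "confidence": int(alert["confidence"]),
                             "cwe": alert["cweid"], "uri": inst["uri"], "method": inst["method"],
                             "param": inst["param"], "status": "unvalidated"})
    rows.sort(key=lambda r: (-r["risk"], -r["confidence"]))  # stable sort keeps scanner order within ties
    return rows

def apply_verdicts(rows, verdicts):
    """Attach the tester's manual verdict ('confirmed' or 'false_positive') keyed by
    (plugin, uri, param); rows without a verdict stay 'unvalidated' and are never reported."""
    for r in rows:
        r["status"] = verdicts.get((r["plugin"], r["uri"], r["param"]), "unvalidated")
    return rows

def report_findings(rows):
    """Only confirmed findings go into the report (step 10), carrying the fields the
    product team needs to reproduce them and the tester needs to retest them."""
    return [{"title": r["name"], "severity": RISK_LABEL[r["risk"]], "cwe": "CWE-" + r["cwe"],
             "location": f'{r["method"]} {r["uri"]} param={r["param"] or "-"}'}
            for r in rows if r["status"] == "confirmed"]

def open_after_retest(findings, retest):
    """Retest (step 11): keep every finding whose fix was not verified as 'fixed' at its location."""
    return [f for f in findings if retest.get(f["location"]) != "fixed"]
```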