Read This Before Web Application Pen Testing


From simple forms to complex e-banking systems, we’ve tested thousands of web applications over almost two decades. And… we can confirm that a large percentage of web application exploitation vectors can only be discovered through penetration testing.

Web applications were the most common attack vector in 2023, appearing in 80% of incidents and 60% of breaches.


Here are the top recommendations we would give any company considering a web application pen test.


What Is Web Application Pen Testing?

Web application pen testing is when an offensive security team approaches a web application with a hacker’s mindset.

Penetration testers test web applications before, during, and after development and find web application exploitation paths that would otherwise be missed by scanning tools or by forgoing testing in the first place.

As an example of an exploitation pathway that scanners could miss, imagine an application that lists all user UUIDs (long identifier strings linked to users) somewhere in its interface.

In this application, there is a “change your password” function that takes the UUID of the current user as input.

If the application does not check that the provided UUID belongs to the logged-in user, the password change can be applied to any user of the application, which leads to account takeover.

An experienced web application pen testing team would find this exploitation pathway and flag it to the application’s owner.
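As an added example (not SECFORCE's code), here is the password-change handler described above, first with the missing ownership check and then bound to the authenticated session; the user store, UUIDs, session value and audit log are constructed stand-ins.

```python
import hashlib
import hmac
import os

# Constructed sample UUIDs: Alice is the victim, Bob the logged-in user.
ALICE = "3f2504e0-4f89-11d3-9a0c-0305e82c3301"
BOB = "9b2fd1c0-2e63-4c5f-8d9c-1a2b3c4d5e6f"
AUDIT_LOG = []  # the fixed handler records refused attempts here


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC; a production app should use a tuned KDF such as Argon2."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_password(password, salt, digest):
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def make_users():
    """Fresh in-memory user store keyed by UUID (constructed data)."""
    users = {}
    for uid, name, pw in ((ALICE, "alice", "alice-pass"), (BOB, "bob", "bob-pass")):
        salt, digest = hash_password(pw)
        users[uid] = {"name": name, "salt": salt, "digest": digest}
    return users


def change_password_vulnerable(users, session_uid, form):
    """The flaw the article describes: the UUID in the request body is trusted,
    so any authenticated user can reset any listed account."""
    target = users.get(form["uuid"])
    if target is None:
        return 404
    target["salt"], target["digest"] = hash_password(form["new_password"])
    return 200


def change_password_fixed(users, session_uid, form):
    """Hardened handler: the change is bound to the authenticated session, the
    current password is re-verified, and a mismatched UUID is refused and logged."""
    if form["uuid"] != session_uid:
        AUDIT_LOG.append(f"refused: session {session_uid} targeted {form['uuid']}")
        return 403
    target = users[session_uid]
    if not verify_password(form["current_password"], target["salt"], target["digest"]):
        return 401
    target["salt"], target["digest"] = hash_password(form["new_password"])
    return 200
```

The audit entry written on a 403 is the signal a monitoring team would alert on: a session submitting a UUID other than its own is tampering, not a user error.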

Web Application Testing Is Not The Same As Vulnerability Scanning

Our penetration testing vs. vulnerability scanning blog post covers this common misconception in more detail.

The bottom line: The results of a vulnerability scan (e.g., you have x number of CVEs, y number of High-Severity Vulnerabilities, z number of Medium-Severity Vulnerabilities, etc.) should not be taken as a comprehensive assessment of your real risk level.

In fact, some of the most dangerous exploitation pathways our testers find involve linking a series of low-risk vulnerabilities to give a user access to parts of a web application they shouldn't have.

Experienced penetration testing teams will find web application risks that vulnerability scanners or automated penetration testing tools miss.


When Should You Do Web Application Pen Testing?

At a minimum, web application testing should happen before the application goes live.

However, it is a better idea to test a web application during development to ensure there is enough time for fixes.

Ideally, testing will be an integral part of the application's development processes. After major changes to the application are made, it should be tested to ensure no new exploitation pathways have emerged.

If you test an application at the pre-development stage, it is important that testing also happens once the application is fully built: you don’t want the app to undergo any major changes between testing and deployment.

Our team recommends considering a penetration test as validation of an application’s initial security requirements as outlined during the design stage.

A pen test is a great way to validate that initial requirements have been met before an application is shipped.


How to Prepare for Web Application Testing

Organisations should prepare a testing environment to ensure testing doesn't affect their live environment.

To make the most of any web application pen testing engagement, it's critical that companies create mock data in different accounts to give to the testers so they can review an application extensively and consider all possible exploitation pathways.

Preparing a web application testing environment ahead of time will:


Hire an Experienced Web Application Pen Test Provider

You can get pen testing providers that cost £ and providers that cost £££+.

However much you spend on a penetration testing service for a web application, you need to make sure they are:

a) Trustworthy. Look for accreditations and experience running offensive security engagements within regulated frameworks like CBEST and TIBER.

b) Technically expert. Look for providers that develop their own testing tools and allocate a portion of staff time to continuous learning.

c) Highly experienced. The organisation and the individuals performing testing should have at least several years of experience testing across a variety of industries.


Considering Web Application Penetration Testing?

SECFORCE has been testing web applications since 2008, helping hundreds of organisations find and remove exploitation pathways in their web-facing applications.

Contact us for an appraisal of your testing needs.
