“Years of experience have taught me that it’s not easy to find a Pen Testing service which provides insightful advice in an engaging way, whilst providing value for money. Discovering Ambersail has certainly proven to be the exception that proves the rule! I won’t be looking elsewhere in a hurry.”
Head of ICT – Hillarys Blinds
What is Web Application Penetration Testing?
It is testing a web application to find security weaknesses. Testing should be thorough and cover every component of the application: the front-end user interface, the web application framework and the underlying web stack itself.
Testing should include reviewing standard input validation issues and application logic right through to the most complex vulnerabilities such as Server-Side Request Forgery (SSRF).
OWASP is an industry-leading framework for performing web application tests. It provides a great baseline for testing and a structure for reporting. This ensures that findings and advice can easily be understood and actioned.
Web application penetration testing is extremely useful. It consistently finds issues that automated scanners miss. This can include privilege escalation, XML External Entity (XXE) injection and insecure deserialisation.
Is Web Application Penetration Testing Important?
With the explosive growth of the Internet, web applications have changed significantly. This has introduced new security risks. For example:
Mobile Support. Mobile devices host a variety of web applications. This has led to the widespread introduction of Application Programming Interfaces (APIs), which are modular and reusable across different platforms, and of Progressive Web Apps (PWAs), which provide an app-like experience built on web technologies.
In many ways these changes have increased the potential for attack. APIs provide more direct access to application functionality and to back-end data stores. This makes them a high-value target to an attacker.
The Cloud. Cloud providers such as AWS, Azure and Cloudflare have changed the way web applications are built and distributed. Managed services take over maintaining and organising the software in the web stack.
Web Application Firewalls (WAFs) can help remove the risk of certain vulnerabilities, such as SQL injection, even when the underlying application is affected.
Services managed by a cloud provider can reduce risk, but not completely. If an attacker finds access keys for cloud services, he or she could gain access to sensitive data stores. This has been the root cause of many significant data breaches.
Also, if the WAF has not been set up correctly, it could be bypassed. This could lead to an attacker gaining direct access to a vulnerable application. This illustrates the importance of defence in depth.
Session Management. New forms of managing authentication, authorisation and access control are becoming more common. These include client-side, cryptographically signed tokens such as JSON Web Tokens (JWTs).
These frameworks allow application developers to simplify session management, standardise access controls and avoid issues such as user impersonation.
As these tokens fundamentally rely on cryptographic standards such as X.509 signatures, they suffer from similar vulnerabilities. For example, if a key is generated from a weak password, or an untrusted signature is accepted, an attacker could generate valid authorisation tokens for any user.
Is Web Application Penetration Testing Right For You?
Application penetration testing is now an accepted part of the development and maintenance cycle. Many organisations now include testing as part of their application release programme.
Some specific examples of why companies test are:
- Checking that a new web application has no major security issues.
- Testing networks and assets for compliance, to avoid fines or penalties.
- Needing an independent review of their products for their clients.
- Demonstrating that they have fixed problems that previously resulted in a security breach.
We Offer Expert, Affordable Testing
Our team will help you understand exactly what needs to be tested when you contact us. You will then receive a clear work plan with costs.
If you need a one-off test, fine. If you need more regular testing, also fine. It is up to you.
When you use Ambersail you can expect:
- Our UK based, CREST accredited test team performs all testing. We have been operating since 2002.
- Prices for testing are easy to understand. There are no hidden extras.
- Testing meets your timescales. We are ready to go when you need us.
- We only test what is in scope. You can expect honest and clear advice.
- Carefully controlled testing for live and test environments – thus minimising disruption.
- You will get direct access to our CREST test team.
- We deliver clear reports with advice on what to do next.
- Customers receive results reviews and retests.
How Do We Test?
We begin by looking at what the application does. What is the application’s purpose? What sensitive information is stored? Which functions are business-critical?
This gives us context. It shows which elements of the application are the highest value and at most risk.
Once completed, we can start to perform a more technical review of the application. We introduce a proxy between the web browser and web server so that we can intercept and manipulate traffic manually. This allows us to bypass client-side protections, view data that is not normally presented to the client, and send data to the web server that a browser would not generally accept.
We map the application, determining how it functions and what underlying software is in use. This knowledge is vital, because some vulnerabilities only exist on particular platforms, such as PHP and ASP.NET. Further tests reveal hidden functionality, through both brute-force enumeration and static code analysis.
Next we target the high-value assets discovered earlier. Often this leads to us examining critical functions such as authentication mechanisms, APIs and administrative functionality. Testing at this stage involves sending malicious inputs, validating access control restrictions and searching for unintended data leakage.
We comprehensively test any weakness we find to determine impact.
For example, should a SQL injection issue be discovered, tests on the underlying DBMS (database management system) would be performed. This measure allows us to provide defence-in-depth recommendations, protecting the stack against potential future vulnerabilities.
Contact us to get started…
The Devil Is In The Detail…
Testing that produces results comes down to the technical ability, determination and hard work of our team. We spend time to understand each technical environment we test. Once the groundwork is completed, we can create bespoke tests that really focus on each client’s environment.
Web application penetration testing needs a tailored approach to successfully yield results.
Further examples of tests we perform include:
Reviewing application functionality to ensure it functions as intended. We confirm that there are no hidden or deprecated functions available. Our objective is to find server-side vulnerabilities, such as insecure direct object references, access control issues and SQL injection.
Analysing how data is stored client-side. Our team inspects cookies, local storage and the cache to ensure they contain nothing confidential. Custom session management configurations often rely on plaintext or base64-encoded data, stored locally, to track users. This can lead to server-side data being disclosed to an attacker or, in the worst case, to privilege escalation.
We review transmitted traffic to ensure it meets current encryption standards. This relies on the server supporting the most recent TLS protocol versions and cipher suites. These issues are not often the most serious, but in severe cases they can lead to attacks such as DROWN, which significantly reduces the effective security of other services.
Normally, the supporting network will be assessed. This network test will search for services with insecure configurations, weak credentials and missing access controls.
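The following Python script is an added example, not Ambersail's own tooling, that ties together two points on this page: the Session Management note that a signed token is only as good as the signature check behind it, and the client-side storage item above about session data that is merely base64-encoded. It uses only the standard library. classify_token gives the tester's view of a token pulled from a cookie or local storage (is it readable in clear, does it claim alg=none, does its signature actually verify?), and verify_hs256_jwt is the hardened server-side check: the algorithm comes from an allowlist rather than from the token header, and anything that fails verification is rejected outright. The signing key and all four sample tokens are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key. A real server uses a long random secret kept out of source control.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _json_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Mint a compact HS256 JWT so the sample tokens below are self-contained."""
    signing_input = _json_segment({"alg": "HS256", "typ": "JWT"}) + "." + _json_segment(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256_jwt(token: str, key: bytes):
    """Hardened server-side check. Returns the claims only for a three-part JWT whose
    header names exactly HS256 and whose HMAC matches; everything else returns None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except ValueError:  # binascii.Error, JSONDecodeError and UnicodeDecodeError all subclass it
        return None
    # The accepted algorithm is fixed by server configuration; header["alg"] never chooses it,
    # which is what closes the alg=none and algorithm-confusion cases.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, (parts[0] + "." + parts[1]).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return claims if isinstance(claims, dict) else None


def classify_token(token: str, key: bytes) -> dict:
    """Tester's view of a client-side token: what is readable, and is it protected at all?"""
    parts = token.split(".")
    if len(parts) == 3:
        try:
            header = json.loads(b64url_decode(parts[0]))
            claims = json.loads(b64url_decode(parts[1]))
        except ValueError:
            return {"verdict": "opaque", "claims": None}
        if not isinstance(header, dict):
            return {"verdict": "opaque", "claims": None}
        if str(header.get("alg", "none")).lower() == "none" or parts[2] == "":
            return {"verdict": "jwt-alg-none", "claims": claims}  # finding: server must reject
        if verify_hs256_jwt(token, key) is not None:
            return {"verdict": "jwt-verified", "claims": claims}
        return {"verdict": "jwt-bad-signature", "claims": claims}
    # Not a JWT. Is it just base64-wrapped JSON with no integrity protection?
    padded = token + "=" * (-len(token) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            claims = json.loads(decoder(padded))
            if isinstance(claims, dict):
                return {"verdict": "unsigned-plaintext", "claims": claims}
        except ValueError:
            pass
    return {"verdict": "opaque", "claims": None}


# Constructed sample tokens of the kinds found in cookies and local storage during a test.
PLAINTEXT_COOKIE = base64.b64encode(b'{"user":"alice","role":"user"}').decode("ascii")
ALG_NONE_TOKEN = (_json_segment({"alg": "none", "typ": "JWT"}) + "."
                  + _json_segment({"user": "alice", "role": "admin"}) + ".")
VALID_TOKEN = make_hs256_jwt({"user": "alice", "role": "user"}, DEMO_KEY)
_hdr, _, _sig = VALID_TOKEN.split(".")
TAMPERED_TOKEN = _hdr + "." + _json_segment({"user": "alice", "role": "admin"}) + "." + _sig

if __name__ == "__main__":
    for name, tok in [("plaintext cookie", PLAINTEXT_COOKIE), ("alg=none", ALG_NONE_TOKEN),
                      ("valid", VALID_TOKEN), ("tampered", TAMPERED_TOKEN)]:
        print(f"{name:17} -> {classify_token(tok, DEMO_KEY)}")
```

The plaintext cookie and the alg=none token both expose the role claim in clear and have nothing binding it to the server, which is exactly the class of client-side finding the item above describes; the tampered token shows why the server-side check must compare the HMAC rather than merely parse the claims.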
Contact our team to get started…