Web Application Penetration Testing
Web applications often store PII and provide sensitive functionality. Because of this, they have become popular targets for malicious threat actors. Successful compromise of a web application may lead to loss of sensitive data, loss of reputation and access to the underlying server. It is crucial that web applications are thoroughly tested to ensure that they do not pose a security risk.
At Pentest People, we are regularly asked what level of penetration testing is needed for a web application, and the answer depends entirely on the web application, the data held within it and the client's requirements. The purpose of this article is to discuss the differences between a manual penetration test and a vulnerability scan.

What is a Penetration Test?
A Penetration Test is a simulated attack, carried out manually by a trained security consultant. The consultant will follow a methodology to look for known vulnerabilities and common attack vectors. Vulnerabilities are verified, a proof of concept is created and mitigation advice is issued within the context of a report.
Vulnerability scanning is part of our methodology for a full penetration test; however, the consultant will also be looking for business logic flaws and more in-depth vulnerabilities, such as weak or broken access controls that allow users to view other users' sensitive data.

What is a Vulnerability Scan?
A vulnerability scan uses automated tools to look for ‘low-hanging fruit’, loosely defined as obvious vulnerabilities that require little or no skill to locate. Vulnerability scanners are not intelligent. They are good at finding issues such as missing HTTP security headers (for example, X-Frame-Options absent from HTTP responses); however, they will not identify business logic vulnerabilities, such as the ability to view one user's data from another user's account.
These should in no way be considered full penetration tests. As with a penetration test, the vulnerabilities discovered and mitigation advice will be issued in a report; however, the findings will not be verified, nor will a proof of concept be created. The findings from the automated tools are taken at face value, and they will typically include false positives. Verifying these issues is left to the company in question.
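The two kinds of finding contrasted above, as an added illustration (this is example code, not Pentest People's tooling): a header check that a scanner can perform from a response alone, next to an access-control bug that only shows up when you know which user owns which record. The record data and header names are constructed for the example.

```python
"""Added example: why a scanner catches a missing header but not a
broken access control. Not code from the original article."""

# Constructed sample data: two accounts, each owning one record.
RECORDS = {
    101: {"owner": "alice", "data": "alice's invoice"},
    102: {"owner": "bob", "data": "bob's invoice"},
}

# Headers a scanner typically expects to see on an HTML response.
REQUIRED_HEADERS = (
    "X-Frame-Options",
    "Content-Security-Policy",
    "Strict-Transport-Security",
)


def missing_security_headers(headers):
    """Scanner-style check: compare the response's header names
    (case-insensitively) against the expected list and report what is absent.
    This needs nothing but the response, so automation does it well."""
    present = {name.lower() for name in headers}
    return [h for h in REQUIRED_HEADERS if h.lower() not in present]


def get_record_insecure(user, record_id):
    """Vulnerable handler: any logged-in user can fetch any record by id.
    The response is an ordinary 200 with plausible data, so a scanner has no
    signal that it belongs to someone else. Kept deliberately broken."""
    record = RECORDS.get(record_id)
    return record["data"] if record else None


def get_record_secure(user, record_id):
    """Fixed handler: the authorisation check ties the record to the requester.
    A record that is not yours is reported exactly like one that does not
    exist, so the id space does not leak which records are present."""
    record = RECORDS.get(record_id)
    if record is None or record["owner"] != user:
        return None
    return record["data"]
```

Verifying the second bug requires a tester with two accounts and an understanding of who should see what, which is the manual step the article describes.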
When is it Necessary to Perform These Types of Tests?
When should I perform a Penetration Test?
A Penetration Test should always be performed before any automated security scanning. Automated scanning does not provide a thorough assessment of the application.
A report with no critical or high risk vulnerabilities from an automated scan cannot be considered a clean bill of health for the application.
When should I perform a Vulnerability scan?
Once a full penetration test has been completed, vulnerability scanning should be arranged at quarterly intervals.
A Penetration Test is a snapshot in time; quarterly vulnerability scanning should be undertaken to look for any obvious changes between penetration tests.
OWASP
OWASP (the Open Web Application Security Project) is a leading organisation that focuses on publishing web application vulnerabilities and mitigation advice. It is well known for its ‘Top 10’ list of vulnerabilities, a report that is updated regularly with the latest threats to application technologies.
OWASP Top 10 Comparison
| Category | Application Penetration Test | Vulnerability Scan |
| --- | --- | --- |
| Injection Vulnerabilities | Detection; exploitation; proof of concept; verification of vulnerabilities; no false positives | Limited detection; likely false positives |
| Broken Authentication | Detection; exploitation; proof of concept; verification of vulnerabilities; no false positives | Limited detection; likely false positives |
| Sensitive Data Exposure | Detection; exploitation; proof of concept; verification of vulnerabilities; no false positives | Limited detection; likely false positives |
| External Entities (XXE) | Detection; exploitation; proof of concept; verification of vulnerabilities; no false positives | Limited detection; likely false positives |
| Broken Access Control | Detection; exploitation; proof of concept; verification of vulnerabilities; no false positives | None |
| Security Misconfiguration | Detection; exploitation; proof of concept; verification of vulnerabilities; no false positives | Limited detection; likely false positives |
| Cross-site Scripting | Detection; exploitation; proof of concept; verification of vulnerabilities; no false positives | Limited detection; likely false positives |
| Insecure Deserialization | Detection; exploitation; proof of concept; verification of vulnerabilities; no false positives | None |
| Using Components with Known Vulnerabilities | Detection; exploitation; proof of concept; verification of vulnerabilities; no false positives | None |
| Insufficient Logging & Monitoring | SOC Readiness assessments available | None |