What is a web application penetration test?

Web applications are the most targeted assets by the attackers, Therefore, organizations should be the most sensitive in terms of information security and should pay attention to the security of their web applications. In the Web penetration tests, all input fields of the application are determined by Ebruu researchers. After identified the input fields in the applications, all the technical, business logic and network-level vulnerabilities in the applications are detected and also exploited(if suitable) to make a POC. The tests are carried out in three different methods: manual, automated and hybrid.

Web application testing methodology and stages:

1. Information Gathering

All publicly accessible passive and active information about the web application is collected and used as attack vendors during penetration testing.  Ebruu researchers will also attempt to gather sensitive information, which is not exposed to any external or unauthorised entity.

2. Vulnerability Identification

For each of the web applications, a manual test is performed. And also variety of vulnerability scanners are used to find vulnerabilities in the web application. Scan reports are then analysed to confirm vulnerabilities and eliminate false positives.  OWASP testing methodologies and business logic tests are used specifically in web application testing with separate tests for external and internal network threats.

3. Exploit Progress

Once vulnerabilities are identified, we look for exploits available for those vulnerabilities and identify what, if any sensitive information can be gathered from them. These exploits can include maintaining access for later use or modifying configurations on the web application. These activities are all undertaken based on client agreement.

4. Report Writing

Ebruu researchers report all findings of the web application penetration test with risk ratings along with recommendations on solving the issues found in the web application.

5. Verification Test
We also provide a free verification test service for our clients, it is performed once for every single vulnerability after the client has fixed all security vulnerabilities.

Some of our web application penetration testings steps;

  • Information Gathering via Whois Query
  • Try to find out all websites hosted on same IP address.
  • Try to find out all websites via reverse dns queries
  • Try to find out all subdomians of the all target domains
  • Perform a full TCP/UDP port scan for all website’s IP address.
  • Try to identificate new web interfaces on the different TCP ports.
  • Look at the Google search engine to find out subdomins. Google dorks.
  • Information gathering(subdomains,leaked credentials) via Pastebin/Github
  • Try to find out new subdomain via DNS Dumpster
  • Perform a bruteforce to DNS server with a good wordlist to identificate new subdomains.
  • Analyse error message, banner information etc for information gathering.
  • Look at the Archive.org records
  • Try to perform subdirectory tests
  • Identificate Directory Listing Vulnerabilities by visiting subdirectory
  • Identificate Directory Listing via Google Dork
  • Try to gather information via robots.txt, elmah.axd, trace.axde
  • Elmah.axd and Trace.axd Session Stealing Tests
  • Try to identificate target operation systems, databases etc
  • Try to find out new files under discovered new subdirectories with different extensions
  • Try to identificate used CMS application on the target system
  • Scan this CMS application with special tools.
  • Try to identificate installed plugins of these CMS and known vulnerabilities on this plugins
  • Search all known vulnerabilities related to CMS version
  • Try to identificate admin pages identification of the target websites.
  • Try to check if there is any backdoor on the target systems with known web backdoors
  • Data transmission security chekcs(HTTP usage, without HSTS header,unsecure SSL/TLS etc)
  • Discover dangerous HTTP method usage such as PUT and DELETE
  • Username enumeration tests via error or warning messages
  • Username enumeration via mis-developments
  • Brute force testing for web form fields.
  • Try to bypass WAF systems
  • Manuel crawling of the target applications
  • Find out all input fields throughout the target applications
  • Hidden form fields tests
  • Source code review of HTML and javascript files
  • Identifiying and abusing of unused captcha forms
  • CSRF vulnerability check on the sensitive functions of the targets
  • Anti-CSRF token bypass techniques
  • Session manipulation tests
  • Cookie attributes tests
  • Session id weaknesses tests
  • Vulnerabilities on the login functions
  • Login function(authentication) bypass techniques
  • Known and published vulnerabilites on the targets
  • Two-factor authentication bypass techniques
  • Session fixation tests
  • Directory traversal vulnerabilities
  • Authorization issues
  • Try to access other user asssets unauthorized(files,private assets)
  • IDOR tests
  • Try to find out weaknesses on the logout function of targets
  • Privilage escalation tests with different role users
  • Focus on just business logic issues of the target’s functions
  • HTTP Header tests
  • User agent manipulation test
  • X-Forwarded-For Restriction bypass tests.
  • XSS Tests(reflected,stored,dom,blind)
  • Sql Injection Tests
  • Code injection tests
  • Command Execution tests
  • SSRF Tests(local,remote)
  • LFI/RFI tests
  • Try to focus on web servis tests(ASMX,restful,WCF)
  • Business and technical tests on the web services
  • Spesific tests for related to used technologies(nodejs,ajax,frameworks etc)
  • Try to use right attack vectos depands on used database/development platforms
  • Password reset functionality abuse testing
  • Takeover account via spesific functionality of the targets(password change,reset etc)
  • Image Captcha’s size manipulation DoS tests
  • Application Level DoS tests(abusing functions,BoF etc)
  • Session timeout tests
  • Secure,httponly,HSTS header usage tests
  • Advenced authentication and authorization tests.
  • Open Redirection Tests
  • File upload tests(command execution,stored xss,DoS)
  • LDAP Incjection tests
  • XML injection tests
  • Xml External Entity(XXE) tests
  • Buffer over flow tests
  • Login bypass,DoS via Long payload usage
  • HTTP Response Splitting tests(XSS PoC)
  • HTTP Parameter Pollution Tests(Bypass WAF PoC)
  • Iframe Injection tests
  • LFI via Iframe injections
  • XSS tests via drag-drop
  • XSS tests via filen names of uploaded files
  • Try to discover technical web vulnerabilities via Google dorks
  • Signup Function Tests(takeover account,XSS,SQL or many business logic bugs)
  • Code execution via uploadable excel files
  • Try to discover advenced injection points via FUZZing(wfuzz)
  • Try to enforce the targets to get sensitive informations via error messages
  • Vulnerabilities on the webserver versions
  • Try to determine remotely the encrytion sitiuations of the passwords on the target database.
  • SWF,JAR files decompiling tests If we have on the targets
  • Code execution via SMTP/IMAP
  • Spesific wordlist creation (crunch,cewl)
  • Phpmyadmin Vulnerabilities(Directory listing,bruteforce,XSS etc)
  • Code execution via Phpmyadmin with mysql into outfile function
  • URL Poisioning Tests
  • Try to use bypassing methos for all technical vulnerabilities
  • DoS via Code Injection
  • Default or predictable password usage tests
  • Post-exploitation via accessed systems(tomcat,wordpress etc)
  • Clickjacking Vulnerability Tests on the important function of the targets
  • Full Automate scan all websites

If you would like to find out how Web Penetration Testing Service can be beneficial for your company or more information about our service, please contact our security experts to get a free quick consultation.