How to Prepare for Your Web Application Penetration Test
So, you’re investing in cybersecurity and are having a web application penetration test performed. No matter your reasons for doing so—whether you’re satisfying compliance requirements, a customer request, internally assessing your flagship service offering or confirming security policies—this is a great step towards strengthening your defenses.
But now that you’ve decided to move forward, it’s time to dig in and prepare. If you’re not sure where to start or what’s involved, don’t worry. Our very experienced team of penetration testers has performed over 200 assessments in just the last year, those specific to web applications among them. In this article, we’ll reiterate what a web application penetration test is, its objectives, and the information you’ll gain after performing one. We’ll also provide a list of items to prepare for your chosen penetration testers ahead of your assessment.
That way, you’ll be able to streamline your process more easily and reach the end—and the results regarding your vulnerabilities—that much quicker.
What Is a Web Application Penetration Test?
| Definition | The simulation of an attack on either an external or internal web application in an attempt to gain access to sensitive data and determine whether the application is secure. |
|---|---|
| Objective | To identify and exploit vulnerabilities within the application and its components (e.g., source code, database, back-end network) that apply to OWASP Flagship Projects, such as the OWASP Top 10, Application Security Verification Standard (ASVS), and Web Security Testing Guide (WSTG). |
| How Does It Work? | After performing reconnaissance and identifying flaws in authentication, access controls, database interaction, and application logic, among others, your Pen Test Team will attempt to exploit these vulnerabilities. If you’re working with Schellman, our team will also seek to combine different vulnerabilities and chain them into more complex, higher-severity attacks. |
| What You’ll Learn | After this essential health check of your web application, you’ll understand: |
An Important Note for Organizations Working with Schellman: We do not perform Distributed Denial of Service (DDoS) attacks to test the availability of a service. While we may discover vulnerabilities that result in likely Denial of Service (DoS) conditions, typically these are verified as much as possible but will not be exploited. Only manually verified findings will be included in our final report, and there will be no false positives.
5 Things to Provide for a Web Application Penetration Test
To facilitate all this, your Pen Test Team will need several things before they can get started with their attempted breach of your web application. Here’s a list of items you’ll need to prepare to either provide or do to ensure smooth sailing through the process:
- Two Tenants Within the Application
Consider this like onboarding two new customers—you’d most likely provide them each their own environment (or tenant) within your application.
- Why Does Your Pen Test Team Need This? Having access to two test tenants allows us to test for horizontal privilege escalation, which basically means checking to see if customer 1 can somehow get to customer 2’s data when that shouldn’t be possible.
- Credentials
Within each tenant, you’ll also need to provide credentials for both an administrator (or higher-privileged role) and a standard user (or lower-privileged role). At Schellman, we start testing with the highest and lowest level you would provide a client, and—if there are other different privilege roles available—we’ll add more users throughout the process.
- Why Does Your Pen Test Team Need This? We perform every web application assessment from an authenticated posture. Having two users with different roles allows us to test for vertical privilege escalation methods, which is to say, can a non-admin user access data or features only an admin should be able to use or see?
- Lower External Application Security Controls
You’ll need to allow traffic through any technical security controls that could impact testing, including any web application firewall (WAF) in place.
- Why Does Your Pen Test Team Need This? Penetration tests are performed within a designated window, which means the Pen Test Team only has a limited amount of time to get through the work. That time is better spent identifying as many vulnerabilities as possible so that you gain the most value, and allowing us to interact directly with the application, without a WAF filtering our requests, helps with that. Lowering the WAF will help us—and you—best understand and fix the real issues.
- Perform an Application Demo
This should only take a 30-minute call to go over the main features or use of the application with your Pen Test Team. This call will be recorded and referenced when the actual test begins.
- Why Does Your Pen Test Team Need This? To efficiently attack the application, we first must understand how it is meant to be used. Understanding your specific business risk is a vital part of all our assessments.
- Sample Data
Populate the application with as much user data as possible. If you’re not sure where to start with this, you might consider leveraging data from a demo environment that you usually use to demonstrate your application to a customer.
- Why Does Your Pen Test Team Need This? An application prepopulated with sample data allows us to hit the ground running with a better understanding of how important features are used. We’ll still go through the process of creating our own test data, but your provided sample data lets us spend more time focusing on identifying vulnerabilities.
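The first two items above (two tenants, and an admin plus a standard user in each) exist so the testers can check for horizontal and vertical privilege escalation. The following is an added example, not Schellman's code or tooling: an offline model of a multi-tenant application showing the two authorization checks side by side in a vulnerable and a hardened form, so a development team can see what those checks look like before the engagement. The tenant names, records, users and function names are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    """Authenticated caller, as the application sees it after login."""
    user: str
    tenant: str
    role: str  # "admin" or "user"

# Constructed sample data: two tenants, each holding its own records and users.
RECORDS = {("tenant-a", 1): "tenant-a invoice 1", ("tenant-b", 7): "tenant-b invoice 7"}
USERS = {"tenant-a": ["a-admin", "a-user"], "tenant-b": ["b-admin", "b-user"]}

def get_record_vulnerable(session, tenant, record_id):
    """Trusts the caller-supplied tenant: any logged-in user can read any tenant's data."""
    return RECORDS.get((tenant, record_id))

def get_record_hardened(session, tenant, record_id):
    """Scopes every lookup to the tenant bound to the session (blocks horizontal escalation)."""
    if tenant != session.tenant:
        raise PermissionError("cross-tenant access denied")
    return RECORDS.get((tenant, record_id))

def export_users_vulnerable(session):
    """Admin-only feature with no role check at all."""
    return USERS[session.tenant]

def export_users_hardened(session):
    """Same feature, enforcing the role server-side (blocks vertical escalation)."""
    if session.role != "admin":
        raise PermissionError("admin role required")
    return USERS[session.tenant]

def run_privilege_checks(get_record, export_users):
    """Runs the two checks the two-tenant, two-role setup enables; returns the open paths."""
    a_user = Session("a-user", "tenant-a", "user")  # tenant A's standard user
    findings = []
    # Horizontal: tenant A's standard user asks for a record that belongs to tenant B.
    try:
        if get_record(a_user, "tenant-b", 7) is not None:
            findings.append("horizontal: tenant-a user read tenant-b record 7")
    except PermissionError:
        pass
    # Vertical: the same standard user invokes an admin-only feature.
    try:
        export_users(a_user)
        findings.append("vertical: standard user ran admin export")
    except PermissionError:
        pass
    return findings

if __name__ == "__main__":
    print(run_privilege_checks(get_record_vulnerable, export_users_vulnerable))  # both paths open
    print(run_privilege_checks(get_record_hardened, export_users_hardened))      # []
```

The hardened functions still serve tenant A's own admin normally, which is the other half of the check: the controls must block the escalation paths without breaking legitimate use.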
Other Tips for Your Web Application Penetration Test
In addition to these steps and the information you provide, you should also tell your security operations center (SOC) or internal Blue Team that a web application pen test is scheduled and give them any public IP address ranges to be used by the Pen Test Team. (Schellman specifies these in our authorization letter.) Your Pen Test Team is not trying to be stealthy or stay undetected—they are only concerned with highlighting as many manually verified issues as possible and providing actionable feedback within the limited timeframe available.
Taking all these steps should help you make the most of that limited time frame. If you’re also considering other penetration tests to evaluate your cybersecurity, check out our other content that will break down some key aspects:
- What Does a Penetration Test Cost? Scope Factors That Matter
- What is an External Network Penetration Test?
- How to Prepare for Your Internal Network Pen Test
If you find you still have any pressing concerns or questions regarding the intricacies of penetration testing—or if you’re interested in engaging the Schellman team to perform one—contact us today.
About Josh Tomkiel
Josh Tomkiel is a Managing Director on Schellman’s Penetration Testing Team based in the Greater Philadelphia area with over a decade of experience within the Information Security field. He has a deep background in all facets of penetration testing and works closely with all of Schellman's service lines to ensure that any penetration testing requirements are met. Having been a penetration tester himself, he knows what it takes to have a successful assessment. Additionally, Josh understands the importance of a positive client experience and takes great care to ensure that expectations are not only met but exceeded.