Web Application Penetration Testing
What is a Web Application Penetration Test?
Companies commonly use web-based applications to reach their business goals online. However, web-based applications are also the assets most targeted by cyber criminals seeking access to the sensitive data of the organizations, customers, and employees behind them. According to SANS Institute, web applications account for more than 60% of targets in cyber-attack attempts.
A web application penetration test involves cyber-security professionals conducting a manual cyber security risk assessment using the Open Web Application Security Project (OWASP) methodology. The testers carry out controlled attacks that attempt to gain unauthorized access to web-based systems and reach sensitive data, demonstrating how a real attacker could cause a loss of confidentiality and integrity of data.
Why Perform Web Application Penetration Tests?
A web application penetration test helps determine an entire web application’s security posture, including its infrastructure, databases, backend network, etc., and suggests ways to improve its security. Here are the five most common objectives for performing web application penetration tests:
Examples of Common Web Application Cyber Attacks:
- Injection Flaws – An attacker injects commands by passing unfiltered data to the SQL server (SQL injection), to the LDAP server (LDAP injection), or anywhere else the data is interpreted, resulting in access to confidential data or its deletion.
- Broken Authentication – An attacker gains unauthorized access to the system and compromises confidential data by stealing passwords, keys, or session tokens.
- Security Misconfiguration – Unpatched flaws, unused pages, unprotected files or directories, outdated software, and running software in debug mode can allow attackers to leverage cyber-attacks and access confidential information.
- Business Logic Bypass – An attacker manipulates legitimate functionality in the application to elicit unintended behavior and achieve malicious goals. These flaws are generally caused by not anticipating unusual situations and not handling them safely.
- Cross-Site Scripting (XSS) – An attacker injects malicious code into benign sites to attack a user’s web browser. Typically the attacker embeds the code in a link and, combined with social engineering, lures the user into clicking it so that the browser executes the code.
- Insecure Direct Object References (IDOR) – An attacker manipulates a parameter to access database items belonging to other users; for instance, when the reference to a database object is exposed directly in the URL.
- Path Traversal and Directory Traversal – An attacker manipulates the application into granting access to files on the server, where the information of the whole system rests. Accessed data can include user credentials, access tokens, and even entire system backups.
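As an added illustration (not code from the original page or from any testing vendor), the following Python module shows, for four of the flaw classes listed above, the weak pattern a tester looks for beside the check that closes it: a concatenated SQL query next to a parameterised one, an object lookup that includes the caller's identity (IDOR), a containment check for user-supplied file paths (traversal), and output encoding for HTML (XSS). The in-memory SQLite table, the user names, the directory paths and the probe string are all constructed sample data.

```python
import html
import os
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data (not from the page): two invoices owned by
    two different users, enough to exercise each check below."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner TEXT, amount INTEGER)"
    )
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)",
        [(1, "alice", 100), (2, "bob", 250)],
    )
    return conn


# --- Injection flaws --------------------------------------------------------
def find_invoice_vulnerable(conn, invoice_id):
    """Caller input is concatenated into the SQL text, so the input can change
    the structure of the query instead of being treated as a plain value."""
    query = f"SELECT id, owner, amount FROM invoices WHERE id = {invoice_id}"
    return conn.execute(query).fetchall()


def find_invoice_safe(conn, invoice_id):
    """Parameterised query: the driver passes the value separately from the
    SQL text, so it can only ever be compared against the id column."""
    query = "SELECT id, owner, amount FROM invoices WHERE id = ?"
    return conn.execute(query, (invoice_id,)).fetchall()


# --- Insecure direct object references ---------------------------------------
def get_invoice_for_user(conn, current_user, invoice_id):
    """Object-level authorisation: the owner is part of the lookup, so an id
    belonging to another user yields the same 'not found' result as an id
    that does not exist (no oracle for guessing valid ids)."""
    row = conn.execute(
        "SELECT id, owner, amount FROM invoices WHERE id = ? AND owner = ?",
        (invoice_id, current_user),
    ).fetchone()
    if row is None:
        raise PermissionError("invoice not found for this user")
    return row


# --- Path / directory traversal ----------------------------------------------
def resolve_download(base_dir, requested):
    """Resolve a user-supplied file name inside base_dir and refuse any result
    outside it. realpath normalises '..' segments, absolute paths and symlinks
    before the containment check, so the comparison is on the final path."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("requested path escapes the download directory")
    return target


# --- Cross-site scripting ----------------------------------------------------
def render_greeting(name):
    """Output encoding for HTML element content: markup in the user-supplied
    value is rendered as literal text rather than parsed by the browser."""
    return f"<p>Hello, {html.escape(name)}</p>"


if __name__ == "__main__":
    conn = make_db()
    # The same probe string goes to both query versions; only the
    # concatenating one lets it alter the WHERE clause and return every row.
    probe = "1 OR 1=1"
    print("vulnerable:", find_invoice_vulnerable(conn, probe))
    print("safe:      ", find_invoice_safe(conn, probe))
    print("bob's own: ", get_invoice_for_user(conn, "bob", 2))
    try:
        get_invoice_for_user(conn, "alice", 2)
    except PermissionError as exc:
        print("alice -> invoice 2:", exc)
    print(resolve_download("/srv/app/files", "reports/q1.pdf"))
    try:
        resolve_download("/srv/app/files", "../../etc/passwd")
    except ValueError as exc:
        print("traversal:", exc)
    print(render_greeting("<b>Alice</b>"))
```

Each pair maps directly onto a finding a tester would write up: the remediation is not input filtering but a structural control (parameterisation, per-object authorisation, canonical-path containment, contextual encoding) that holds regardless of what the input looks like.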