WEB APPLICATION PENETRATION TESTING

Our approach consists of about 80% manual testing and about 20% automated testing – actual results may vary slightly. While automated testing enables efficiency, it is effective in providing efficiency only during the initial phases of a penetration test. At Khanna Security, it is our belief that an effective and comprehensive penetration test can only be realized through rigorous manual testing techniques.

In order to perform a comprehensive real-world assessment, Khanna Security utilizes commercial tools, internally developed tools and the same tools that hacker use on each and every assessment. Once again, our intent is to assess systems by simulating a real-world attack and we leverage the many tools at our disposal to effectively carry out that task.

We consider the reporting phase to mark the beginning of our relationship. Khanna Security strives to provide the best possible customer experience and service. As a result, our report makes up only a small part of our deliverable. We provide clients with an remediation knowledge resources, dedicated remediation staff and ticketing system to close the ever important gap in the remediation process following the reporting phase.

Simply put, our objective is to help fix vulnerabilities, not just find them. As a result, remediation re-testing is always provided at no additional cost.

The first phase in a web application penetration test is focused on collecting as much information as possible about a target application. Reconnaissance, aka Information Gathering, is one of the most critical steps of a web app pen test. This is done through the use of public tools (search engines), scanners, sending simple HTTP requests, or specially crafted requests. As a result, it is possible to force the application to leak information, e.g., disclosing error messages or revealing the versions and technologies used.

Example tests include: Error Code Analysis, Fuzzing, Search Engine Recon, App Enumeration and App Fingerprinting

Comprehending the deployed configuration of the server/infrastructure hosting the web application is nearly as critical as the application security testing itself. After all, an application chain is only as strong as its weakest link. Application platforms are wide and varied, but some key platform configuration errors can compromise the application in the same way an unsecured application can compromise the server (insecure HTTP methods, old/backup files).

Example testing includes: TLS Security, Database Listeners, File Extension Handling and Cross-Site Tracing

Authentication is the process of attempting to verify the digital identity of the sender of a communication. The most common example of such a process is the log-on process. Testing the authentication schema means understanding how the authentication process works and using that information to circumvent the authentication mechanism.

Example testing includes: Brute Force Testing, User Enumeration, Transport Layer Security

The most common web application security weakness is the failure to properly validate input coming from the client or from the environment before using it. This weakness leads to almost all of the major vulnerabilities in web applications, such as cross-site scripting, SQL injection, interpreter injection, locale/Unicode attacks, file system attacks, and buffer overflows.

Example tests include Cross-Site Scripting, SQL Injection, OS Commanding, and Server Side Injection.

A denial of service (DoS) attack is an attempt to make a resource unavailable to its legitimate users. Traditionally, denial of service (DoS) attacks have been network-based: a malicious user floods a target machine with enough traffic to make it incapable of servicing its intended users. There are, however, types of vulnerabilities at the application level that can allow a malicious user to make certain functions unavailable. These problems are caused by bugs in the application and often are triggered by malicious or unexpected user input. This phase of testing will focus on application layer attacks against availability that can be launched by just one malicious user on a single machine.

Not all clients have an appetite for DoS testing, therefore it may not always be a component of each and every penetration test.

Web services have certain elements of exposure just like any other protocol or service. What’s different is that they can be used on HTTP, FTP, SMTP, or MQ among other transport protocols. As a result, vulnerabilities in web services are similar to other vulnerabilities, such as SQL injection, information disclosure, and leakage, but web services also have unique XML/parser-related vulnerabilities.

Example tests include: Information Gathering, Fuzzing, and Replay Testing

Some of the key components to our web application penetration test deliverable include, but are not limited to:

• Scope
• Control Framework (ie: OWASP, PCI, PTES, OSSTMM)
• Timeline
• Executive Summary Narrative
• Technical Summary Narrative
• Report Summary Graphs
• Summary of Findings
• Findings (Description, Business Impact, Recommendation, Evidence, References, CVSS, Risk Rating Calculation)
• Methodology and Approach
• Risk Rating Factors
• Tools used
• Recommendations