Webapp Pentest Methodology
Our web application penetration test service utilizes a risk-based approach to manually identify critical application-centric security flaws in all in-scope applications. Our web application penetration test combines the results from industry-leading scanning tools with manual testing to enumerate and validate vulnerabilities, configuration errors, and business logic flaws. In-depth manual application testing enables us to find what scanners often miss.
Using this approach, we ensure a comprehensive webapp pentest that covers the classes of vulnerabilities outlined in the Open Web Application Security Project (OWASP) Top 10 and beyond:
Sensitive Data Exposure
XML External Entities (XXE)
Broken Access Control
Using Components with Known Vulnerabilities
Insufficient Logging & Monitoring
Our web app penetration testing methodology is a consistent process based on industry-standard practices used for each and every internal and external web application penetration test we perform. Experience has shown our clients and us that our proven web application pentesting methodology works.
The information-gathering phase consists of Google search engine reconnaissance, server fingerprinting, application enumeration, and more. Information gathering efforts result in a compiled list of metadata and raw output to obtain as much information about the application’s makeup as possible. Reconnaissance includes web application footprinting, metafile leakage review, service enumeration, and operating system and application fingerprinting. The purpose of this step is to map the in-scope application and prepare for threat identification collectively.
During the Information Gathering phase, our penetration test team will:
Use discovery tools to passively uncover information about the application
Identify entry points into the application, such as administration portals or backdoors
Perform application fingerprinting to identify the underlying development language and components
Send fuzzing requests to be used in the analysis of error codes that may disclose valuable information that could be used to launch a more targeted cyber attack
Actively scan for open services and develop a test plan for the latter phases in the security assessment
Through testing, Hedgehog Security’s penetration test team actively try to force your web apps to leak information, disclose error messages that can be exploited, or reveal versions and technologies used.
With the information collected from the previous step, the testing process transitions to identifying security issues in the application. This typically begins with automated scans initially but quickly morphs into multiple manual testing techniques using more pointed and direct tools. During the threat modeling step, assets are identified and categorized into threat categories. These may involve sensitive information, trade secrets, financial documents, etc.
During this phase, our pentest team will:
Use open source, commercial, and internally developed tools to identify and confirm well-known vulnerabilities.
Spider the in-scope application(s) to effectively build a map of each of the features, components, and areas of interest
Use discovered sections, features, and capabilities to establish threat categories to be used for more manual/rigorous testing (i.e., file uploads, admin backdoors, web services, editors)
Send fuzzing requests to be used to analyze error codes that may disclose valuable information that could be used to launch a more targeted attack.
Build the application’s threat model using the information gathered in this and the previous phase to be used as a plan of attack for later phases of the penetration test
Upload vulnerability information to the customer portal for those vulnerabilities that exist but will not be exploited due to time constraints or risk to devices.
The vulnerability analysis step involves documenting and analyzing vulnerabilities discovered due to Information Gathering and Threat Modeling. This includes the analysis of output from the various security tools and manual testing techniques.
During the Vulnerability Analysis phase, our penetration testers will:
Compile the list of areas of interest and develop a plan for exploitation
Search and gather known exploits from various sources
Analyze the impact and likelihood for each potentially exploitable vulnerability
Select the best methods and tools for properly exploiting each of the suspected exploitable vulnerabilities
Unlike a vulnerability assessment (which is a low cost commodity service and only ever uses automated vulnerability scanning tools), a penetration test takes the additional step of exploitation. Exploitation involves establishing access to the application or connected components by bypassing security controls and exploiting vulnerabilities to determine their real-world risk. Throughout this step, we perform several manual tests simulating real-world exploits incapable of being performed through automated means. During a webapp pentest , the exploitation phase consists of heavy manual testing tactics and is often the most time-intensive phase.
As part of the Exploitation phase, the Hedgehog Security team will:
Attempt to manually exploit the vulnerabilities identified in the previous phases to determine the level of risk and level of exploitation possible
Capture and log evidence to provide proof of exploitation (images, screenshots, configs, etc.)
Notify the client of any Critical findings upon discovery
Upload validated exploits and their corresponding evidence/information to the project portal for client review
The reporting step is intended to compile, document, and risk rate findings and generate a clear and actionable report, complete with evidence, for the project stakeholders. The report will be delivered through the customer portal. If a customer requests, a presentation of findings will occur via an online meeting.
During this phase, our pentest team will perform the following:
Ensure all findings have been uploaded to the project portal for client review
Create the web application penetration test report, along with evidence. This will go through an internal review process that then is uploaded to the client portal for review
Additional meetings may take place to ensure the client understands the findings and recommendations for mitigation or remediation