This blog post is the first in a series of posts about the world of web app penetration testing. What you are reading now is but an introduction aiming to introduce the aspiring pentester to essential knowledge and tools. Although further articles addressed to more experienced pentesters will follow, this series should be used as a quick reference and by no means is to be used as a substitute of a formal classroom environment, and most importantly hands-on experience.

Below are listed the phases we are going to describe: 

– Phase 1: Planning

– Phase 2: Scoping

– Phase 2: Assessing Stages

– Phase 3: Exploitation 

Phase 1: Planning

First, we have to identify the type of the test we are going to perform; in plain English, what we are aiming for. Then we model all our actions.

 According to the aforementioned these are our options:

  1. Web Penetration Testing (Includes Proof of Concept, not good for production systems).
  1. Vulnerability Assessment (Does not include Proof of Concept, does cover important issues).

Note: The difference between a vulnerability assessment and a web application penetration test is that in penetration testing we provide proof of concept, meaning actually penetrating the company web applications and extracting costumers valuable data. While vulnerability assessment is only assessing security without actually penetrating the Web application.

Phase 2: Scoping

When we have planned our web pentest and identified the goals, then we can proceed with scoping. e.g. are we going to restrict our testing to only one domain? Do we want to exploit certain functionality? Are we interested in coverage? etc.

The following steps would have to be followed in order to scope the target: 

– Define Web Application Attack Surface

– Identify the scoped URL(s)

– Identify the scoped functionality 

Phase 2: Assessing Stages

A Web Application penetration test has significant differences compared to a network penetration test, with varying levels of complexity. Below are the stages you should follow to pen test a web application:

  1. Map Web Application
  2. Identify functionality and technologies used

Map Web Application

When mapping a Web Application, we usually go through the following steps:

  1. Exploring visible content (e.g. all linked content)
  2. Exploring non-visible content (e.g. all non-linked content)

Exploring visible content 

When performing exploration of the visible consent we are simply browsing through the application and record the identified links. This can be achieved with the following tools:

  1. [Burp Suite Professional Web Proxy]
  2. [Burp Suite Free Edition Web Proxy]
  3. [ZAP Web Proxy]

For the more advanced amongst you this can also be achieved using a programming language such as python or Go. For more information see the following web crawlers:

  1. [Scrapy] (written in Python)
  2. [Colly] (written in Go) 

Exploring non-visible content 

By using the term exploring non-visible content we mean all default, dynamic and non-linked content. How? Simply by using a technique named forced browsing. Forced browsing is an attack where the aim is to enumerate and access resources that are not referenced by the application, but are still accessible.

Open Web Application Security Project (OWASP) has a very well written guide on how to perform forced browsing [here] 

The tools we can use for this purpose are as follow: 

  1. [Burp Suite Professional Web Proxy]
  2. [Burp Suite Free Edition Web Proxy] (Content discovery plug-in)
  3. [ZAP Web Proxy] (Content discovery plug-in)
  4. [DirBuster]
  5. [dirsearch]

Identifying Functionality and Technologies Used 

The functionality we usually focus on when performing a Web App test includes  but is not limited to the following generic functions: 

  1. Login/Logout functions

                – Password ageing

                – Password recovery

                – Password expiration

                – Password reset

                – Password lockout mechanism

  1. Data submission functions

                – Data form submission sanitization

  1. Session creation

                – Randomness

                – Session length

  1. Session termination

                – Soft timeouts

                – Hard timeouts

                – Idle timeouts

  1. Third party cross domain referenced code functionality
  1. Privilege management

                – Assess privilege handling

Phase 3: Exploitation

Web Application exploitation should take into consideration if it is a production system, the goals of the Web Application penetration test and the amount of time to be dedicated to exploitation effort. But first we would have to identify the exposed components of the web application that can be PoC’ed.

The following sections focus on these elements. 

Exploiting Authentication Mechanisms

 Go through the whole authentication mechanism:

– Test password and username security policies

– Test lock out mechanisms

– Run an online login brute force attack

– Perform user enumeration using the responses from the server

– Test for auto generated credentials predictability

– Test for unsafe credential transmission

– Test Session Management Mechanism


The proposed OWASP Top 10 testing guide references for authentication validation are:

– Testing for Session Management Schema (OWASP-SM-001)

– Testing for Cookies attributes (OWASP-SM-002)

– Testing for Session Fixation (OWASP-SM-003)

– Testing for Exposed Session Variables (OWASP-SM-004)


Exploiting Account Access Controls

 As a basic test look for broken links after mapping all type user content (e.g. access variables with high user account privileges simply by guessing URL ID’s).

 More specifically look for:

– Testing for bypassing authorization schema (OWASP-AZ-002)

– Testing for Privilege Escalation (OWASP-AZ-003)

– Business Logic Testing (OWASP-BL-001)

– Testing for Cross Site Request Forgery (OWASP-SM-005) 

Exploiting Input Based Vulnerabilities

 Input validation has to do with how the user supplied input is handled by the target application, the most basic types of validation, can be summarised in the following type of attacks:

– SQL Injections

– Cross Site Scripting Attacks

– Cross Request Forgery Attacks

– XML Injections

The proposed OWASP Top 10 testing guide references for input validation are:

– Testing for Reflected Cross Site Scripting (OWASP-DV-001)

– Testing for Stored Cross Site Scripting (OWASP-DV-002)

– Testing for DOM based Cross Site Scripting (OWASP-DV-003)

– Testing for Cross Site Flashing (OWASP-DV-004)

– Testing for SQL Injection (OWASP-DV-005)

– Testing for Cross Site Request Forgery (CSRF) (OWASP-SM-005)

– Testing for path traversal (OWASP-AZ-001)

This concludes the first blogpost in this Penetration Testing series. More articles that will delve a bit deeper in the art of Penetration Testing and the resources needed to perform it will follow in due time.


Share This

Share this post with your friends!