Web applications have replaced the use of desktop applications for many organizations. This change has allowed organizations to simplify users interactions with applications. It also reduces the efforts required by information technology teams as applications are maintained centrally and no longer distributed across workstations. Moving business processes to web applications typically consists of using commercial off-the-shelf software (COTS) or converting a desktop application into a web application.
Often an organization's web application has unique processes specific to their industry or to the organization itself. At first glance, it may not be easy to see why an application should be tested when it does not contain personally identifiable information (PII) or financial data.
Why should a company have its web application tested?
Code Changes Regularly – Developers have adopted an agile approach to code changes, and a web application's underlying code may have experienced multiple changes within the last month. Changes that only take seconds to make can have big ramifications on the security posture of a web application.
Resilience – While unauthorized access to an organization's data may not mean the loss of PII or financial theft, downtime due to incident response or a cybercriminal intentionally deleting or modifying data can still be costly.
Penetration Testers Think Differently – Penetration Testers think about how applications work differently than developers. A developer's primary goal when creating a web application is to ensure it is designed to meet the needs of users. A Penetration Tester will search for vulnerabilities built in to a web application with the goal of finding ways to disrupt or compromise the organization.
Web Application Compromise Leads to Network Compromise – Recently, the Penetration Testing team at Elliott Davis tested a web application for a client. The team identified a vulnerability in the web application to not only take over the application itself, but also gain access to the underlying operating system. This kind of exploitation in the right environment can lead to the compromise of an entire network.
We have performed numerous web application tests for organizations of various sizes, and approach testing in four phases:
Information Gathering –OpenSource Intelligence (OSINT) gathering techniques are used to gather information about the application, the web technologies that were used to create the application, as well as the hosted web server.
Manual Mapping –The Penetration Testing team tests the application in both an unauthenticated and authenticated manner. Testing in such manner allows an initial mapping of the application to be completed which is then tested with automated scanners in phase three.
Automated Scanning –Automated scanning is performed using industry-leading tools, such as Burp Suite®, to search for web application vulnerabilities as highlighted by the Open Web Application Security Project (OWASP) Top Ten. The OWASP Top Ten is a list of the most common security vulnerabilities in web applications today which are actively exploited the most by attackers and have a significant impact on targeted organizations.
Manual Review – During the final phase, additional manual testing is completed based on the vulnerability scan results, as well as additional information noted by the assessment team. During this phase, our team attempts to exploit identified vulnerabilities to assess the true risk associated with the issues.
No matter your company’s business model or size, our Penetration Testing team can help assess your risk posture and leverage industry-standard penetration techniques to assist you with securing your web application. Our goal is to help organizations identify issues and assist with remediation before cybercriminals attempt a compromise. For more information on web application penetration testing for your organization, contact a member of the Elliott Davis Penetration Testing team.
The information provided in this communication is of a general nature and should not be considered professional advice. You should not act upon the information provided without obtaining specific professional advice. The information above is subject to change.
