author: Melissa Bruno
Getting Started with Web Application Penetration Testing
Introduction
Web application penetration tests (aka web app pentests) focus on identifying and exploiting vulnerabilities affecting web applications. Most web app pentests at BHIS are scoped so that one web application will be tested over a period of five business days, but depending on the size of the in-scope application(s), the testing period may be longer or shorter.
Web app pentests may be performed with or without authentication, with the former being more commonly requested. Credentials are provided by the client to the tester prior to the start of the engagement. Whenever possible, clients should provide two sets of credentials and a description for each user privilege level (standard, admin, etc.), so that the access controls between privilege levels can be tested.
Protective capabilities such as web application firewalls (WAFs) may sit in front of a web app and block requests that they deem potentially malicious, such as requests containing cross-site scripting or SQL injection payloads. Testers should work with clients to ensure that the IP addresses used for testing are added to the WAF’s allow list. Some clients may decline to do this, but it should be strongly encouraged so that the web application itself, rather than the WAF, is what gets tested.
Testers may be asked to test a web application’s testing, staging, or production environment. Testing a staging environment that closely mimics production is ideal. Extra precautions should be taken when testing production environments (throttle scans, err on the side of caution if you think something might break, and keep a close eye out for a sudden increase in errors during scans), as any downtime caused by testing can be costly for the client.
Identifying Common Vulnerabilities
All new web application penetration testers should familiarize themselves with the OWASP Top 10, which describes the ten most common security vulnerabilities affecting web applications. The issues described in this list should be checked for during every test. Due to their prevalence, you are likely to find multiple issues described in the OWASP Top 10 per web application assessment.
Testers should also familiarize themselves with each of the web application findings in the BHIS Report Findings Tool, as many of these findings are commonly encountered during testing.
Review the Web App Checklist from WAHH for a comprehensive list of issues to look for during a test.
Honing Your Testing Skills
Resources Specific to BHIS Employees
The Web App section of the Good Reports folder has examples of well-written and technically strong reports. Reviewing all of these will give you a good idea of how to effectively perform web app tests at BHIS.
The Web App and API channel on Microsoft Teams is a good resource for reaching out with questions and problems related to web app testing.
General Web App Testing Resources
PortSwigger’s Web Security Academy is a great free resource which focuses on using Burp Suite to identify vulnerabilities.
The online, 16-hour training course Modern WebApp Pentesting w/ BB King is offered by BHIS’s sister company Antisyphon and can be taken for free by BHIS employees. The course is developed and taught by a BHIS employee, BB King, making the content especially relevant to BHIS testers.
The BHIS Blog’s Web App tag has useful blog posts written by BHIS employees.
Tools
- Burp Suite (Official Site; General Usage of Burp Suite): The bread and butter of web application penetration testing.
- Nikto (Official Site): Open source web application vulnerability scanner.
- Nmap (Official Site): Identify which ports are open, which banners are in use, and other useful information about web application servers.
- GraphQL Injection (Official Site): A GitHub repository containing a list of tools and techniques for testing web applications that use GraphQL.
- More GraphQL resources (unvetted):
  - https://graphql.org/learn/
  - https://www.apollographql.com/docs/react/
  - https://github.com/APIs-guru/graphql-voyager
  - https://github.com/graphql/graphiql
  - https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/GraphQL%20Injection
  - https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
  - https://github.com/righettod/poc-graphql
  - https://github.com/0ang3el/EasyCSRF
- Security Headers (Official Site): Web-based scanner that quickly checks for the presence of important security headers.
- Snyk.io Open Source Vulnerability Database (Official Site): Quickly search for vulnerabilities affecting specific versions of components. Plug the technologies and versions identified by Wappalyzer into the search field here.
- Wappalyzer (Official Site): Quickly identify which technologies are in use on a web application. Shows the version numbers whenever possible, which helps with identifying vulnerable and outdated components.
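The Security Headers check above is easy to reproduce offline against a response you have already captured in Burp, which is handy when the target is not reachable from a web-based scanner. The script below is an added example, not code from this guide or from the Security Headers service: it parses a raw HTTP response, reports recommended headers that are missing or weakly configured (HSTS max-age, CSP with 'unsafe-inline'/'unsafe-eval', framing protection, nosniff, Referrer-Policy), and also flags version numbers in Server/X-Powered-By headers of the kind you would feed into the Snyk search. The two responses are constructed for the example; the thresholds (one-year HSTS max-age, the header set itself) follow common hardening guidance and are assumptions, not a BHIS standard.

```python
"""Offline security-header check for a captured HTTP/1.x response.

Added example (not part of the original guide). Header expectations are
common hardening recommendations, chosen here as assumptions.
"""
from typing import Dict, List, Optional

# Constructed sample response with several weak settings (not from a real app).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'\r\n"
    "X-Frame-Options: DENY\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# Constructed hardened counterpart: same app, corrected headers.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: no-referrer\r\n"
    "Server: Apache\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

ONE_YEAR_SECONDS = 31536000  # assumed recommended minimum HSTS max-age


def parse_headers(raw_response: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.x response.

    Header names are lower-cased; the first occurrence of a name wins.
    """
    head, _, _body = raw_response.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers


def parse_max_age(hsts_value: str) -> Optional[int]:
    """Return the max-age directive of an HSTS header, or None if absent/invalid."""
    for directive in hsts_value.split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            try:
                return int(directive[len("max-age="):])
            except ValueError:
                return None
    return None


def check_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of human-readable findings; an empty list means no issues."""
    findings: List[str] = []

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        max_age = parse_max_age(hsts)
        if max_age is None or max_age < ONE_YEAR_SECONDS:
            findings.append(
                f"Strict-Transport-Security max-age too low ({max_age}; "
                f"recommended >= {ONE_YEAR_SECONDS})"
            )

    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("Content-Security-Policy allows 'unsafe-inline' or 'unsafe-eval'")

    # Either header can provide framing protection; flag only if both are absent.
    if "x-frame-options" not in headers and "frame-ancestors" not in (csp or ""):
        findings.append("missing X-Frame-Options (and no CSP frame-ancestors directive)")

    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    if "referrer-policy" not in headers:
        findings.append("missing Referrer-Policy")

    # Version disclosure: a digit in Server/X-Powered-By usually means a version string.
    for name in ("server", "x-powered-by"):
        value = headers.get(name)
        if value and any(ch.isdigit() for ch in value):
            findings.append(f"{name} header discloses version: {value}")

    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"[{label}]")
        for finding in check_security_headers(parse_headers(raw)) or ["no findings"]:
            print("  -", finding)
```

To use it on a real capture, paste the raw response from Burp's Repeater into `WEAK_RESPONSE` (or read it from a file); the checks operate on the parsed header dict only, so no request is ever sent. Treat the output as a starting point for the corresponding report findings, not as proof of exploitability.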