Penetration Testing, also known as pen test or pen testing, is a process to identify, exploit, and report vulnerabilities. These vulnerabilities can exist in any system including applications, services, or operating systems.
With respect to business-critical applications, both automated and manual penetration testing is critical to ensure that major business operations are not breached or affected by attacks.
According to the HPE Cyber Risk Report 2016, 90% of applications had at least one vulnerability that hackers could exploit.
Today, online businesses use automated and manual penetration testing to uncover vulnerabilities in their critical application systems (backend/frontend servers, APIs, etc.). You can start by finding the common OWASP vulnerabilities with AppTrana Free Website Security Scan.
Application Penetration Testing Methodology
Before initiating pen testing, ethical hackers or “pen testers” gather all the information about applications. This introductory step is called ‘Reconnaissance’ and is actively used by hackers to choose easy targets.
Passive Reconnaissance: Ethical hackers use a combination of tools and research about the application. Every piece of information is handy. Information on DNS, WHOIS databases, and web server type provide preliminary information on how a tester should carry out the attack.
Active Reconnaissance: Once a penetration tester or hacker has all the basic information about the target applications, he moves to the next stage by sending packets to the target system. This can be a manual or automated task to look for vulnerabilities, firewalls, and DDoS protection tools. Here are some of the popular tools for hackers.
Attackers no longer target OWASP Top 10 vulnerabilities; they look beyond the usual vulnerabilities and dig into the logic of the application to uncover business-specific loopholes.
The following are examples of business logic flaws that automated tools would miss.
-An e-commerce site allows users to add items to cart, view a summary page and then pay. What if they could go back to the summary page, maintaining their same valid session and inject a lower cost for an item and complete the payment transaction?
-Can a user hold an item infinitely in the shopping cart and keep others from purchasing it?
-Can a user lock an item in a shopping cart at a discounted price and purchase it after several months?
-What if a user books an item through a loyalty account and gets loyalty points but cancels before the transaction could be completed?
Penetration testers consider all the business processes and application logic that can be used to exploit weaknesses within the application.
When it comes to frequent testing, nothing can beat the software and tools that look for weaknesses daily or scheduled basis. Automation is a huge part of the penetration testing process, especially when there are frequent changes in the application.
The process includes configuring security testing tools based on inputs from the previous two steps. Data is fed into the testing tools to look for vulnerabilities on authenticated and open application services.
No matter how intelligent an automated tool is, it will still miss some of the vulnerabilities. According to OWASP, every application has a different business process, and application-specific logic can be manipulated in an infinite number of ways. Not all issues can be found through automation.
Vulnerabilities like business logic flaws and authorization issues will always require human expertise. An ethical hacker or pentester (with a team of hackers/testers) spends hours looking for weaknesses that can compromise the application’s function.
Once the automated and manual penetration testing is complete, simply publishing the findings is not enough. Most internet businesses want to understand the flaw, its cause, and its business impact. Any organization wishing to protect its applications from an attack should invest in getting accurate, quantifiable, and solvable results.
An ideal pen testing report should contain the:
Cybercrime damages will cost $6 trillion annually by 2021, with an average cost of a breach crossing $7 million in the US this year. It is rudimentary to have an application security program in place that can identify and fix security loopholes before the hackers exploit them.
Indusface helps global online businesses to manage their application security programs efficiently. Our penetration testing process is backed with instant web application firewall protection through AppTrana that covers OWASP Top 10, SANS Top 25, and business logic vulnerabilities.
You can start with the AppTrana Free Forever Website Security Scan to find out how it works.
Founder & Chief Marketing Officer, Indusface
Venky has played multiple roles within Indusface for the past 6 years. He was instrumental in building the product/service and technology team from scratch and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. He has proven experience (10+ years) in the security industry and has held various mgmt/leadership roles in Product Development, Professional Services, and Sales during his time at Entrust Data card.