Web Application Pentest

Phases of Web Penetration Testing


We follow an industry-standard methodology primarily based on the OWASP Application Security Verification Standard (ASVS) and Testing Guide.

Our methodology involves the following 7 key penetration testing stages:

Based on the Pentest Brief prepared by the client, pen-testers search for necessary information about the targets and investigate the scope.

Information gathered during this stage includes web application URLs, understanding of application logic, and assigned business criticalities.

Pentesters then confirm that the targets can be reached and scanned and that they function properly.

During this phase, pen-testers manually examine the target applications to map business functions, workflows, and underlying processes.
 
They also build a matrix of the access controls within the app, based on the roles the app supports and the actions each role is permitted to perform.

Testers then use this matrix to plan further security testing that determines how well these controls are enforced, or in what ways testers can bypass them.
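As an added illustration of how such a matrix drives the testing (example code written for this page, not BitCore's own tooling), the script below exercises every role/action pair against a stand-in application and reports every deviation from the matrix; the matrix, role names and mock_app() are constructed assumptions.

```python
"""Added example: check an access-control matrix against an application.
The matrix, roles and mock_app() are constructed; a real run would replace
mock_app() with authenticated requests to the target."""

# Constructed expected matrix: action -> roles permitted to perform it.
ACCESS_MATRIX = {
    "view_own_invoice": {"customer", "support", "admin"},
    "view_any_invoice": {"support", "admin"},
    "refund_invoice": {"admin"},
    "delete_user": {"admin"},
}
ROLES = ["customer", "support", "admin"]


def mock_app(role, action):
    """Stand-in for the target's enforcement, returning an HTTP-like status.
    Deliberate defect: refund_invoice also accepts 'support'."""
    if role is None:
        return 401  # unauthenticated caller
    rules = {
        "view_own_invoice": lambda r: True,
        "view_any_invoice": lambda r: r in ("support", "admin"),
        "refund_invoice": lambda r: r in ("support", "admin"),  # defect
        "delete_user": lambda r: r == "admin",
    }
    if action not in rules:
        return 404
    return 200 if rules[action](role) else 403


def check_matrix(matrix, roles, app):
    """Exercise every role/action pair and return deviations as
    (role, action, description, status). Both directions are reported:
    denied-but-allowed is a functional break, allowed-but-denied a flaw."""
    findings = []
    for action, allowed in matrix.items():
        for role in roles:
            status = app(role, action)
            if role in allowed and status != 200:
                findings.append((role, action, "denied but matrix allows", status))
            elif role not in allowed and status == 200:
                findings.append((role, action, "allowed but matrix denies", status))
        # An unauthenticated caller must never succeed on any action.
        status = app(None, action)
        if status == 200:
            findings.append((None, action, "unauthenticated access", status))
    return findings


if __name__ == "__main__":
    print(check_matrix(ACCESS_MATRIX, ROLES, mock_app))
```

The single finding it produces is the planted defect: the support role can refund invoices although the matrix reserves that action for admin.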

BitCore’s pen-testers use both commercial and freeware security tools to assess the targeted application.

During this phase, we ensure that scanning covers the whole scope of the application and that every segment is assessed for security issues.

This means that testers tune scanner configuration manually as necessary so that the scan performs well against the target.
 
Additionally, testers perform automated crawls to determine which pages are available to unauthenticated users, and to determine the full site tree.

Pentesters perform automated web application crawling and then manually verify the results.

Testers also conduct additional manual crawling to ensure better coverage, including authentication to protected application areas.

Using automated scanning, testers assess the application using the authenticated sessions where applicable.

Pentesters perform this testing with extreme caution to ensure minimum impact on the targeted system.

BitCore pen-testers then use tool-assisted manual testing to identify and analyze the target’s functionality, business logic, and deployment for vulnerabilities.

The assessment identifies published vulnerabilities, such as those cataloged in the OWASP Top 10 or tracked by CVE entries. These tests also take the target’s workflows and business logic into consideration to identify vulnerabilities within the implementation.

The assessment includes tests for different vulnerabilities, such as injection attacks that probe the robustness of server-validation routines, session management flaws that could allow user impersonation, and flaws in access control that expose data or enable users to gain elevated privileges.

If microservices are in use, testers place a specific focus on the interactions between different systems.

We thoroughly examine the access control management and the Cross-Origin Resource Sharing (CORS) implementation, in addition to the vulnerabilities outlined in the OWASP API Security Project.

For each finding, pen-testers determine the issue’s risk by demonstrating how it could be exploited and evaluating its impact within the context of the target’s business function, data, and users.

This Proof-of-Concept exploitation is done in a manner that demonstrates the presence of the vulnerability while minimizing potential adverse impact on the application, its data, and its underlying systems.

Pentesters can report all findings in real time through preferred communication channels such as Slack, assess their risks accordingly, and recommend remediation steps. Each pentester provides further detail and assistance on their findings where necessary.

Pentesters report and triage all vulnerabilities during the assessment itself. We provide details on all of the findings discovered by our pen-testers through the preferred communication channel. Clients have full visibility over discoveries in real time.

In the findings and final report, pen-testers provide detailed remediation steps and advice on further improvements of the security posture.

The client can remediate critical discoveries during and after the testing timeframe, and pentesters can test the updated components and re-test the discovered issues to confirm that no residual security risk remains for the client.
