Application Penetration Testing
Application penetration testing is a process to identify security vulnerabilities through a wide range of simulated attacks. In this process, a security engineer assumes the role of a real application user and attempts to gain access to unauthorized data, escalate privileges, and undermine the business integrity of the application. The execution of these attacks is often deeply technical, but it also requires strong creative ability; this process is where art and science truly come together to provide one of the most critical phases of application security.
Applications are unique, complex, and use many technologies requiring special security consideration. Although online applications share a number of common threats, many of the most severe vulnerabilities are unique to each application and can only be discovered via manual efforts.
Modern application penetration tests must not only account for standard application attacks, but how those attacks apply to the technology in use. Most importantly, our testing analyzes relationships between components. This aims to identify the most complex vulnerabilities which may exist as a result of a chain of weaknesses or behavior.
Because of the vast number of technologies and security implications of each, application penetration testing requires extensive experience and research. Our team was built to exclusively focus on web application security.
- Standard application attacks – XSS, SQL Injection, CSRF
- Special technology – Angular security, AWS Misconfiguration
- Component relationships – Insecure 3rd party integration
- Insecure behaviour – Bypass of critical business logic
Our assessments are heavily guided by the business purpose and technology within each application. Because of this, the type of testing done on each application extends well beyond any checklist or methodology.
Review Application Purpose and Business Logic
Before testing begins, an engineer will review the business purpose and workflows for the application in scope. “Use cases” are documented and used to develop “abuse cases”. These abuse cases are used to develop logical attacks which may directly manipulate the application in unintended ways. This is one of the most important and most often neglected areas in application security. The result of this phase is a threat model that serves as a blueprint for attacks performed in subsequent phases.
Application Stack Analysis
An analysis of the application stack is as important as the application code itself. Frameworks and libraries can be directly affected by their own vulnerabilities as well as introduce indirect abuse cases. Relationships are everything, and software components are no different. Functionality provided by frameworks can affect other components in unexpected and sometimes dangerous ways. An in-depth and creative manual assessment is the only way to piece together this complex puzzle and identify more advanced vulnerabilities.
Obtaining sensitive information is a key goal of penetration testing; small pieces of even mildly sensitive information can often be used to create or fine-tune more sophisticated attacks. There are many common ways to identify such information.
This phase attempts to obtain any sensitive information which may reveal backend architecture or server configuration. This phase is mostly passive and evaluates data sent by the server which is not visible to users via a normal web browser. The following are examples of testing performed during this phase:
- Reviewing code comments, server response headers, and metadata contained in the application.
- Enumerating HTTP verbs and attempting to induce common server error messages and pages.
- Discovery of hidden content, functionality, and components that may reveal sensitive information.
Authentication and Session Management Review
This phase assesses the strength of authentication controls and session handling. Abuse of this functionality often leads to a complete account compromise. While many attacks are well documented and commonly understood, it is easy for custom-built authentication controls to suffer from unique logical weaknesses. Because of this, a manual review is critical for these functions. This testing looks for weaknesses on login pages, password change functions, and forgotten password functionality.
Session handling is also analyzed in this phase; the strength, randomness, and expiration of tokens are key items which may yield vulnerabilities to an application. Ensuring that a user cannot predict or steal session tokens is a critical aspect of web application security.
Applications using authenticated access are subject to extensive testing of user privileges. Abuse of privileges may include the following scenarios:
- A user obtaining access to another user’s data.
- A user performing an operation on behalf of another user.
- A user forcing another user to unwillingly perform an operation.
- A user elevating privileges to gain unauthorized access.
Input validation is a key principle of web application security. Many types of vulnerabilities are a direct result of improper encoding, filtering, or data handling. These attacks range from Cross-site Scripting, where malicious users can hijack another user’s session, to SQL injection, where malicious users can gain complete control of the server. During an assessment, Virtue consultants identify all areas of an application which accept and process input from users. These areas, often referred to as parameters, are modified in an attempt to alter the application in malicious ways.
Below are common attacks carried out in this phase:
- Cross-site Scripting
- SQL Injection
- Command Injection
- LDAP Injection
- XXE Injection
- HTTP Response Splitting
- XML / JSON Injection
- URL Redirection
Logical attacks generally exploit poor business logic or a failure to properly implement controls for such functions. These attacks often have a direct financial impact on the organization.
Examples of these types of attacks are below:
- Can a customer predict a token of value? (e.g. coupon codes, account number, etc.)
- Can application calculations be manipulated in unintended ways with negative numbers or decimals? (e.g. money transfer, electronic trades, etc.)
- Can sensitive operations be performed by lesser privileged users?
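The second logical-attack question above (calculations manipulated with negative numbers or decimals) is illustrated here with an added example that is not from the original page: a naive money-transfer handler beside a hardened one. The ledger, account names and function names are constructed for the demonstration.

```python
from decimal import Decimal, InvalidOperation

def make_ledger():
    """Constructed sample ledger (not from the original page)."""
    return {"alice": Decimal("100.00"), "bob": Decimal("50.00")}

def transfer_naive(ledger, src, dst, amount):
    """Vulnerable: trusts the caller's amount. A negative amount passes the
    balance check and moves money from dst to src; a fractional-cent amount
    leaves a balance the real ledger cannot represent."""
    amount = Decimal(str(amount))
    if ledger[src] < amount:
        raise ValueError("insufficient funds")
    ledger[src] -= amount
    ledger[dst] += amount
    return ledger

CENT = Decimal("0.01")  # smallest unit the ledger carries

def parse_amount(raw):
    """Hardened: parse as Decimal (never float) and reject anything that is
    not a finite, positive value with at most two decimal places."""
    try:
        amount = Decimal(str(raw))
    except InvalidOperation:
        raise ValueError("amount is not a number")
    if not amount.is_finite():
        raise ValueError("amount must be finite")
    if amount <= 0:
        raise ValueError("amount must be positive")
    if amount != amount.quantize(CENT):
        raise ValueError("amount must have at most two decimal places")
    return amount

def transfer_safe(ledger, src, dst, raw_amount):
    if src == dst:
        raise ValueError("source and destination must differ")
    amount = parse_amount(raw_amount)
    if ledger[src] < amount:
        raise ValueError("insufficient funds")
    ledger[src] -= amount
    ledger[dst] += amount
    return ledger

def is_rejected(raw):
    """True if the hardened parser refuses the value (demo helper)."""
    try:
        parse_amount(raw)
        return False
    except ValueError:
        return True
```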
Applications often utilize a number of frameworks with many prebuilt security functions. Modern frameworks evolve quickly and often have known security issues. Evaluating the security configuration of the framework is just as important as the application code itself. For this reason, Virtue Security maintains a comprehensive database of known issues and weaknesses with a wide range of application frameworks. Below are some frameworks and components commonly evaluated:
Use of Browser Controls
Leveraging browser security options is an increasingly important aspect of application security. Modern web browser developers work closely with working groups such as the W3C and IETF to develop technologies that can prevent many web application attacks. Virtue Security pays close attention to the maturity of these technologies and makes recommendations for these when appropriate. This phase of the assessment evaluates the business purpose of the applications and decides if any preventative browser controls should be implemented. Virtue Security may make recommendations for the following controls:
Strong encryption is essential to maintain confidentiality and integrity between users and the application, and is a core tenet for protecting end users. Assessing encryption protocols, ciphers, and configuration is a final step to ensure data in transit remains private and secure. Virtue Security actively updates a knowledgebase for testing weak encryption. During testing, Virtue Security tests for a long list of ciphers with known weaknesses. This phase also checks for outdated protocols and a variety of compression-related attacks.