Web Application Penetration Testing Methodology
Web application penetration testing is a process in which a tester uses simulated attacks to identify potential security vulnerabilities in a web application.
Methodology Details
We follow an industry-standard methodology based primarily on the OWASP Application Security Verification Standard (ASVS) and the OWASP Testing Guide. In support, we use a number of manual and automated tools, described in the following steps, to maximize coverage.
Penetration testing of a web application includes the following stages:
- Target scope reconnaissance
- Business and application logic mapping
- Automated web crawling and web scanner configuration tweaking
- Authenticated vulnerability scanning / Manual crawling
- Manual web vulnerability tests / exploit reviews / microservices
- Ongoing assessments
- Report, triage, and retest
The Cobalt team of pentesters does not need access to the underlying web application source code unless you specify it as a requirement.
We map application logic by exercising the running application.
Tests of a Web asset include tests of APIs used to populate content on that asset. If you have additional APIs, you may consider setting up:
- A combined Web + API test
- A separate test for APIs
Target Scope Reconnaissance
Based on the Pentest Brief prepared by the client, Cobalt pentesters search for information about the targets and investigate the scope. This information includes:
- Web application URLs
- Descriptions of application logic
- Functions critical to the business
Pentesters then confirm that they can:
- Reach and scan the targets
- Test the functionality of the application
Our pentesters may use reconnaissance scanning tools such as:
- Recon-ng
- Dnscan
- Dirble
- Aquatone
- Masscan
Business and application logic mapping
Pentesters manually examine the target applications to map:
- Business functions
- Workflows
- Underlying processes
They also build a matrix of the access controls within the application, based on the supported roles and the actions each role may perform. Our pentesters use this matrix to plan further security tests, which determine:
- How well these controls are enforced
- How an attacker can bypass these controls
Our pentesters may use application logic analysis tools such as:
- Burp Suite Pro/Community
- Postman
- OWASP Zed Attack Proxy
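The role-by-action matrix described above is easiest to test by replaying every action as every role and comparing the result with the expected policy. The following is an added example written for this page; it is not Cobalt's tooling. The `fake_app` function is a constructed, deliberately flawed stand-in for the target so the script runs offline; to use it against a real application, replace `send` with an HTTP client that carries each role's session cookie. The roles, paths and expected matrix are hypothetical.

```python
"""Authorization-matrix check: replay each action as each role and flag
responses that disagree with the expected access matrix."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

Request = Tuple[str, str]   # (HTTP method, path)

# Roles under test; "anon" is an unauthenticated session (hypothetical).
ROLES = ["anon", "user", "admin"]

# Expected matrix: action -> roles that should be permitted (hypothetical).
EXPECTED: Dict[Request, Set[str]] = {
    ("GET", "/api/profile"):     {"user", "admin"},
    ("GET", "/api/admin/users"): {"admin"},
    ("DELETE", "/api/users/7"):  {"admin"},
    ("POST", "/api/orders"):     {"user", "admin"},
}


def fake_app(role: str, req: Request) -> int:
    """Constructed stand-in for the target: returns an HTTP status code.
    Its DELETE handler lacks a role check so the matrix test has a bug to find."""
    method, path = req
    if role == "anon":
        return 401                      # everything under /api requires a session
    if path == "/api/admin/users":
        return 200 if role == "admin" else 403
    if path.startswith("/api/users/") and method == "DELETE":
        return 200                      # BUG: any authenticated user may delete
    return 200


@dataclass
class Finding:
    role: str
    request: Request
    status: int
    kind: str                           # what the mismatch means for the tester


def check_matrix(send: Callable[[str, Request], int],
                 roles: List[str] = ROLES,
                 expected: Dict[Request, Set[str]] = EXPECTED) -> List[Finding]:
    """Replay each (role, action) pair and return every deviation from `expected`.
    A 2xx is treated as 'allowed'; anything else as 'denied'."""
    findings: List[Finding] = []
    for req, allowed_roles in expected.items():
        for role in roles:
            status = send(role, req)
            should_allow = role in allowed_roles
            got_allowed = 200 <= status < 300
            if got_allowed and not should_allow:
                kind = "unauthenticated access" if role == "anon" else "privilege escalation"
                findings.append(Finding(role, req, status, kind))
            elif should_allow and not got_allowed:
                # Not a security bug, but it tells you the session or matrix is wrong.
                findings.append(Finding(role, req, status, "expected access denied"))
    return findings


if __name__ == "__main__":
    for f in check_matrix(fake_app):
        print(f"{f.kind}: {f.role} -> {f.request[0]} {f.request[1]} returned {f.status}")
```

Against the constructed app this reports exactly one deviation: the `user` role can `DELETE /api/users/7`, a vertical privilege escalation. Entries of the third kind ("expected access denied") are worth keeping in the output because an expired session or a wrong matrix entry silently turns the whole check into false negatives. The same loop extends to horizontal checks by adding object identifiers owned by different users to the action list.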
Automated Web Crawling and Web Scanner Configuration Tweaking
Our pentesters use both commercial and free security tools to assess the targeted application. They tune these tools as needed so that scanning can find security issues in every segment of your asset and in the application as a whole.
In addition, our pentesters run automated crawls to:
- Identify pages that are available to unauthenticated users
- Determine the full site tree
Our pentesters may use web crawling and scanning tools such as:
- Nmap
- Burp Suite Pro/Community
- Nikto
Authenticated Vulnerability Scanning / Manual Crawling
In this part of the pentest process, our pentesters:
- Use automated tools for web application crawling
- Verify the results manually
- Run manual crawling tests for better coverage
- Verify authentication on protected areas of the application
With automated scanning, our pentesters assess the application using authenticated sessions where applicable.
Our pentesters use extreme caution to minimize impact on the targeted system. They may use vulnerability scanning tools such as:
- WPScan
- Burp Suite Pro/Community
- sqlmap
Manual Web Vulnerability Tests / Exploit Reviews / Microservices
Cobalt pentesters use tool-assisted manual tests to identify and analyze the following parts of the app for vulnerabilities:
- Functionality
- Business logic
- Deployment
The assessment identifies published vulnerabilities, including:
- Vulnerability classes listed in the OWASP Top 10
- Known vulnerabilities in third-party components tracked by CVE entries
Our pentesters also take the workflows and business logic into consideration when they identify vulnerabilities in the application.
The assessment includes tests for vulnerabilities such as:
- Injection attacks that probe the robustness of server-validation routines
- Session management flaws that could allow user impersonation
- Flaws in access control that expose data or enable users to gain elevated privileges
If the application includes microservices, our pentesters focus on interactions between the different systems. They thoroughly examine:
- Access control management
- Cross-Origin Resource Sharing (CORS) implementation
- Vulnerabilities outlined in the OWASP API Security Project
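A CORS review comes down to sending a set of crafted `Origin` values and reading what the server echoes back in `Access-Control-Allow-Origin` and `Access-Control-Allow-Credentials`. The example below is added for this page and is not Cobalt's code or any tool's; `fake_server` is a constructed, misconfigured stand-in whose origin check uses `startswith()` and a dot-less `endswith()`, and the trusted host `example.com` is hypothetical. To run it against a real target, replace `send` with a function that issues a request carrying the given `Origin` header and returns the response headers.

```python
"""Probe a CORS policy with hostile Origin values and classify each response."""
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit


def classify_cors(origin_sent: str, headers: Dict[str, str], trusted_host: str) -> str:
    """Severity label for the CORS headers returned when `origin_sent` was the request Origin."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao is None:
        return "none: no Access-Control-Allow-Origin header"
    if acao == "*":
        # Browsers refuse to send credentials to a '*' policy, so only
        # non-credentialed responses are exposed cross-origin.
        return "low: wildcard origin (browsers drop credentials for '*')"
    if acao == "null":
        # Sandboxed iframes and data: URLs carry Origin 'null'; allowing it
        # lets an attacker page read the response.
        return ("high" if creds else "medium") + ": 'null' origin allowed"
    if acao == origin_sent:
        host = (urlsplit(origin_sent).hostname or "").lower()
        if host == trusted_host or host.endswith("." + trusted_host):
            # Subdomains are 'trusted' only as far as every one of them is free of XSS.
            return "info: trusted origin reflected"
        return ("high" if creds else "medium") + f": untrusted origin reflected ({origin_sent})"
    return f"info: fixed allow-list origin {acao}"


def probe_origins(trusted_host: str) -> List[str]:
    """Origins a tester sends to find common validation mistakes."""
    return [
        f"https://{trusted_host}",                       # control: the legitimate origin
        "https://attacker.example.net",                  # arbitrary third party
        f"https://{trusted_host}.attacker.example.net",  # defeats a startswith() check
        f"https://evil{trusted_host}",                   # defeats endswith() without a leading dot
        "null",                                          # sandboxed iframe / data: URL origin
    ]


def audit_cors(send: Callable[[str], Dict[str, str]], trusted_host: str) -> List[Tuple[str, str]]:
    """Send every probe origin through `send` and pair it with its classification."""
    return [(o, classify_cors(o, send(o), trusted_host)) for o in probe_origins(trusted_host)]


def fake_server(origin: str) -> Dict[str, str]:
    """Constructed stand-in for a misconfigured service (hypothetical, not a real app)."""
    if (origin.startswith("https://example.com")
            or origin.endswith("example.com")
            or origin == "null"):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}


if __name__ == "__main__":
    for origin, verdict in audit_cors(fake_server, "example.com"):
        print(f"{origin:45} {verdict}")
```

Against the constructed server, the legitimate origin is reported as informational, the arbitrary third-party origin gets no CORS headers at all, and the three bypass probes (`example.com.attacker.example.net`, `evilexample.com` and `null`) are each reflected with credentials and rated high, which is the finding a tester would write up with a proof-of-concept page that reads an authenticated API response.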
For each finding, pentesters determine the associated risk by:
- Demonstrating how the issue could be exploited
- Evaluating its impact within the context of the business function, data, and users of the asset
- Building a proof-of-concept exploit that demonstrates the presence of the vulnerability while minimizing adverse impact to the application, its data, and its underlying systems
Our pentesters use multiple testing and exploitation tools such as:
- Burp Suite Pro/Community
- OWASP ZAP
- Dirble
- Nuclei
Ongoing Assessments
Our pentesters report their findings, in real time, through the Cobalt platform. They also:
- Assess all risks
- Recommend steps for remediation
You’re welcome to communicate with our pentesters for each of their findings.
Report, Triage, and Retest
Our pentesters report and triage all vulnerabilities during the assessment. You can review details of all findings, in real time, through the Cobalt platform. In these findings, as well as in any report, our pentesters include detailed information on how you can:
- Remediate each finding
- Improve your overall security posture
If you remediate findings during the supported pentest period, our pentesters can retest your updated components against each discovered vulnerability.
Additional Requirements
You’re welcome to define additional test objectives. If you follow best practices other than OWASP, ASVS, or OSSTMM, let us know. Include a link or other documentation. If it’s a well-known security practice, our pentesters probably already know it!
If you have special instructions for a pentest, add them later, under Special Instructions.