Securing Your Web Application through Penetration Testing

Application testing accounts for half of the assessments Raxis performs each year. Our testing is guided by the OWASP Top 10, but, like all of our assessments, it can be tailored to your specific needs. Every application test performed by Raxis is a true manual breach attempt: while we use tools to help us identify key areas, the majority of the testing is performed by hand. Our engineers test the business logic of the application, attempting to escalate privileges, force data leaks, expose sensitive information, and, in extreme cases, make the leap from the application into other environments.

Raxis helps you uncover security vulnerabilities that may have been missed during development.

Contact Us

FACT

Penetration testing a web application is not the same as a traditional network penetration test.

RAXIS REMEDY

Raxis performs real web application testing by taking a very close look at all the details that make your web app work.

Web Application Penetration Testing Questions and Answers

Because most internet services are delivered through websites, attackers commonly focus hard on a company's web applications. These applications often have security vulnerabilities that can expose usernames and passwords, credit card numbers, private customer addresses, and more.


Technically, web applications are different

Raxis uses specialized tools and techniques to find and exploit flaws in web application code.

  • Unauthenticated User: We hunt for flaws in the login process as well as authentication-bypass and session-hijacking techniques such as SQL injection against the login form, cross-site scripting, and session fixation. Anything from user enumeration and brute-force attacks to insecure direct object references is considered in scope.
  • Admin Super User: Once logged in, Raxis maps out the application, looking for technical vulnerabilities as well as business logic gaps and flaws. Configuration issues, security checks performed only on the client side, and session handling are just a few of the areas your engineer will test from within your application.
  • Basic and Read-Only Users: When setting the scope, you choose how many roles Raxis will test. We recommend testing at least a power user and a lower-level user. Raxis performs comprehensive application testing on forms, fields, and services throughout the application using every in-scope role. Testing as a user with limited permissions lets our engineers attempt operations that should only be available to higher-level users (vertical privilege escalation) and try to reach other users' data through guessable object references (horizontal privilege escalation).

A Raxis web app test thoroughly examines your application for flaws from without and within.
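As an added example (not Raxis's code or tooling), the following Python script shows the kind of role-matrix check that the multi-role testing above describes: every operation is replayed as every role, including with no session at all, and the result is compared against the access policy the application is supposed to enforce. The application, its users, endpoints, and policy are all constructed for this example and are assumptions, as is the deliberately broken `mock_app`, which is missing a role check on one endpoint and an ownership check on another.

```python
from dataclasses import dataclass

# --- Mock application, constructed for this example (not a real product) -----
# username -> (role, id of the user/record that account owns)
USERS = {"alice": ("admin", 1), "bob": ("user", 2), "carol": ("readonly", 3)}
RECORDS = {1: "alice-private", 2: "bob-private", 3: "carol-private"}
USER_IDS = {uid for _, uid in USERS.values()}


def mock_app(session_user, method, path):
    """Return an HTTP-style status code for a request made in the given session.
    Two classic access-control gaps are built in on purpose: DELETE /users/<id>
    only checks that *someone* is logged in (no role check), and GET /records/<id>
    never checks that the record belongs to the caller (an IDOR)."""
    if session_user is None:
        return 401
    role, own_id = USERS[session_user]
    parts = path.strip("/").split("/")
    if parts == ["admin"] and method == "GET":
        return 200 if role == "admin" else 403
    if len(parts) == 2 and parts[1].isdigit():
        obj_id = int(parts[1])
        if parts[0] == "users" and method == "DELETE":
            return 200 if obj_id in USER_IDS else 404      # vertical gap: any role may delete
        if parts[0] == "records" and method == "GET":
            return 200 if obj_id in RECORDS else 404       # horizontal gap: any record readable
        if parts[0] == "records" and method == "PUT":
            if obj_id not in RECORDS:
                return 404
            return 200 if role == "admin" or (role == "user" and obj_id == own_id) else 403
    return 404


# --- The access policy the application is *supposed* to enforce (assumed) ----
@dataclass(frozen=True)
class Operation:
    method: str
    path: str             # "{id}" marks an object identifier in the path
    allowed: frozenset    # roles permitted to call the operation at all
    owner_only: bool      # non-admin callers may only touch their own object


POLICY = [
    Operation("GET",    "/admin",        frozenset({"admin"}),                     False),
    Operation("DELETE", "/users/{id}",   frozenset({"admin"}),                     False),
    Operation("GET",    "/records/{id}", frozenset({"admin", "user", "readonly"}), True),
    Operation("PUT",    "/records/{id}", frozenset({"admin", "user"}),             True),
]


@dataclass(frozen=True)
class Finding:
    kind: str     # "vertical", "horizontal" or "over-restrictive"
    user: str
    method: str
    path: str
    status: int


def expected_decision(role, op, target_is_own):
    """What the policy says should happen for this role and target."""
    if role is None or role not in op.allowed:
        return "deny"
    if op.owner_only and role != "admin" and not target_is_own:
        return "deny"
    return "allow"


def run_matrix(app, users, policy):
    """Replay every operation as every session (plus no session) and report
    each place the application's behaviour disagrees with the policy."""
    findings = []
    sessions = [(None, None, None)] + [(u, r, i) for u, (r, i) in users.items()]
    for op in policy:
        for user, role, own_id in sessions:
            # Targets to try: someone else's object always; the caller's own
            # object too when ownership is what the operation should enforce.
            if "{id}" in op.path:
                other_id = next(i for _, (_, i) in users.items() if i != own_id)
                targets = [(other_id, False)]
                if op.owner_only and own_id is not None:
                    targets.insert(0, (own_id, True))
            else:
                targets = [(None, True)]
            for obj_id, is_own in targets:
                path = op.path.replace("{id}", str(obj_id)) if obj_id is not None else op.path
                status = app(user, op.method, path)
                actual = "allow" if 200 <= status < 300 else "deny"
                want = expected_decision(role, op, is_own)
                who = user or "<unauthenticated>"
                if want == "deny" and actual == "allow":
                    # Allowed role reaching another user's object is horizontal;
                    # anything else that slipped through is vertical escalation.
                    kind = "horizontal" if (role in op.allowed and op.owner_only and not is_own) else "vertical"
                    findings.append(Finding(kind, who, op.method, path, status))
                elif want == "allow" and actual == "deny":
                    findings.append(Finding("over-restrictive", who, op.method, path, status))
    return findings


if __name__ == "__main__":
    # With the mock above this reports four findings: two vertical (DELETE /users/1
    # as bob and carol) and two horizontal (GET /records/1 as bob and carol).
    for f in run_matrix(mock_app, USERS, POLICY):
        print(f"{f.kind:16} {f.user:8} {f.method:6} {f.path} -> {f.status}")
```

Against a real target, `mock_app` would be replaced by a function that sends the request with the stored session cookie or token for each role; the policy matrix is the part worth agreeing with the development team before testing, because it turns "should this have worked?" into a yes/no answer for every role and endpoint.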

Does my company need a web application penetration test?

Yes. These tests are an important tool for your development team. As they build the intuitive, essential web applications that improve processes for your employees and customers, security is likely already part of their process. Your dev team is responsible for the entire app, from user experience to security. Your application must verify that every user has authenticated correctly and is authorized for the areas of the application they use. But security doesn't end there: the application code itself must follow secure coding practices to keep data safe. Your developers deal with a lot of moving pieces.

Our engineers jump in during the testing phase of your dev team's secure software development lifecycle (SDLC). Instead of looking at your application as a legitimate user would, they take an attacker's point of view, attempting to exploit business logic vulnerabilities as well as code and configuration issues. Raxis gives your development team useful, actionable feedback and the tools they need to secure your application.

Why does Raxis use the OWASP Top Ten as a guideline for my web app test?

The OWASP Top Ten is a widely recognized list of the most critical current security risks to web applications. Your development team likely uses it to inform their security decisions, and its risk categories are embedded in our web application testing process as well. From broken access control to insecure design and injection, you can rest assured that our engineers are versed in them all.

If I’ve already had an external network test, is a web app test needed? Could the tests be performed together?

We recommend a web app test in addition to an external test, and, depending on your scope and budget, a combined test may be a good option.

External network tests focus on your internet-facing systems and network as a whole. While the pentester may try to break into your application from the point of view of an unauthenticated user, the application itself will likely not be their main focus.

A Raxis web app test, by contrast, focuses thoroughly on your application from the point of view of several roles inside and outside it. While the engineer will examine the configuration of the application server during the test, the emphasis is on the application. As our engineers examine and map out your application from each user's point of view, they test for business logic flaws, configuration weaknesses, and, of course, technical vulnerabilities, manually attempting to break your controls and gain unauthorized access. This rigorous focus on each piece of your application gives your development team the information they need to lock down the application and keep your users' data safe.

Should web app testing be a part of our Software Development Lifecycle (SDLC)?

We highly recommend that it is.

  • Pre-release testing for new applications - Raxis can test your application in a QA environment before you go live, so that you and your customers can rest assured that security features have been thoroughly tested and that protections are in place to stop malicious actors from gaining access to your site and systems or disrupting the environment.
  • Ongoing testing for applications in continuous development - When your application changes rapidly, with agile teams pushing updates to production often, Raxis recommends Penetration Testing as a Service (PTaaS) for web applications. This service includes an annual traditional penetration test followed by monthly manual testing that looks for changes to the application. When changes are found, a Raxis pentester manually tests the new or altered functionality and alerts your team to any vulnerabilities discovered. In this way your security keeps up with your constantly developing application.
  • Periodic testing for applications with scheduled updates - For applications that update rarely, meaning quarterly or even annually, companies sometimes prefer to schedule a full pentest of the changes before each update goes live. Raxis provides this within the PTaaS environment or separately through traditional pentests.

How long does it take to perform a web application penetration test?

A small web application can be pentested in about 3 days, whereas most average web applications need about 5 days. Larger web applications with multiple user roles, many input fields, and a lot of functionality will need 10 days or more.

Keep in mind that scheduling is often a challenge in the busy season, so please book your test as soon as possible in order to meet any regulatory deadlines you may have. We try to accommodate deadlines as much as we can; however, it is not uncommon for us to be booked up for several weeks at a time.

tl;dr

Web Application Penetration Test Specifications

  • Powered by Raxis One, a secure web interface for all Raxis services
  • Fully capable of working with Virtual Private Cloud (VPC) providers such as Amazon AWS, Microsoft Azure, and Google Cloud
  • Raxis utilizes the same tools and techniques as a blackhat hacker, customized for web application attacks
  • Predictable timeline for the assessment
  • Exploitation, pivoting to other in-scope systems, and data exfiltration in scope
  • Executive debrief conference provided, if desired
  • Optional re-test to validate remediation
  • All Raxis tests are aligned with the MITRE ATT&CK framework of adversary tactics and techniques
  • Meets or exceeds requirements for NIST SP 800-53, NIST SP 800-171/CMMC, PCI DSS, HIPAA, GLBA, ISO 27001, and SOX compliance
  • Available as a one-time service, multi-year agreement, or continuous monitoring/Penetration Testing as a Service
  • Self-managed testing via the Raxis One portal
©2023 Raxis LLC - All rights reserved.