Introduction to Penetration Testing and Web Applications
A web application uses the HTTP protocol for client-server communication and requires a
web browser as the client interface. It is probably the most ubiquitous type of application in
modern companies, from Human Resources' organizational climate surveys to IT technical
services for a company's website. Even thick and mobile applications and many Internet of
Things (IoT) devices make use of web components through web services and the web
interfaces that are embedded into them.
Not long ago, it was thought that security was necessary only at the organization's
perimeter and only at the network level, so companies spent a considerable amount of money on
physical and network security. That, however, brought a somewhat false sense of security,
given their reliance on web technologies both inside and outside of the organization. In
recent years and months, we have seen news of spectacular data leaks and breaches of
millions of records including information such as credit card numbers, health histories,
home addresses, and the Social Security Numbers (SSNs) of people from all over the
world. Many of these attacks were started by exploiting a web vulnerability or design
failure.
Modern organizations acknowledge that they depend on web applications and web
technologies, and that they are as prone to attack as their network and operating
systems—if not more so. This has resulted in an increase in the number of companies that
provide protection or defense services against web attacks, as well as the appearance or
growth of technologies such as Web Application Firewall (WAF), Runtime Application
Self-Protection (RASP), web vulnerability scanners, and source code scanners. Also, there
has been an increase in the number of organizations that find it valuable to test the security
of their applications before releasing them to end users, providing an opportunity for
talented hackers and security professionals to use their skills to find flaws and provide
advice on how to fix them, thereby helping companies, hospitals, schools, and governments
to have more secure applications and increasingly improved software development
practices.
Proactive security testing
Penetration testing and ethical hacking are proactive ways of testing web applications by
performing attacks that are similar to a real attack that could occur on any given day. They
are executed in a controlled way with the objective of finding as many security flaws as
possible and to provide feedback on how to mitigate the risks posed by such flaws.
It is very beneficial for companies to perform security testing on applications before
releasing them to end users. In fact, there are security-conscious corporations that have
nearly completely integrated penetration testing, vulnerability assessments, and source
code reviews in their software development cycle. Thus, when they release a new
application, it has already been through various stages of testing and remediation.
Different testing methodologies
People are often confused by the following terms, using them interchangeably without
understanding that, although some aspects of these terms overlap, there are also subtle
differences that require your attention:
Ethical hacking
Penetration testing
Vulnerability assessment
Security audits
Ethical hacking
Very few people realize that hacking is a misunderstood term; it means different things to
different people, and more often than not a hacker is thought of as a person sitting in a dark
enclosure with no social life and malicious intent. Thus, the word ethical is prefixed here to
the term, hacking. The term, ethical hacker is used to refer to professionals who work to
identify loopholes and vulnerabilities in systems, report them to the vendor or owner of the
system, and, at times, help them fix the system. The tools and techniques used by an ethical
hacker are similar to the ones used by a cracker or a black hat hacker, but the aim is
different, and they are applied in a more professional way. Ethical hackers are also known as security
researchers.
History of Penetration testing
Penetration testing is a term that we will use very often in this book, and it is a subset of
ethical hacking. It is a more professional term used to describe what an ethical hacker does.
If you are planning a career in ethical hacking or security testing, then you would often see
job postings with the title, Penetration Tester. Although penetration testing is a subset of
ethical hacking, it differs in many ways. It's a more streamlined way of identifying
vulnerabilities in systems and finding out if the vulnerability is exploitable or not.
Penetration testing is governed by a contract between the tester and owner of the systems to
be tested. You need to define the scope of the test in order to identify the systems to be
tested. Rules of Engagement need to be defined, which determine the way in which the
testing is to be done.
Vulnerability assessment
At times, organizations might want only to identify the vulnerabilities that exist in their
systems without actually exploiting them and gaining access. Vulnerability assessments are
broader than penetration tests. The end result of a vulnerability assessment is a report
prioritizing the vulnerabilities found, with the most severe ones listed at the top and the
ones posing a lesser risk appearing lower in the report. This report is very helpful for clients
who know that they have security issues and who need to identify and prioritize the most
critical ones.
Security audits
Auditing is a systematic procedure that is used to measure the state of a system against a
predetermined set of standards. These standards can be industry best practices or an in-
house checklist. The primary objective of an audit is to measure and report on conformance.
If you are auditing a web server, some of the initial things to look out for are the open ports
on the server, harmful HTTP methods, such as TRACE, enabled on the server, the encryption
standard used, and the key length.
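As an added illustration of the checklist item above (this is example code written for this page, not code from the chapter), the audit below checks one web server for the TRACE method in two ways: it reads the Allow header returned by OPTIONS and then probes TRACE directly, because a server can echo a TRACE request back even when its Allow header omits it. The demo server, host address and header name X-Audit-Marker are constructed for the example so that it runs entirely on localhost.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def audit_http_methods(host, port, path="/"):
    """Audit one server for TRACE: check the OPTIONS Allow header, then probe TRACE directly."""
    findings = []
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("OPTIONS", path)
    resp = conn.getresponse()
    resp.read()
    allowed = {m.strip().upper() for m in resp.getheader("Allow", "").split(",")}
    if "TRACE" in allowed:
        findings.append("Allow header advertises TRACE")
    # A 200 that echoes our marker header proves TRACE is live, whatever Allow claimed.
    conn.request("TRACE", path, headers={"X-Audit-Marker": "trace-check"})
    resp = conn.getresponse()
    if resp.status == 200 and b"X-Audit-Marker" in resp.read():
        findings.append("TRACE is enabled: server echoes the request back")
    conn.close()
    return findings

class _DemoHandler(BaseHTTPRequestHandler):
    """Constructed local stand-in for the audited host; trace_enabled toggles the weakness."""
    trace_enabled = True
    def log_message(self, *args):  # keep the demo quiet
        pass
    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", "GET, HEAD, OPTIONS" + (", TRACE" if self.trace_enabled else ""))
        self.send_header("Content-Length", "0")
        self.end_headers()
    def do_TRACE(self):
        body = (self.requestline + "\r\n" + str(self.headers)).encode() if self.trace_enabled else b""
        self.send_response(200 if self.trace_enabled else 405)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def start_demo_server(trace_enabled):
    handler = type("DemoHandler", (_DemoHandler,), {"trace_enabled": trace_enabled})
    server = HTTPServer(("127.0.0.1", 0), handler)  # ephemeral port on localhost
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

if __name__ == "__main__":
    for enabled in (True, False):
        srv = start_demo_server(enabled)
        print("TRACE enabled:", enabled, audit_http_methods("127.0.0.1", srv.server_address[1]))
        srv.shutdown()
```

Against a real host the same audit_http_methods call applies unchanged; the two findings map directly onto the "harmful HTTP methods" line of the audit checklist.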