Web Application Penetration Testing Checklist
Most of the web applications are public-facing websites of businesses, and they are a lucrative target for the attackers. Hence, it becomes imperative for companies to ensure that their web applications are adequately protected and are not prone to cyber-attacks. Our penetration testing experts have compiled a checklist to be utilized while performing a penetration test for web applications. We will look at this checklist’s items one by one.
Contact forms available on a web application act as entry points for spammers. If adequate security mechanisms are not implemented, there are chances that the associated email account is flooded with spamming emails. Hence, the contact form should be able to identify and prevent such attacks. CAPTCHA is one such way to prevent spamming.
Proxy servers play a significant role in directing traffic to your web application and filtering out malicious activities. The penetration testers must check whether the proxy servers within an organization’s network are functioning as desired. Tools like OWASP ZAP and Burp can help the penetration testing team.
Spam Email Filter
Spam filters must be enabled to ensure that email policies are being enforced as expected. The penetration testers verify whether the spam filter can filter incoming/outgoing email and block unsolicited emails.
Just like proxy servers, network firewalls prevent undesirable traffic from entering your web application. The penetration testers not only check the efficiency of a network firewall, but they also explore the possibilities of bypassing the firewalls.
The penetration testers here simulate various modus operandi used by the attackers to simulate a real-life attack. Vulnerabilities can exist in network devices, servers, databases, web application, etc.
The penetration testers lookout for the possibilities of conducting a man-in-the-middle attack. An organization must encrypt login credentials, and they should be only transferred over a secure HTTPS connection. When a web application is to be secured, encryption plays a vital role.
Cookies store data related to a user’s session on your web application. This is a sensitive piece of information, and with increasing privacy and protection laws across the globe, it is not a favorable position for a business to allow this confidential information to get exposed to the attackers.
The penetration testers test a web application’s login page from multiple angels. One such angle is to ensure that only a limited number of login attempts are made for a corresponding user. This ensures that dictionary attacks are prevented.
Error messages on your web application should not reveal more than required information about the problem. The error messages shown must be generic in nature. A detailed error message is similar to inviting the attackers to attack your web application.
Usernames & Passwords
The penetration testers test all the usernames and passwords which are used on your web application. A password must be fairly complex, and the username must not be easily guessable.
Before files are uploaded either to your web application or server, they must be scanned to ensure that they do not contain harmful content.
This is one of the most common methods used by the attackers while exploiting web applications. The penetration testers perform SQL injection attacks on all the components of your web application.
Just like SQL injection, cross-site scripting, or XSS, is another common method employed by the attackers to launch attacks on an organization’s web application. The penetration testers check whether security mechanisms implemented to prevent an XSS attack are working correctly or not.
Once a user logs out of your web application, his user session must be terminated. Moreover, a user must be allocated minimum user access privilege possible – nothing less, nothing more. Valid sessions may be hijacked by the attackers, which allows them to view all the information that a user is allowed to.
The penetration testers analyze whether your web application is safe against brute force attacks or not. A brute force attack is a trial and error method which is used by the attackers to break through your encryption method or find the correct credentials to your web application.
By launching DoS attacks on your web application, the attackers send a large number of requests to your web application. A DoS attack not only prevents genuine users from accessing your web application but also leads to downtime. However, using appropriate mitigation tools can significantly minimize the threat.
An organization must disable directory traversal on the server where a web application is hosted. If directory traversal is not prevented, the attackers get easy access to your organization’s confidential information.
Unnecessarily open ports on your web application act as an invite for the attackers to exploit your web application. Only posts which are required for your web application to perform must be kept open.
The penetration testers review the HTTP methods used by your web application. As a mandatory step, PUT and DELETE methods shall not be enabled.
An audit of access permissions given to various users for your web application must be conducted. As stated, a user should only be given minimum access level privilege possible.
Penetration Testing for ISO 27001 Control A.12.6.110 Sep, 2019