Application Security Testing - Methodology & Approach

Introduction: 

Application Security Testing is a process to identify security vulnerabilities and weaknesses in web applications. It combines automated scanning with manual testing, using several application security tools.

The main goal of this security testing is to make web applications more resistant to security threats by finding and fixing weaknesses before cyber attackers can locate and exploit them. It helps the organization secure its web applications and also shows how effective its current security defenses are.

There are different methodologies used to perform web application security testing such as Black Box Security Testing, White Box Security Testing and Gray Box Security Testing.

In this article, we explain Gray Box Application Security Testing, which combines elements of both white box and black box testing.

Methodology: 

The methodology proposed for application security testing is a structured five-step process that requires a high level of manual testing and a thorough understanding of the application.

  1. Understanding the Application
  2. Create Threat Profile
  3. Test Plan Preparation   
  4. Performing Manual and Automated Security Tests
  5. Report Generation

1. Understanding the Application:

The first step for the cyber security team, before testing the web application, is to understand its different features and functions. The team should browse through the application, read the user manuals, and, if necessary, arrange a walkthrough of the application with the application owner or developers. The aim of this step is to ensure that the security team is fully aware of the application's functions, purpose, features, and so on.

2. Create Threat Profile: 

The Threat Profile is a list of all the potential threats that have been identified and is the starting point for the subsequent tests. It also includes information about threat actors and threat scenarios, and presents a detailed illustration of how these components fit together. Here, penetration testers focus on the goals of the cyber attackers.

A few examples of threats for a web application are:

  • Unauthorized access to the application if access controls are missing or not implemented properly.
  • Sensitive data exposure when data in transit or at rest is encrypted with weak cryptographic algorithms or poorly generated keys, or is stored in cleartext.
  • Injection attacks when user input is not sanitized, filtered, or validated by the application.
  • Design and architectural flaws such as logical problems in the code, unprotected stored data, and displayed content that reveals sensitive information.
  • Missing security hardening or incorrectly configured permissions.

3. Test Plan Preparation:

The next step, once the Threat Profile is final, is Test Plan preparation. Ensure that each threat in the Threat Profile is mapped to the specific pages of the application where it applies.

The Test Plan then identifies all the attacks that need to be performed on those pages to assess that specific threat.

The Test Plan should include but not be limited to the below critical threats:

  • OWASP Top-10 – 2021 Vulnerabilities
  • CWE/SANS TOP 25 Most Dangerous Software Errors

4. Performing Manual and Automated Security Tests: 

Once the Test Plan and Test Cases are prepared and approved, perform security testing with both manual and automated checks that follow the Test Plan. During testing, the testing engineer may identify additional tests or attacks to execute; record each such addition in the Test Plan before performing the new tests.

The testing team should work through the threats one by one and execute the corresponding tests. If a test case succeeds, mark it as unsafe in the Test Plan. Ensure that the sequence of screenshots illustrating the attack is recorded and included in the final report.

For automated testing, there are a number of commercial and open-source tools available. Some of the notable commercial tools are HCL AppScan, Micro Focus WebInspect, etc. For manual testing, Burp Suite is one of the best tools available.

Among open-source tools, Kali Linux is the best choice for performing a wide range of attacks. Kali Linux is typically run as a VM and contains a large number of open-source penetration testing tools.

5. Report Generation: 

A report is generated detailing all the identified vulnerabilities in the web application along with specific recommendations to mitigate each risk. Based on the risks discovered in the application, the team suggests practical solutions and develops an implementation roadmap for strengthening security.

This can involve patch recommendations, configuration changes, code changes, addition of new features, suggestions on improving practices & policies, and options on security products for controlling the discovered risks.

Below is the list of contents of the detailed application security testing report:

  • Identified Vulnerabilities
  • Description and Impact
  • Vulnerability Ratings
  • Steps to reproduce the vulnerabilities
  • Threat Profile
  • Test Plan
  • Screenshots where feasible
  • Recommendations with details and additional resources
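To make steps 3 to 5 concrete, here is an added example (not code from the original article) of a small tracker that enforces the rules described above: every threat in the profile must map to a page, each page/threat pair becomes a test case, a successful attack is marked unsafe and must carry screenshots, and the report lists the identified vulnerabilities only once the whole plan has been run. The threat names, pages, and screenshot file names are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class Threat:
    name: str
    pages: list        # application pages this threat is mapped to (step 3)

@dataclass
class TestCase:
    threat: str
    page: str
    status: str = "untested"                     # untested | safe | unsafe
    evidence: list = field(default_factory=list) # screenshot file names

def build_test_plan(profile):
    """Step 3: every threat must be mapped to at least one page before testing starts."""
    unmapped = [t.name for t in profile if not t.pages]
    if unmapped:
        raise ValueError("threats with no page mapping: " + ", ".join(unmapped))
    return [TestCase(t.name, p) for t in profile for p in t.pages]

def record_result(case, attack_succeeded, screenshots=()):
    """Step 4: a successful attack marks the case unsafe and must carry screenshots."""
    case.status = "unsafe" if attack_succeeded else "safe"
    case.evidence = list(screenshots)
    if case.status == "unsafe" and not case.evidence:
        raise ValueError(f"unsafe result for {case.threat} on {case.page} has no evidence")

def generate_report(plan):
    """Step 5: list identified vulnerabilities; refuse to report an unfinished plan."""
    pending = [c for c in plan if c.status == "untested"]
    if pending:
        raise ValueError(f"{len(pending)} test case(s) still untested")
    findings = [{"threat": c.threat, "page": c.page, "screenshots": c.evidence}
                for c in plan if c.status == "unsafe"]
    return {"tested": len(plan), "identified_vulnerabilities": findings}

def demo():
    """Constructed sample engagement using two of the article's example threats."""
    profile = [Threat("Unauthorized access (missing access control)", ["/admin/users", "/account"]),
               Threat("Injection (unvalidated input)", ["/search"])]
    plan = build_test_plan(profile)
    record_result(plan[0], attack_succeeded=True, screenshots=["admin-as-user-1.png"])
    record_result(plan[1], attack_succeeded=False)
    record_result(plan[2], attack_succeeded=False)
    # An extra test identified during testing is added to the plan before it is run.
    plan.append(TestCase("Injection (unvalidated input)", "/export"))
    record_result(plan[-1], attack_succeeded=True, screenshots=["export-1.png"])
    return generate_report(plan)
```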

Pre-requisites for Application Security Testing:

  • The URL of the application to be tested.
  • Administrators guide / User manual / Help, if available.
  • Two activated login IDs/passwords for each privilege level (examples of privilege levels are Normal User, Supervisor, Manager, and Administrator).
  • Application sample data that can be used for testing, for example:
    • Account details of a user.
    • Sample content that can be viewed and queried.
    • Sample content that may be edited or modified during testing.
  • Notification of when the application will be available for testing.
  • Management approval.
