Web application penetration testing is a way to identify vulnerabilities that exist in a web application.
A penetration test usually involves trusted individuals using the same attack methods that hostile intruders or hackers use. It involves scanning a given URL of the web application for services with known vulnerabilities, or even exploiting known vulnerabilities that exist in an unpatched part of the web application. The results of these tests or attacks are then documented and presented as a report to the client, and the vulnerabilities identified can then be resolved.
Steps
Stage 1 - Information Gathering. This stage provides the auditor with information about the target(s) at hand. It includes the gathering of both technical details on the target application or network, as well as the gathering of publicly available information on the owner of the network or application in question.
Stage 2 - Information Analysis and Planning. This stage represents the collation of the information gathered in Stage 1 by the auditor. Once this information is organized, a series of actions are taken. These include high-level attack planning regarding the overall approach for the audit in question, as well as formalizing which targets require further research in Stage 3.
Stage 3 - Vulnerability Detection. When all the targets and approaches have been identified, the auditing team searches for vulnerabilities in the targets, which will allow them to gain access.
Stage 4 - Target Penetration. This is the stage of the process where an actual break-in is attempted. This stage is dependent on the successful completion of Stage 3.
Stage 5 - Analysis & Reporting
The top vulnerabilities possible in web applications are:
- Unvalidated Input
- Broken Access Control
- Broken Authentication and Session Management
- Cross-Site Scripting (XSS) Flaws
- Buffer Overflows
- Injection Flaws
- Improper Error Handling
- Insecure Storage
- Denial of Service
- Insecure Configuration Management