
Penetration testing: Finding Web application flaws

Though complex, penetration testing is worth the effort and helps make Web applications as secure as possible. Here are some tips for testing effectively.

Penetration testing is a complex undertaking, but it's worth the effort to find Web application flaws. Testers can add penetration tests to black box or other exploratory testing methods.

Penetration testing is only one part of a large security testing effort, but it's critical to determining if a Web application is susceptible to security threats -- and where or in what part of the application the vulnerabilities occur.

Before testing begins, managers need to identify the application entry points and workflows or execution paths. Identifying the entry points and understanding how the application receives, shares and transfers data is essential. Test managers may need assistance from developers to find and understand how functions work. Developers can provide valuable insight into functionality typically unknown to testers, but essential for performing an effective penetration test.

Testers should walk through the application and take notes. Track and note each full URL and all HTTP requests, responses and parameters. GET and POST requests are the most common; typically, POST contains confidential data. Note which parameters are passed using GET and POST and take note of any hidden form fields that contain sensitive or personally identifiable information like address, quantity or pricing.

In addition, watch each URL and track any unusual parameters -- including custom headers -- and note whether the URL includes authentication or Secure Sockets Layer information. Track all redirects the application takes during normal application processing, including 403 Forbidden and 500 Internal Server errors.
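One way to turn the walkthrough notes above into a repeatable review, as an added example that is not part of the original article: it reads a small constructed capture of request/response pairs and flags the items the text says to track (GET parameters and hidden fields carrying sensitive data, authentication data in the URL, non-SSL requests, custom headers, redirects and 403/500 responses). The capture format and header list are assumptions of this example.

```python
from urllib.parse import urlsplit, parse_qsl
import re

# Names that suggest sensitive or personally identifiable data (from the text).
SENSITIVE = ("address", "quantity", "price", "ssn", "card", "email", "phone")
AUTH_PARAMS = ("auth", "authenticate", "session", "token", "sid")
STANDARD_HEADERS = {"host", "user-agent", "accept", "accept-encoding", "accept-language",
                    "content-type", "content-length", "cookie", "referer", "connection"}
HIDDEN_FIELD = re.compile(r'<input[^>]*type="hidden"[^>]*name="([^"]+)"', re.I)

# Constructed sample capture (not real traffic): one entry per request/response.
CAPTURE = [
    {"method": "GET", "url": "https://shop.example/checkout?user=42&price=19.99",
     "headers": {"X-Debug-Role": "admin"}, "status": 200,
     "body": '<form method="post"><input type="hidden" name="price" value="19.99">'
             '<input type="hidden" name="address" value="1 Main St"></form>'},
    {"method": "POST", "url": "http://shop.example/login?auth=yes",
     "headers": {}, "status": 302, "location": "https://shop.example/account"},
    {"method": "GET", "url": "https://shop.example/admin", "headers": {}, "status": 403},
]

def review_walkthrough(capture):
    """Return (url, note) pairs for the items the article says to track."""
    notes = []
    for entry in capture:
        url, parts = entry["url"], urlsplit(entry["url"])
        if parts.scheme != "https":
            notes.append((url, "not protected by SSL/TLS"))
        for name, _ in parse_qsl(parts.query):
            if name.lower() in AUTH_PARAMS:
                notes.append((url, f"authentication data in URL: {name}"))
            elif any(s in name.lower() for s in SENSITIVE):
                notes.append((url, f"sensitive {entry['method']} parameter: {name}"))
        for header in entry.get("headers", {}):
            if header.lower() not in STANDARD_HEADERS:
                notes.append((url, f"custom header: {header}"))
        for field in HIDDEN_FIELD.findall(entry.get("body", "")):
            if any(s in field.lower() for s in SENSITIVE):
                notes.append((url, f"hidden field carrying sensitive data: {field}"))
        status = entry["status"]
        if 300 <= status < 400:
            notes.append((url, f"redirect {status} to {entry.get('location')}"))
        elif status in (403, 500):
            notes.append((url, f"error response {status}"))
    return notes
```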

Authentication: Checking for default passwords

Start authentication testing efforts by checking for unchanged or default passwords. Part of the popularity of systems like software as a service and integration platform as a service is their ease of implementation and standard configuration via administrative interfaces; however, these systems are often installed quickly and default authentication settings are never changed. Attackers know or can locate information about default passwords or predictable password patterns.

Test for default credentials by identifying the device brand -- for example, a Cisco router or a WebLogic administrator portal. Next, check manufacturer documentation or search the Web to locate common default authentication credentials. Try using these default values to authenticate access to the application. It may take some guessing, but spend time trying common or simple derivations of default values. Test managers should note the error messages received and make a guess based on information in the error message. Error messages usually can be easily generated in the password-reset or forgotten-username functionality of a Web application.

Every organization has a set of common default passwords. Try using them in the production version of the application. For example, try the following usernames with matching or blank passwords: Admin, Guest, QA Test, Test1, Testing, Password123, QA123, Admin123.

Chances are a test manager will find that a username and password used in past testing efforts still works. Watch the URL during testing for clues about access. Web applications often add "authenticate=yes", or something similar, when one or more pieces of information is correct.

Bypassing authorization

Authorization, similar to authentication, is a secondary step in authorizing a user or role to access restricted areas. Examples within a healthcare context are a doctor and a lab technician. The doctor has access to patient records so he or she can place and manage medical orders. The lab technician, however, is limited to posting lab results to a patient record. The technician cannot edit or alter anything on the patient record. Test managers should test whether they can bypass authorization to verify access to information is secured by role.

Bypassing authorization is often simple. First, attempt to bypass the login page or popup tool by closing it or clicking different options. It's surprising how frequently a user can close or click in the main window, bypass the login and gain full access to an application or system. Test managers can also try to log in with valid information at a higher role (e.g., as a doctor). Perform actions in the Web application that are known to be for a doctor role only. Now, without logging out, open another session or window in the application and log in with a role that does not have doctor privileges. See if access is allowed and what actions can be executed.
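The doctor and lab technician scenario, as an added example that is not from the article: a minimal server-side role model in which every request is authorized against the role held for that session, plus a function that performs the two-session check described above. User names, record ids and permissions are constructed for the example.

```python
import secrets

# Constructed role model for the article's healthcare scenario.
PERMISSIONS = {
    "doctor": {"read_record", "place_order", "post_result"},
    "lab_technician": {"read_record", "post_result"},
}
USERS = {"dr_smith": "doctor", "tech_jones": "lab_technician"}  # constructed

class PatientRecordApp:
    def __init__(self):
        self.sessions = {}  # session id -> username, held server-side
        self.records = {1001: {"orders": [], "results": []}}

    def login(self, username):
        sid = secrets.token_hex(16)
        self.sessions[sid] = username
        return sid

    def _authorize(self, sid, action):
        # Every request is checked against the role stored server-side for
        # that session, never against what the client sends or the page it used.
        user = self.sessions.get(sid)
        if user is None:
            raise PermissionError("not authenticated")
        if action not in PERMISSIONS[USERS[user]]:
            raise PermissionError(f"{user} may not {action}")

    def place_order(self, sid, patient_id, order):
        self._authorize(sid, "place_order")
        self.records[patient_id]["orders"].append(order)
        return True

    def post_result(self, sid, patient_id, result):
        self._authorize(sid, "post_result")
        self.records[patient_id]["results"].append(result)
        return True

def two_session_check(app):
    """The article's check: act in a doctor session, then, without logging
    out, repeat a doctor-only action from a second session with a lesser role."""
    doctor = app.login("dr_smith")
    app.place_order(doctor, 1001, "CBC panel")
    tech = app.login("tech_jones")  # second window, lesser role
    outcome = {"tech_can_post_result": app.post_result(tech, 1001, "WBC 6.1"),
               "tech_can_place_order": False}
    try:
        app.place_order(tech, 1001, "MRI")
        outcome["tech_can_place_order"] = True  # would be a finding
    except PermissionError:
        pass  # correct: the role check is enforced on every request
    return outcome
```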

Session management: Logout functionality

Session management testing includes logout or session termination functionality. Testing for logout is an effective and surprisingly lucrative defect goldmine. Properly terminating a session keeps it from being hijacked and used to gain access to previously authenticated sessions using cross-site scripting or request forgery methods.

Test the effectiveness of the Web application's logout functionality by verifying a logout button exists and that it's easy for a user to locate without scrolling. A logout button should exist on every page within an application. After logging out, verify that the user does not still have direct access and cannot get in by manipulating the URL. Verify that the client-side session token is set to "inactive" and that the application does not set the session token to a new value. If the application sets the token to a new value, attempt to reset the value and gain access after logging out.

Test the logout again by waiting for the application to time out automatically, then attempt to access the Web application. Many users exit Web applications by closing a tab or browser. Test and verify the user is properly logged out and the session is terminated. Testing logout is especially critical when using a single sign-on system within a Web application. Often, users can log out and still have access to the main system because single sign-on systems fail to terminate sessions promptly. Attempt to gain access to other areas of the Web application using the main system and see what actions or data are accessible.
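The logout and timeout checks from the two paragraphs above, as an added example that is not part of the article: a server-side session store that forgets a token on logout (rather than minting a replacement) and expires idle sessions, run against a fake clock. The idle timeout value and token format are assumptions of this example.

```python
import secrets
import time

IDLE_TIMEOUT = 900  # seconds; an assumed policy value for this example

class SessionStore:
    def __init__(self, clock=time.time):
        self.clock = clock
        self._sessions = {}  # token -> {"user": ..., "last_seen": ...}

    def create(self, user):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "last_seen": self.clock()}
        return token

    def user_for(self, token):
        """Return the user for a live session, or None. Idle sessions are
        destroyed here, so a token kept by a closed tab becomes useless."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if self.clock() - s["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[token]
            return None
        s["last_seen"] = self.clock()
        return s["user"]

    def logout(self, token):
        # Invalidate server-side and do NOT issue a replacement token. A client
        # merely marking its copy "inactive" is not enough; the server must forget it.
        self._sessions.pop(token, None)
        return None

def logout_checks():
    """The article's logout tests, driven by a fake clock (constructed)."""
    now = [1_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    results = {}
    tok = store.create("alice")
    results["logout_issues_new_token"] = store.logout(tok) is not None
    results["old_token_after_logout"] = store.user_for(tok)   # expect None
    tok2 = store.create("alice")
    now[0] += IDLE_TIMEOUT + 1                                # user walked away
    results["after_idle_timeout"] = store.user_for(tok2)      # expect None
    tok3 = store.create("alice")
    now[0] += IDLE_TIMEOUT - 1
    results["active_before_timeout"] = store.user_for(tok3)   # expect "alice"
    return results
```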

Test managers can perform penetration tests any time during the development cycle to better ensure major security flaws are not included in a Web application's next release. Security is critical to all organizations that produce Web applications, and penetration testing adds significant value to the organization by finding application security defects.

What penetration testing techniques have you tried? What were the results?
Hey All,

I tried pen testing on Firefox by using a Firefox add-on and found some flaws in forms, and reported them to colleagues; they appreciated the idea.
Thanks for starting discussion.


Definitely some good tips. Even experienced web app testers can benefit from reviewing tips like these.
I'll admit there are some good tips here, but I'm curious about this statement:

"managers need to identify the application entry points and workflows or execution paths."

Why managers? Why specifically managers?
After reading this again, I wonder if "take notes" could have a substitute: record it with a tool like Charles, JMeter, or Fiddler.
It has been amazing to me how many times I have been able to go into an organization and in a day or two, just by listening to the teams work and interact, how quickly I can guess system passwords. It's improved a bit in the past few years with the use of password management tools, but so much of the penetration testing low hanging fruit can be had through social engineering.