The widespread use of web applications by businesses and organizations has made them a lucrative target for attackers. It only takes one successful exploit to cause a breach in an application's security and compromise an organization and its customers. These incidents have the potential to damage a companys reputation and cause significant financial loss. With todays increasing cyber threat landscape, criminals need only to find a single mistake in an application's design or a known vulnerability to exploit weaknesses and cause havoc. Organizations should anticipate these dangers and apply best practices with regards to security for their web applications.
For developers, designing a web application should follow an established code review framework - a good resource for this is the OWASP Code Review Project. However, designing web applications to be secure is no longer enough. One of the most important strategies an organization can adopt is to regularly assess the security posture of their web applications through two primary methods: web vulnerability assessment and web application penetration testing.
Vulnerability assessments provide an automated means of determining deficiencies by crawling the web site to discover potential vulnerabilities and reporting these results. There are a number of open source and commercial vulnerability scanning tools available. As an example, one popular open source tool to perform this scan is w3af.
Shown below, the scan results show that a cross-site scripting (XSS) vulnerability was discovered:
A comprehensive vulnerability assessment includes many of the same processes as a penetration test, however there is a major distinction in the results they provide. Web application penetration testing is done using more rigorous means: utilizing both automated tools and manual methods such as scripts and interactive tools and by following a proven methodology.
During a penetration test, vulnerabilities are not only identified,an attempt is made to exploit them.
Overview of the Penetration Testing Process:
The methodology of a penetration test follows the process of reconnaissance, mapping, discovery and the subsequent exploitation of vulnerabilities. The human element allows for the testing of business logic flaws with a thinking outside of the box approach.
Vulnerability assessments and penetration tests follow much of the same process, as they both start with the:
Phase 1 Reconnaissance
This involves gathering information about the web application through direct and indirect means, such as analyzing DNS records, web search results and other information that is available.
Phase 2 Mapping
This involves spidering or downloading the web site and identifying deficiencies in the web server and software configuration.
Phase 3 Discovery
Vulnerabilities such as information leakage, SQL Injection, Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) are identified. At this point a vulnerability assessment is complete, but the penetration test takes the process a step further
Phase 4 Exploitation
This is where attempts are made to exploit the identified vulnerabilities to simulate real world attacks. The exploitation phase is demonstrated in the following example:
The popular Heartbleed vulnerability (CVE-2014-0160) was identified by a scanning tool called Nmap, it was able to detect a vulnerable version of OpenSSL running on a web server.
The impact of Heartbleed was the leaking of sensitive data, so the next step of this stage is to verify that this vulnerability is real and can be exploited. After running the exploit using tool called Metasploit, the result was a success and some sensitive data is seen (below).
Approaching Web Security for Your Organization
Performing regular vulnerability assessments of your web application is an important part of any organization's security and development program. DOSarrest offers both vulnerability and penetration testing and assessments as a comprehensive service for businesses and organizations. The Vulnerability Testing and Optimization or VTO is a web vulnerability assessment and performance analysis using industry leading commercial tools. The Web Penetration Testing Service is done by our in-house security experts and provides a comprehensive assessment of your web applications security.
As security threats and attacks are becoming more sophisticated, it is necessary to employ a security program to further protect your company and assets. Working with a team of skilled penetration testers to assess web applications has proven to be invaluable for companies that require the highest level of security. For our clients, these services have become an essential part of their security program to ensure their web applications remain secure and performing at optimal levels.
DOSarrest Security Operations Analyst