How to perform web app pentesting step by step

Importance and the need for Web App Pen Testing

  • Pentesting helps in identifying unknown vulnerabilities.
  • Helps in checking the effectiveness of the overall security policies.
  • Helps in testing the components exposed publicly, like firewalls, routers, and DNS.
  • Lets users find out the most vulnerable route through which an attack can be made.
  • Helps in finding the loopholes which can lead to theft of sensitive data.

If you look at the current market demand, there has been a sharp increase in mobile usage, which is becoming a major potential avenue for attacks. Accessing websites through mobile devices is prone to more frequent attacks and hence to compromise of data.

Penetration Testing thus becomes very important in ensuring we build a secure system which can be used by users without any worries of hacking or data loss.

Web Penetration Testing Methodology & Attacks

The methodology is nothing but a set of security industry guidelines on how the testing should be conducted. There are some well-established and well-known methodologies and standards which can be used for testing, though each web application demands different types of tests to be performed.

Some of the Security Testing Methodologies and standards are:

  • OWASP (Open Web Application Security Project)
  • OSSTMM (Open Source Security Testing Methodology Manual)
  • PTF (Penetration Testing Framework)
  • ISSAF (Information Systems Security Assessment Framework)
  • PCI DSS (Payment Card Industry Data Security Standard)

Test Scenarios

Listed below are some of the test scenarios which can be tested as part of Web Application Penetration Testing (WAPT):

  • Cross Site Scripting
  • SQL Injection
  • Broken authentication and session management
  • File Upload flaws
  • Caching Servers Attacks
  • Security Misconfigurations
  • Cross-Site Request Forgery
  • Password Cracking

Web Pentesting Attacks

Cross Site Scripting

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.

SQL Injection

SQL Injection (SQLi) is a type of injection attack that makes it possible to execute malicious SQL statements. These statements control a database server behind a web application. SQL Injection attacks are one of the oldest, most prevalent, and most dangerous web application vulnerabilities.

Broken authentication and session management

These types of weaknesses can allow an attacker to either capture or bypass the authentication methods that are used by a web application. Typical examples are session IDs exposed in the URL (e.g., through URL rewriting) and session IDs that are vulnerable to session fixation attacks.
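Two checks for the weaknesses named above, as an added example that is not part of the original article: a scanner that flags requests carrying a session ID in the URL when run over access-log lines, and a minimal session store that issues a fresh ID at login so that a fixated ID stops being valid. The log lines, parameter names and the `SessionStore` class are constructed for this example and do not come from any real system.

```python
import re
import secrets
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not taken from any real system).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /account?jsessionid=A1B2C3D4 HTTP/1.1" 200 512
10.0.0.6 - - [01/Jan/2024:10:00:02 +0000] "GET /static/app.js HTTP/1.1" 200 8123
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "POST /login;PHPSESSID=9f8e7d HTTP/1.1" 302 0
10.0.0.8 - - [01/Jan/2024:10:00:04 +0000] "GET /search?q=test HTTP/1.1" 200 300
"""

SESSION_PARAMS = {"jsessionid", "phpsessid", "sessionid", "sid", "token"}
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE) (\S+) HTTP/')

def find_session_ids_in_urls(log_text):
    """Return (url, parameter) for every request that carries a session ID in its URL."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = m.group(1)
        # Query-string form: /path?jsessionid=...
        for name in parse_qs(urlsplit(url).query):
            if name.lower() in SESSION_PARAMS:
                findings.append((url, name))
        # Path-parameter form used by URL rewriting: /path;PHPSESSID=...
        for name, _ in re.findall(r";([A-Za-z_]+)=([^;?/]+)", url):
            if name.lower() in SESSION_PARAMS:
                findings.append((url, name))
    return findings

class SessionStore:
    """Minimal server-side session store that regenerates the ID on login."""
    def __init__(self):
        self.sessions = {}
    def new_session(self):
        sid = secrets.token_urlsafe(32)   # unguessable, 256 bits of randomness
        self.sessions[sid] = {"user": None}
        return sid
    def login(self, old_sid, user):
        # Rotate the ID at the privilege change: an ID planted before
        # authentication (session fixation) is invalid afterwards.
        data = self.sessions.pop(old_sid, {"user": None})
        data["user"] = user
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = data
        return new_sid
```

Session IDs in URLs end up in server logs, proxy logs, browser history and Referer headers, which is why each finding from the scanner is worth a ticket even when the session cookie itself is configured securely.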

File upload flaws

A local file upload vulnerability is a vulnerability where an application allows a user to upload a malicious file directly, which is then executed. A remote file upload vulnerability is a vulnerability where an application uses user input to fetch a remote file from a site on the Internet and store it locally.

Privilege escalation

A privilege escalation attack is a type of network intrusion that takes advantage of programming errors or design flaws to grant the attacker elevated access to the network and its associated data and applications. Not every system hack will initially provide an unauthorized user with full access to the targeted system. In those circumstances privilege escalation is required. There are two kinds of privilege escalation: vertical and horizontal.

Vertical privilege escalation requires the attacker to grant himself higher privileges. This is typically achieved by performing kernel-level operations that allow the attacker to run unauthorized code. Horizontal privilege escalation requires the attacker to use the same level of privileges he already has been granted, but assume the identity of another user with similar privileges. For example, someone gaining access to another person's online banking account would constitute horizontal privilege escalation.

Security Misconfiguration

Security misconfiguration vulnerabilities occur when a component is susceptible to attack due to an insecure configuration option. Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, database, framework, and custom code.

Password Cracking

Password cracking refers to various measures used to discover computer passwords. This is usually accomplished by recovering passwords from data stored in, or transported from, a computer system. Password cracking is done by repeatedly guessing the password, usually through a computer algorithm in which the computer tries numerous combinations until the password is successfully discovered.

Authentication Bypass

An authentication bypass vulnerability could allow attackers to perform various malicious operations by bypassing the device's authentication mechanism. Organizations failing to enforce a strong access policy and authentication controls could allow an attacker to bypass authentication.

Session Hijacking

Session hijacking, sometimes also known as cookie hijacking, is the exploitation of a valid computer session (sometimes also called a session key) to gain unauthorized access to information or services in a computer system.


  • Monitor the functional aspects of the web application.
  • Monitor the sessions and cookies related to user authentication.
  • Using tools like Burp Suite, Fiddler and the Vega vulnerability scanner, we carry out grey/black/white box testing.
  • Two aspects of testing are included: internal and external.
  • Manual and automated testing are carried out for the best results.
  • The technical team involved in the testing then conducts a meeting and discusses the vulnerabilities found.
  • A report is made and then verified with a senior engineer before sharing, for precise and accurate results.


Automated vs Manual testing

Manual testing is performed in this scenario

  • Exploratory Testing: This type of testing requires the tester's knowledge, experience, analytical/logical skills, creativity, and intuition. The test is characterized here by poorly written specification documentation, and/or a short time for execution. We need the human skills to execute the testing process in this scenario.
  • Usability Testing: This is an area in which you need to measure how user-friendly, efficient, or convenient the software or product is for the end users. Here, human observation is the most important factor, so a manual approach is preferable.
  • Ad-hoc Testing: In this scenario, there is no specific approach. It is a totally unplanned method of testing where the understanding and insight of the tester is the only important factor.

Automated testing is performed in this scenario

  • Regression Testing: Here, automated testing is suitable because of frequent code changes and the ability to run the regressions in a timely manner.
  • Load Testing: Automated testing is also the best way to complete the testing efficiently when it comes to load testing.
  • Repeated Execution: Testing which requires the repeated execution of a task is best automated.
  • Performance Testing: Similarly, testing which requires the simulation of thousands of concurrent users requires automation.

Internal & External Testing

Internal Testing

As the name suggests, internal pen testing is done within the organization over the LAN, hence it includes testing web applications hosted on the intranet. Basically, it includes malicious employee attacks by disgruntled employees or contractors who may have resigned but are still aware of the internal security policies and passwords, social engineering attacks, simulation of phishing attacks, and attacks using user privileges or misuse of an unlocked terminal.

External Testing

These are attacks done externally, from outside the organization, and include testing web applications hosted on the internet. To simulate such attacks, testers are given the IP of the target system and are not provided any other information. They are required to search and scan public web pages, find out information about the target hosts, and then compromise the hosts found. Basically, it includes testing servers, firewalls, and IDS.

Black box, White box & Grey box testing

Black box testing

  • Internal programming not known.
  • Internal workings of the application are not required to be known.
  • Also known as closed box, data-driven and functional testing.
  • Performed by end users and also by testers.
  • Testing is based on external expectations; the internal behavior of the application is unknown.
  • Least time-consuming and least exhaustive.
  • Not suited to algorithm testing.

White box testing

  • Internal programming fully known.
  • Tester has full knowledge of the internal workings of the application.
  • Performed by testers and developers.
  • Internal workings are fully known and the tester can design test data accordingly.
  • Most exhaustive and most time-consuming.
  • Data domains and internal boundaries can be better tested.
  • Suited to algorithm testing.

Grey box Testing

  • Internal programming partially known.
  • Some knowledge of the internal workings of the application is available.
  • Also known as translucent testing.
  • Performed by end users and also by testers and developers.
  • Based on high-level database diagrams and data flow diagrams.
  • Partly time-consuming and partly exhaustive.
  • Not suited to algorithm testing.
  • Data domains and internal boundaries can be tested if known.

Using tools

Burp Suite


