Web App Penetration Testing

What is the best approach for testing websites?
The testing approaches change as per each website depending on their functionalities and features. However, the common testing approach followed is:
• Understanding the websites business logic and data flow
• Reconnaissance & Scanning using automated tools
• Penetration testing both manually and by using automated tools
• Performing Black box & gray box testing

Difference between Vulnerability scan and penetration testing?
Web security testing services, also called as VAPT includes Vulnerability scan or vulnerability assessment, to find out known vulnerabilities in a system. Vulnerability assessment tools are used for assessment. They help identify the vulnerability but do not distinguish between flaws that can be exploited to cause damage and those that cannot. Scanning is done continuously, especially after new equipment is loaded.
Vulnerability assessment focuses on:
• Identifying potential vulnerabilities
• Classifying vulnerabilities into High, Moderate, and Low risk vulnerabilities
• Identifying assets connected to the network

Penetration tests also called pen test is an attempt to exploit the vulnerabilities in a system. This is done in the way that hackers use in order to exploit the system vulnerabilities. This is done at least once in a year. This helps us to determine whether unauthorized access or other malicious activity is possible into the system and also identify which flaws pose a threat to the application. The goal of a penetration test is to identifying actual risk.
Penetration test focuses on:
• Identifying unknown vulnerabilities? zero day?
• Validating vulnerabilities by exploitation
• Identifying additional vulnerabilities not identifiable or accessible by a vulnerability assessment

What Are the Signs That a Website Has Been Hacked?
Website hacking is becoming a serious issue day by day. Attackers are becoming very advanced and tactical with their modus operandi and hence it becomes vital to safeguard your websites and detect any malicious activity in time.
Every activity leaves a trail and it is important to look for the right signs. If you see following signs it is time you take a hard look at your website.
• Your website becomes very slow and starts popping error messages.
• Browser warns user of malicious activity before redirecting to your website.
• Web site disappears from Google.
• Google search console informs you of malware or malicious activity on your website.
• Your website might redirect user to another website.

What Can a Malicious Website Do?
With growing attacks on websites, it is really important to browse the applications safely. Malicious websites may look like legitimate ones but have the potential to do a lot damage to the user. Malicious website may redirect a user to some different website and can trick them into giving them their username and password or any other form of confidential data.
A malicious website can also download malware on user's machine without them knowing about it, and do further damage to the machine. It is really important to become vigilant while surfing on the web. If you have any doubt about the website you are visiting, then get the URL tested for its authenticity. There are multiple online tools available which will scan the URL and give you the results. Valency Networks brings their experience and expertise to help you detect a malicious website and also help with the fixations. it’s imperative to make sure that you do not submit any personal or banking information on the sites which are HTTP. HTTP does not encrypt the communication between you and the server and hence anyone with the wrong intent can sniff the traffic and ultimately your data.

What Is SIRT Security?
Security Incident Response Team is responsible for assessing and handling security breaches and incidents in an organization. Their responsibilities include from handling the incident to doing root cause analysis to documenting its findings in a report.

What Is a Layer 7 Attack?
Layer 7 is the topmost layer of OSI model. It is known as the Application Layer. It helps application interact with network. Examples include: HTTP, FTP and Telnet among few Layer 7 DDOS attacks take advantages of weaknesses in the application layer to craft multiple DDOS requests against an application with the aim of making it unavailable to the user. HTTP flooding is one common type of DDOS attack where in multiple GET/POST requests are sent to the server either from one source or multiple sources. Server gets confused with the sudden flow of requests and crashes or slows down completely.

What Are the Advantages Of Https Over Http?
HTTP is a hypertext transfer protocol. IT is a means by which a web client can interact with web server for transfer or access of resources which are spread across web. HTTP does not encrypt the web requests and corresponding responses while they are travelling from client to server or vice versa. Hence, anyone monitoring the session can see the data in plain text and exploit it for further damage.
HTTPS stands for hypertext transfer protocol secure. IT is same as HTTP but with more security as it uses Transport Layer Security, a protocol to encrypt the communication between a server and client. Thus, it becomes difficult for an attacker to interpret the session and exploit it.

How To Check Website Security Online?
There are many tools to perform online automated testing. Also, there are Firefox and Chrome extensions using which we can perform both manual and automated testing. Few of them are as follows: Security Headers, Nmap, Pentest tools, Shodan, Cookie Editors, Wapplyzer, Acunitix, siteguard, sucuri, etc.

How Do I Scan a Website For Virus?
There are various automated tools that help in scanning a website for virus/malware. Listed below are few of them: URL Scanner, Quttera, SUCURI, SiteGuarding, Astra Security, VirusTotal, MalCare, ReScan, SiteGuard.

How To Secure Your Website?
After a website is created it needs to go through Code reviewing and Vulnerability Assessment & Penetration Testing before being hosted publicly. Conducting a Code review ensures code security; and checks for misconfiguration and bad coding, whereas VAPT helps in finding the loop holes and security issues in a website. This has to not only be considered before the website goes live but also need to be done quarterly, or at least half yearly to keep the site secure from the immerging attacks and vulnerabilities.

How Do You Secure Web Services?
To ensure web services are secure, one needs to perform the following:
• Code Review
• Black box testing & Gray box testing
These are the fundamentals that secure your web application code and functionalities from security misconfiguration, authentication bypass, session related attacks, Cross Site Scripting, Injection attacks, etc.

How Do You Know When a Site Is Secure?
Companies perform VAPT and claim their website is secure even after 2 year. They fail to understand that each year some new attacks are being discovered and they sites are now vulnerable to those new attacks. Hence, one need to perform continues vulnerability assessment and ensures their website has passed the OWASP Top 10 web checks in order to claim their site is secure. Listed below are the OWASP TOP 10 web vulnerabilities:
• Injection
• Broken authentication
• Sensitive data exposure
• XML external entities (XXE)
• Broken access control
• Security misconfiguration
• Cross-site scripting (XSS)
• Insecure deserialization
• Using components with known vulnerabilities
• Insufficient logging and monitoring
Read more Web Attacks Detected by VAPT Companies

How To Create a Web Server?
Before getting to the website, one needs to set up and secure their web server on which the website is going to be located. Many a times a website is vulnerable due to the misconfiguration on the web server. Listed below are the general steps to be followed while creating a web server.
• Step 1: Get a Dedicated PC
• Step 2: Get the OS & Install the OS
• Step 3: Choose a web server and install it on the OS
• Step 4: Configure the web server
• Step 5: Perform web server hardening

How Is Penetration Testing for Web App Done?
While performing the web application penetration testing, we follow OWASP Top 10 standard to find and report vulnerabilities along with which we also perform an elaborate and technical checklist of attacks. During the testing phase we perform black box, gray box, manual and automated testing. We use automated tools, in order to mimic the real life hackers; and we perform testing in a manual approach by using pre-validated and highly technical test cases. Its important to know that the subject matter expertise in penetration testing, is what makes Valency Networks different than others. This is because merely using tools is not adequate, but deeper understanding of vulnerabilities and their fixation comes from years of experience.
Read about Steps of Penetration Testing

How Do You Security Test A Web Application?
To security test a web application, one should first understand the business logic of the application and its flow. After which the purpose of the application is understood. On learning the basic information of the application we move on to the technical part of finding the application's system setup, as in, the environment, OS and web server the application is running on.
Then the security test of the web application starts on these basis by following the OWASP Top 10 standard to find, and report vulnerabilities along with which an elaborate and technical checklist of attacks is also performed. Read about Web Penetration testing process conducted by VAPT companies

How Is Application Security Maintained?
With the immerging attacks and vulnerabilities no one can announce a website to be 100% secure. However, securing the website and taking necessary steps to do so is essential. It is similar to locking our house and going out although there might be many other ways for bugler get in. Website security is not a onetime achieved success. It requires continuous assessment and pen-testing.
Listed below are few approaches that will help in maintaining application security: • Continuous Web Vulnerability Assessment • Continuous Risk analysis • Performing penetration testing for the web application as a new web module is created • Patching of software and applications as and when their updates are out.

Why Is SSL Necessary for Website?
SSL certificate encrypts the channel by which the data is transmitted thus ensuring secure communication. Having a SSL certificate for the website ensures data integrity and protection for data being shared on the internet. It is highly recommended for websites that deal with sensitive information such as credit card details, customer information, healthcare details, etc.

Read about Old SSL and Weak SSL Ciphers

Does A Black Padlock Mean a Website is Safe?
A website showing a black padlock means that website using HTTPS having a SSL certificate and an encrypted channel thus assuring that the communication channel is secure. However, this doesn't mean the website is 100% safe. To get that assurance one needs to perform a vulnerability assessment and penetration testing to ensure their application is secure for all kinds of attacks mentioned in OWASP TOP 10.

Are Http Sites Dangerous?
Browsing through a "http" website is absolutely fine as they do not ask to enter sensitive data as any data transmitted through http goes in plain text thus making is readable for anyone.

Are Web Apps Safe?
Web applications these days provide versatile features and functionality to make the UI and UX more users friendly and thus compromising on the security aspect of the application. An application developer must not just have the user experience in mind but should also ensure how secure their app can be built thus resulting in a well-developed application. We wouldn't say an application is secure unless secure coding is performed and reviewed, and an intense VAPT is performed on the application.

Is HTTPS Always Secure?
HTTPS ensure secure communication which doesn't enable the hacker to eavesdrop while the data is being transmitted, however one cannot rely wholly on HTTPS and say their application is secure because they use HTTPS. In fact, nowadays there are many HTTPS sites are being vulnerable to phishing attacks. A phishing site can readily get a CA and encrypt all traffic. Therefore, we can conclude by saying that HTTPS is not always or not anymore secure.

Is REST API Secure?
By default, a REST API is not secure. It is similar to creating a simple web page where no security related headers/checks are implemented. One need to configure the API calls and ensure all security checks are properly informed then only can a REST API be called as secure. Read about REST API security by Pentesting Companies

Can A Web Server Use Both Http & Https?
Yes. In a web server one can choose to place few web pages under https and others in http. The Web pages for which the CA is attached those web pages alone are HTTPS configured others pages by default fall under http. Although one can use both http and https, from security one of view it s advised to use only HTTPS throughout your web application. Read about HTTP and HTTPS Transition suggested by cyber security companies

How One Can Assure the Security from Web Threats?
To ensure security of a web application/ website from various threats, following things needs to be performed from the application and server point.
• VAPT for web application/ website
• Server Hardening
• Code Review

Who Is Responsible for Website Security?
The security of a web application is the responsibility of the one who hosted the application. In technical words, the SysAdmin and the Developers are also responsible for the applications security, as they are the ones who have create it and have implemented the configurations and settings on the web server.

How Can You Check If A Website Is Legit?
Internet is now filled with numerous types of websites that are being visited by millions of people in just one second. But little do we know whether what we see is legit or fake. Visiting an insecure/fake website is similar to visiting a haunted house that can lead to getting affected by malwares, sensitive data leakage, spam, and many more such deadly ghost.

Here are 8 simple ways to identify a fake website:
• Verify Website's Trust Seal: Trust seal ensures site visitors that the website is they are landed on is secure.
• Verify secure communication (http or https): HTTPS ensures the communication channel is encrypted secure. However, this does not do much as a fake site can have a https connection too. For this reason, we also need to do the next check.
• Verify the certificate: The digital certificate is issued by CA (Certificate Authorities) that contains a digital signature which confirms that the ABC Company owns this website and is trusted by internet browsers.
• Verify Certificate Issuer: Check if the certificate issuer is in the CA trust list.
• Verify Certificate Validity Date: Ensure the website certificate validity ate is not expired.
• Verify Contact Information: Check if the website has contact details of the company like physical location, company email id, mobile number, etc.
• Verify Social Media Platforms Of The Website: Visit the company's social media accounts to ensure their presence. Read reviews on those platforms to get better understanding on the company profile.
• Verify If The Website Has A Privacy Policy: Most legit sites have privacy policies mentioned and written on their websites. When it comes to e-commerce sites look for shipping and return policies if it's not present consider it to be fake.
• Observe if the website has Over-Abundance of Ads. Beware of following types of Ads:
o Ads that take up the whole page
o Ads that require you to take a survey (or complete some other action) before continuing
o Ads that redirect you to another page
o Explicit or suggestive ads
• Run a whois scan: Whois displays the domain registration information of the website

How To Harden An IIS Web Server?
Server hardening is very essential for all web servers before deploying it. Any misconfiguration on the server-side can cause ultimate damage to the entire website / application thus making it vulnerable to attacks.
Listed below are the checks performed for IIS web server hardening.
o Analyze dependencies and uninstall unneeded IIS modules after upgrading.
o Properly configure web server user/group accounts
o Use IIS 7's CGI/ISAPI Restrictions
o Configure HTTP Request Filtering Options
o Use Dynamic IP Restrictions
o Incorporate URL Authorization In Your Application
o Use Encrypted Forms-Based Authentication
o Use Application Pool Identities
o Isolate/Segregate Web Applications
o Fix Critical IIS Vulnerabilities
Listed below: OWASP IIS 10 Security Configuration Controls
o Basic Configuration
o Disable directory Browsing
o Avoid wildcard host headers
o Ensure application PoolIdentity is configured for all application pools
o Use an unique application Pool per site
o Disable IIS detailed error page from displaying remotely
o Request Filtering
o Configure maxAllowedContentLength
o Configure maxURL request filter
o Configure maxQueryString request filter
o Reject non-ASCII characters in URLs
o Reject double-encoded requests
o Disable HTTP trace requests
o Disallow unlisted file extensions
o Enable Dynamic IP Address Restrictions
o Transport Encryption
o SSL/TLS settings are controlled at the SChannel level. They are set machine wide and IIS respects these values
A list of recommendations for IIS
o Disable SSL v2/v3
o Disable TLS 1.0
o Disable TLS 1.1 o Ensure TLS 1.2 is enabled
o Disable weak cipher suites (NULL cipher suites, DES cipher suites, RC4 cipher suites, Triple DES, etc)
o Ensure TLS cipher suites are correctly ordered
o HSTS support
o IIS recently (Windows Server 1709+) added turnkey support for HSTS
o CORS support
o Implement OWASP IIS CORS configuration module if your application does not natively handle CORS.

Check this link to know more: Server Hardening Service

What is cookie?
Cookies are small text files or messages that a web server passes to the web browser when an internet site is accessed. It can be considered as an identity card. Cookies are created when you first visit a website. Upon each visit to the website again the browser passes the cookie back to the web server. This helps to track web site activity of individuals. A cookie consists of the following 7 components:
o Name of the cookie
o Value of the cookie
o Expiry of the cookie
o Path
o Domain
o Need for a secure connection to use the cookie
o Whether or not the cookie can be accessed through other means than HTTP (i.e., JavaScript)

---