Web App Penetration Testing Services
VAPT Process
Valency Networks is one of the top cyber security companies in India. That is purely because of the experience and expertise that we bring in, to help our customers fix their cyber security problems. The secret of being a best VAPT vendor is due to a systematic and yet agile approach we follow, to test website or web application security. This helps our customers gain an extremely accurate and elaborate results along with a knowledge base and years of experience on the subject matter. We follow OWASP Top 10 standard to find and report vulnerabilities.
While performing the web application penetration testing, we follow an elaborate and technical checklist of attacks. It is called as Web server Security Attacks Checklist , and is updated regularly, as the attack vectors for web applications change over the period of time.
Before Testing Starts
Sign NDA
Freeze on scope
Study Cloud App Architecture
Study Cloud User Roles
Decide attack vectors and prioritize
Allocate single point of contact
During Testing
Black box testing
Gray box testing
Automatic and Manual Testing
Testing Phases
Reconnaissance
Scanning
Gaining Access
Maintaining Access
Covering Tracks
Gathering Logs
After Testing
Analyse logs
Confirm results
Apply Knowledge
Apply Experience
Repeat Test if required
Testing Outcome
Detailed technical report (OWASP Top 10 Standard)
Executive summary
High level fixation solutions
Certificate of testing completion (optional)
Web App VAPT Process
Before Testing Starts
Sign NDA
This is essential to give a confidence to our customers. When they sign NDA, we follow it strictly and customers are convinced that we are the right VAPT vendor for them.
Freeze on scope
We freeze on scope of the testing to ensure that there is no confusion in customer’s mind. Our scoping process includes a technical consultancy in cyber security space. This helps customers understand our role as an expert in the subject matter of pentesting.
Study Web App Architecture
We perform a detailed review of the web applications architecture. Customers usually want us to treat is as VAPT consultants, more than just as VAPT testers. The web security architecture review is not mandatory, but it helps customers understand our perspective about the entire VAPT approach, and VAPT methodology.
Study Web User Roles
Typically web applications have more than 1 roles. They have admins, non-admins and many other roles based on the business aspect of the application. Penetration testing includes many critical attacks such as SQL injection, privilege escalation etc which expose the authorization vulnerabilities in the web app. We study these roles to understand the app better.
Decide attack vectors and prioritize
At this point we as VAPT consultants have gathered adequate information to proceed with the testing. We discuss internally about the various attack vectors and techniques that we are planning to use for pentesting of the web application. In almost all cases we discuss these with the customers, to ensure that their experience about the testing also is taken into account.
Allocate single point of contact
Finally we allocate a single point of contact who heads the pentesting effort from Valency Networks. This commences the testing with the point of contact on customer’s side.
During Testing
While performing the web application penetration testing, we follow OWASP Top 10 standard to find and report vulnerabilities along with which we also perform an elaborate and technical checklist of attacks. During the testing phase, our certified and endorsed penetration testers perform black box, gray box, manual and automated testing. As a VAPT service provider, we use automated tools too, but in order to mimic the real-life hackers our expertise is in performing manual testing approach by using pre-validated and highly technical test cases. This makes us one of the Top VAPT companies in India or the best vapt company near you.
Test Approaches
- Black box testing
- Gray box testing
- Automatic and Manual Testing
Pentesting Process
Pentesting is a technical outcome of years of experience and expertise. While there are tons of case studies of cyber security testing with Valency Networks, as a gist we can say that while testing security of a web application, one should first understand the business logic of the application and its flow. After which the purpose of the application is understood. On learning the basic information of the application, we move on to the technical part of finding the application's system setup, as in, the environment, OS and web server the application is running on. Then the security test of the web application starts on these bases by following the OWASP Top 10 standard to find, and report vulnerabilities along with which an elaborate and technical checklist of attacks is also performed.
Data collection
Various methods including Google search and Google Dorks are used to get target system data. One can also use web page source code analysis technique to get more info about the system, software and plugin versions. There are many free tools and services available in the market which can give you information like database or table names, databse versions, software versions, hardware used and various third-party plugins used in the target system.
Vulnerability Assessment
Based on the data collected in first step one can find the security weakness in the target system. This helps penetration testers to launch attacks using identified entry points in the system.
Vulnerability Exploitation
This step requires special skills and techniques to launch attack on target system. Experienced penetration testers use their skills to launch attack on the system.
Result analysis and report preparation
After completion of penetration tests detailed reports are prepared for taking corrective actions. All identified vulnerabilities and recommended corrective methods are listed in these reports. You can customize vulnerability report format (HTML, XML, MS Word or PDF) as per your organization needs.
Exploit Categories
- Web server exploits
- Web service exploits
- Authentication problems
- Configuration problems
- Database related problems
- Scripting related problems
- More details
Vulnerabilities Detected
• SQL Injection
• Cross Site Scripting (XSS)
• Cross Site Request Forgery (CSRF)
• Forms Input Forgery
• Code Injection
• Cookie Poisoning
• 400+ other vulnerabilities
• Details on each attack
Standards Followed
• OWASP Top 10 – 2021
• CVSS (write a paper)
After Testing
• Analyze logs
• Confirm results
• Apply Knowledge
• Apply Experience
• Repeat Test if required
Outcome of Testing
• Detailed technical report (OWASP Top 10 Standard)
• Executive summary
• High level fixation solutions
• Certificate of testing completion (optional)
Web Pentesting : Automated VAPT and Manual VAPT
VAPT (Vulnerability Assessment and Penetration Testing) is a critical process for assessing the security of web applications. It involves identifying vulnerabilities and weaknesses in the application's infrastructure, code, and configurations. VAPT can be conducted through automated tools, manual testing, or a combination of both. Here are the features of both automated and manual VAPT for web applications:
Automated VAPT:
• Speed and Efficiency: Automated tools can quickly scan large portions of the application, making them efficient for identifying common and well-known vulnerabilities.
• Scalability: These tools can be easily applied to multiple applications simultaneously, which is especially useful for organizations with a large number of applications to test.
• Coverage: Automated tools can cover a wide range of vulnerabilities and issues, including those that might be time-consuming for manual testers to find.
• Repeatability: The tests can be run repeatedly, ensuring that vulnerabilities remain fixed and no new ones are introduced during development.
• Consistency: Automated scans follow predefined scripts or algorithms, reducing the chances of human error that can occur in manual testing.
• Baseline Testing: Automated scanning can establish a baseline for known vulnerabilities, allowing manual testers to focus on more complex issues.
• Cost-Effective: Automated testing can be more cost-effective for identifying common vulnerabilities, as it requires less human resources compared to manual testing.
Limitations Automated VAPT:
• False Positives/Negatives: Automated tools can produce false positives (reporting issues that aren't actually vulnerabilities) and false negatives (missing actual vulnerabilities).
• Lack of Context: Automated tools might not understand the application's specific context, leading to incorrect assessments of potential vulnerabilities.
• Limited to Known Vulnerabilities: Automated tools are primarily designed to detect known vulnerabilities and might miss zero-day exploits or custom vulnerabilities.
• Complex Vulnerabilities: Advanced vulnerabilities that require manual analysis to identify might be overlooked by automated scans.
Manual VAPT:
• In-depth Analysis: Manual testing involves a human tester who can deeply analyze the application, understand its context, and identify complex vulnerabilities that automated tools might miss.
• Custom Scenarios: Testers can create custom scenarios that mimic real-world attack techniques specific to the application.
• Contextual Understanding: Testers can interpret findings in the context of the application's unique architecture and business logic.
• Creative Testing: Human testers can employ creative thinking and adaptive approaches to uncover vulnerabilities that automated tools cannot predict.
• Zero-day Vulnerabilities: Manual testers have a better chance of discovering unknown vulnerabilities, including zero-day exploits.
• Verification: Manual testers can verify the severity of vulnerabilities and eliminate false positives before reporting them.
Limitations of Manual VAPT:
• Time-Consuming: Manual testing is more time-consuming, making it less efficient for large-scale applications.
• Human Error: Manual testing can introduce human error, both in the testing process and in analyzing results.
• Subjectivity: Findings might vary between different testers due to individual skills, knowledge, and experiences.
Difference between Web VAPT & Web Scanning
Web VAPT (Vulnerability Assessment and Penetration Testing) are two important processes which involve scanning of the network, detecting its risks or vulnerabilities and thereby mitigating the same through various systematic procedures. Vulnerability assessment analyses the security weaknesses in overall network and suggests the level up to which a network can be attacked by a malicious intruder. Accordingly, a detailed report is generated and mitigation strategies are planned. Web VAPT (Web Application Penetration Testing) is an essential step in security because it generates trust of the customer in an organization and certifies it as a secure service provider.
It is important to know that web application scanning is very different from web application pentesting. Although web scanning is one of the steps in the web VAPT process, it is imperative to understand that web vapt includes the pentesting part which is way deeper and technical, than the mere scanning part.
Web vulnerability scanner is an automated tool that scans web applications to find out vulnerabilities such as poorly configured server designs, injection attacks and more. There are 2 types of scanners available.
Dynamic Application Security Testing (DAST): It is a type of security testing that involves testing an application from the outside while it is running with little to no knowledge of that application.
Static Application Security Testing (SAST): It is a type of security testing that involves testing an application from within meaning testing the code itself to find out flaws such as usage of wrong functions, buffer overflow, error handling and more.
To read more about these attacks Web Application Security Testing Services
Web Security Testing OWASP Top 10
OWASP A1- Broken Authentication
Applications usually make use of name or key of an object to process web pages. Applications don’t always verify the user is authorized for the target object. This results in an insecure direct object reference flaw. Testers can easily manipulate parameter values to detect such flaws. Code review helps in analyzing if the authorization is properly implemented.
To achieve this, consider:
• Whether the application is verifying the user is authorized to access the resource that has been requested?
• If the reference is an indirect reference, does the mapping to the direct reference fail to limit the values to those authorized for the current user?
• Code review of the application can quickly verify whether either approach is implemented safely. Testing is also effective for identifying direct object references and checking if they are implemented securely. Automated tools typically do not look for such flaws because they cannot recognize what requires protection or what is safe or unsafe.
OWASP A2 – Cryptographic Failures
The most common flaw is simply not encrypting sensitive data. When crypto is implemented, weak key generation and management, weak algorithm usage, weak password hashing techniques are most commonly found vulnerabilities. Client-side vulnerabilities are very common and easy to detect, but hard to exploit on a large scale. It’s important to determine which data is sensitive enough that requires extra protection. For example, passwords, credit card numbers, health records, and personal information should be protected. For all such data:
• Ensure to not store data in clear text for long term, including backups of such data.
• Ensure data is not transmitted in clear text, internally or externally.
• Ensure old / weak cryptographic algorithms are not being used.
• Ensure weak crypto keys are not generated, and proper key management and rotation is set.
• Ensure browser security and headers are configured.
OWASP A3 - Injection
Injection vulnerabilities are found when an application sends untrusted data to server or database. They are mostly prevalent, particularly in legacy code. They are found in SQL, LDAP, Xpath, NoSQL queries, OS commands, XML parsers, SMTP Headers, etc. Scanning tools and fuzzers help attackers find injection vulnerabilities. Which is exploited my hackers that results into data loss or corruption, lack of accountability, or denial of access. Sometimes these injection attacks can also lead to complete host takeover.
One of the ways by which you can verify if your application is vulnerable to injection attacks or not is by sanitizing untrusted data from the command or query. For SQL calls, sanitization can be done by using bind variables in all prepared statements and stored procedures, thus avoiding dynamic queries.
Refer to Web VAPT Security Case Studies
OWASP A4 - Insecure Design
Insecure design is a category which represent weakness or ineffective control design. There is a difference between Insecure design and Insecure implementation. Which means a secure design can still have implementation defects which leads to different vulnerabilities. Secure design is constantly evaluating threats and code is design robustly to prevent from known attacks.
Below are the preventions to secure application from this attack –
• Limit resource usage by user or service
• Implement secure development lifecycle
• Use threat modeling for during testing
OWASP A5 – Security Misconfiguration
Security misconfiguration can take place at any level of an application stack, including the platform, web server, application server, database, framework, and custom code. Developers and system administrators need to work together to ensure that the entire stack is configured securely. Following things should be taken into account…
• Is your application missing the proper security hardening across any part of the application stack?
• Is any of your software out of date? This includes the OS, Web/App Server, DBMS, applications, and all code libraries
• Are any unnecessary features enabled or installed (e.g., ports, services, pages, accounts, privileges)?
• Are default accounts and their passwords still enabled and unchanged?
• Does your error handling reveal stack traces or other overly informative error messages to users?
• Are the security settings in your development frameworks (e.g., Struts, Spring, ASP.NET) and libraries not set to secure values?
OWASP A6 – Vulnerable & Outdated Components
Virtually every application has these issues because most development teams don't focus on ensuring their components/libraries are up to date. In most of the cases, developers are not aware of all the components they are using, let alone versions. Component dependencies make things even worse. The full exploitation of vulnerabilities such as injection, broken access control, XSS, etc. are possible. The impact of this can very from minimal to complete host takeover and data breach. You need to consider what each vulnerability might mean if the application is controlled by an affected application.
OWASP A7 – Identification & Authentication Failure
Developers these days frequently develop custom authentication and session management, but are not aware of the security implementation of the same. As a result, these custom schemes frequently result into vulnerabilities in areas such as login, password management, timeouts, remember me, secret question, account update, etc.
You may be vulnerable if,
• User authentication credentials aren’t protected when stored using hashing or encryption.
• Credentials can be guessed or overwritten through weak account management functions (e.g., account creation, change password, recover password, weak session IDs).
• Session IDs are exposed in the URL (e.g., URL rewriting).
• Session IDs are vulnerable to session fixation attacks.
• Session IDs don’t timeout, or user sessions or authentication tokens, particularly single sign-on (SSO) tokens, aren’t properly invalidated during logout.
• Session IDs aren’t rotated after successful login.
• Passwords, session IDs, and other credentials are sent over unencrypted connections.
OWASP A8 – Software & Integrity Failures
Applications do not always protect application functions properly. Sometimes, functional level security is managed effectively via configurations, but the server or system is misconfigured. Detecting such flaws is easy. Such vulnerabilities let hackers gain unauthorized access of functionalities. Administrative accounts are hackers main targets for this type of attack, considering the business value exposed in those accounts and the data they process. Mainly you need to consider the impact to your reputation if this vulnerability became public.
Few ways by which you can find out if your application has failed to properly restrict functional level access is by verifying the following:
• Does the UI show navigation to unauthorized functions?
• Are server-side authentication or authorization checks missing?
• Are server-side checks done that solely rely on information provided by the attacker?
OWASP A9 - Security Logging & Monitoring Failures
Under this Security Logging & Monitoring it helps to detect, escalate and respond to active breaches. Breaches and incidents cannot be detected if logging and monitoring are not implemented. Any incident can take place anytime. Following auditing and monitoring if not in place implement them immediately-
• Auditable events, such as logins, failed logins, and high-value transactions, are not logged.
• Warnings and errors generate no, inadequate, or unclear log messages.
• Logs of applications and APIs are not monitored for suspicious activity.
• Logs are only stored locally.
• The application is vulnerable to information leakage by these logging and alerting events visible to attacker.
• To prevent application from such attacks developer should implement controls depending upon the application risk.
• Ensure log data is encoded correctly to prevent injections, malicious activity or attack on the logging and monitoring system.
• Ensure high-value transactions have an audit trail with integrity controls to prevent modification or deletion, such as append-only database tables, etc.
• Establish an incident response and recovery plan.
Refer to a knowledge article on Web App Security Testing Benefits
OWASP A10 – SSRF
SSRF i.e., Server-side request forgery. In this attack, it allows attacker to send unwanted/malicious requests to another system through a vulnerable server. Web applications most triggers the requests between the HTTP servers. Which are used to fetch remote resources software update, fetch the metadata from remote URL, etc. If the application is not handled properly for SSRF then it may lead to major risks such as -
• Sensitive Information Disclosure
• Enable unauthorized access to internal systems
• Open the way to more dangerous attacks
• SSRF may enable an attacker to perform arbitrary command execution
This attack enables an attacker to read server configuration such as AWS metadata, connect to internal services like HTTP-enabled databases or perform POST requests towards internal services that are not intended to be exposed, by carefully selecting the URLs. Also, they can bypass IP whitelisting and host-based authentication services, perform port scans on the internal network that the server is connected to, view status pages and interact with APIs as the web server, and retrieve sensitive information such as the IP address of a web server running behind a reverse proxy.
