As we highlighted last year, attacks on e-commerce platforms have been increasing rapidly since the introduction of EMV chip cards, and according to Verizon's 2019 Data Breach Investigations Report, web-application-based payment card fraud is set to overtake traditional card-present fraud in the not-so-distant future. You may remember that the highly publicized Equifax breach could have been prevented by patching a single web application vulnerability; the patch had been available for roughly two months before the compromise began.
If your organization uses web applications to store, process, or transmit sensitive data, those systems are a target for attackers. Even if you use a third-party vendor to handle payment card information, your organization's own websites remain exposed to a host of vulnerabilities and attacks that can lead to data compromise. One of the best ways to identify potential issues, and to get a real-world view of the risk and potential impact to your organization, is web application penetration testing.
A web application penetration test is a simulated attack on web-based software applications. This testing can identify weaknesses within the environment or be used to demonstrate the resilience of an application to attack.
Web application penetration testing typically starts with an automated web application vulnerability scan; however, automated testing simply cannot find every flaw, and business-logic and authorization flaws in particular tend to escape scanners. In a comprehensive web application pen test, offensive security experts apply human judgment and knowledge, together with research into recently disclosed vulnerabilities, to try to gain access to deeper layers of the application using the same tactics a real attacker would employ. Manual work may include creating accounts, code analysis, additional intelligence gathering (both from the application itself and from other publicly available information), and password attacks built from elements unique to the organization being tested.
Penetration testers use methods that identify weaknesses such as:
- Cross-site scripting (XSS)
- SQL injection
- Broken authentication and session management
- Improper error handling
- File upload flaws
- Attacks on caching servers
- Security misconfigurations
- Insecure implementation or use of third-party components
- Cross-site request forgery (CSRF)
A web application penetration test will answer questions such as:
- Can an attacker gain access to the web server or email server?
- Can one user gain access to another user's information?
- Can a lower-privileged user obtain elevated permissions or administrative rights?
- Can an attacker tamper with request parameters to change how the application behaves?
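The following is an added example, not code from the original article, showing in working code what two of the items above look like when a tester finds them: a SQL injection in a user lookup and a missing object-level authorization check that lets one user read another user's profile. Each vulnerable function sits beside its hardened form. The users table, its rows, the ids and the session model are all constructed here purely for illustration.

```python
"""Added example (not from the original article): a tiny in-memory user
store that shows a SQL injection and a missing authorization check beside
their fixes. A tester probing for SQL injection feeds a crafted username
into the lookup; a tester probing whether one user can read another user's
data asks for a profile id that is not their own. All tables, rows and ids
below are constructed sample data (hypothetical)."""
import sqlite3


def make_db():
    """Build a constructed sample users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "email TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [
            (1, "alice", "alice@example.com", "user"),
            (2, "bob", "bob@example.com", "user"),
            (3, "admin", "admin@example.com", "admin"),
        ],
    )
    return conn


# --- SQL injection: string-built query vs. parameterized query ----------

def find_user_vulnerable(conn, username):
    """Interpolates attacker-controlled input straight into the SQL text.
    A username of  x' OR '1'='1  turns the WHERE clause into
    username = 'x' OR '1'='1'  and returns every row in the table."""
    sql = "SELECT id, username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Bound parameter: the same payload is compared as a literal string
    and matches nothing."""
    sql = "SELECT id, username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# --- Access control: missing vs. enforced object-level authorization ----

def get_profile_vulnerable(conn, session_user_id, target_id):
    """Returns whatever id the client asked for. The session identity is
    never consulted, so any logged-in user can read any other profile."""
    sql = "SELECT id, username, email FROM users WHERE id = ?"
    return conn.execute(sql, (target_id,)).fetchone()


def get_profile_safe(conn, session_user_id, target_id):
    """Checks the server-side session identity and role before answering.
    Returns None when the caller is not allowed to see the target."""
    row = conn.execute(
        "SELECT role FROM users WHERE id = ?", (session_user_id,)
    ).fetchone()
    if row is None:
        return None  # unknown session: deny
    is_admin = row[0] == "admin"
    if target_id != session_user_id and not is_admin:
        return None  # cross-user read by a non-admin: deny
    sql = "SELECT id, username, email FROM users WHERE id = ?"
    return conn.execute(sql, (target_id,)).fetchone()


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable lookup rows:", len(find_user_vulnerable(db, payload)))  # 3
    print("safe lookup rows:", len(find_user_safe(db, payload)))              # 0
    print("user 1 reading user 2 (vulnerable):", get_profile_vulnerable(db, 1, 2))
    print("user 1 reading user 2 (safe):", get_profile_safe(db, 1, 2))        # None
    print("admin reading user 2 (safe):", get_profile_safe(db, 3, 2))
```

Note that the sqlite3 module refuses to execute more than one statement per call, so a stacked-query payload would fail here; the boolean payload still succeeds because it changes the logic of the single statement, which is exactly the kind of flaw an automated scanner may flag but a manual tester will confirm and chain with the authorization weakness.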
Following a test, the report should document the methodology used, details of each identified vulnerability, how and where each issue was found, and its severity. Suggested remediation steps should also be included. After your organization has corrected the identified vulnerabilities, it is important to have a re-test performed to confirm that the fixes are effective and that no new issues were introduced.
As you evaluate your need for a web application penetration test, or research potential vendors to perform one, make sure you are hiring credentialed penetration testers. Common certifications for web app pen testing include OSWE (Offensive Security Web Expert), GWAPT (GIAC Web Application Penetration Tester), CWAPT (Certified Web App Penetration Tester), and OSCP (Offensive Security Certified Professional). Be wary of vendors that sell penetration testing services but only run automated scanning tools. Verifying that an expert, credentialed team will manually test your systems, in the same way an attacker would try to infiltrate your environment, is critical to getting value from the test.
If your organization has a public-facing web application, Requirement 6.6 of PCI DSS v3.2.1 requires that new threats and vulnerabilities be addressed on an ongoing basis, either by reviewing the application (manually or with automated assessment tools) at least annually and after any changes, or by installing an automated technical solution that detects and prevents web-based attacks, such as a web application firewall, in front of it. If you have questions about your web applications and their potential risk of compromise, please reach out to us.
Additional guidance from our Offensive Security Team below:
[Roell]: The web application ecosystem is becoming more advanced and complex every day as new applications and technologies are introduced. While organizations can leverage and integrate with third-party applications to achieve business goals, they must be aware of the risks that may be present in doing so. Organizations must perform appropriate security testing of their web applications and verify that third-party application vendors are doing the same. Flaws in vendor software can expose your data and operations to unnecessary risk if proper security testing is not verified.