Application penetration testing is when we break applications to make them stronger.
Application penetration testing is a process designed to identify application-level vulnerabilities. It is performed both as an unauthenticated user and as authenticated users. Typically, the testing team will require access to accounts with each level of privilege supported by the application.
The process starts with reconnaissance about the application, pages, types of requests, data, and users. The test goes one step deeper with tools that “fuzz” forms within the application. This practice sends requests that probe for XSS, SQL Injection, CSRF, and other types of vulnerabilities. Subsequent steps involve capturing requests and replaying them with manually altered data to check for things like Broken Access Control, SQL Injection, XSS, session management weaknesses and other items that can’t be confirmed in an automated scan.
An application penetration test includes tool-based spidering, scanning and fuzzing. We use the commercial tool Burp together with open source tools such as ZAP, sqlmap, and others to generate and mutate potentially malicious traffic. It also includes extensive manual analysis, which is characterized by capturing and replaying requests and attempting intrusion using an attack proxy such as Burp. By interacting with the application in ways similar to real users, we attempt to identify deficiencies that map to the OWASP Top 10, the SANS Top 25 and a custom checklist developed over our 10+ years in the industry.
How The Process Works
The general process when conducting penetration tests is as follows:
- Client provides specific scope, including target URLs and credentials.
- Jemurai performs testing over the agreed period. In the event that there is a serious finding or we have questions, we will reach out to the escalation point via email or phone to discuss.
- Jemurai prepares and delivers the report, including the formal report and the evidence.
- Jemurai conducts a “Read Out” call with the Client team to ensure that the findings and remediation steps are clear. In some cases, this can result in a discussion that could clarify the severity of a reported finding. In that case, Jemurai will update the report to reflect that.
- Client may choose to remediate findings and have Jemurai retest to ensure that the fixes work. Jemurai agrees to retest up to 10 specific findings during one retest window in the 90 days subsequent to the initial test at no additional fee. Note that the retest itself is not a comprehensive penetration test but a point-by-point retest of the items that are remediated.
- Subsequent to any retesting, Jemurai will update the report to reflect remediations.
The core deliverable is a PDF report containing findings from the penetration test, including details about the issues identified and remediation recommendations.
Jemurai will also perform a “readout” call to explain any findings or answer questions, and will provide weekly status updates during testing if applicable.