Penetration testing is the process of evaluating the information security of systems using the methods, tools and resources that hackers with malicious intent would otherwise use. It involves analysing any potential vulnerability that may result from technical flaws or operational weaknesses. The results of the analysis are presented to the relevant stakeholders as security issues, with an assessment of their business impact and a proposal for mitigation or a technical solution.
Why is Penetration testing important?
Prevent intrusion into information systems through fraudulent practices.
Substantiate due diligence and standards compliance to relevant stakeholders.
Identify potential security threats and quantify the impact by proposing a mitigation plan proactively.
Preserve customer confidence and business reputation.
Penetration Testing in Web Applications:
Penetration testing in web applications involves testing a running application remotely, without knowing the inner workings of the application itself, in order to find possible vulnerabilities. To avoid an inefficient approach, conduct a series of methodical and repeatable tests and work through all of the different application vulnerabilities.
Penetration testing helps identify vulnerabilities in web applications, including technical threats such as URL manipulation, SQL injection, cross-site scripting, back-end authentication, passwords in memory, session hijacking, buffer overflow, web server configuration, credential management and clickjacking. It also helps counter threats that arise from business logic errors, such as unauthorized credentials, unauthorized funds transfer and breach of customer trust.
Tools used for Penetration Testing in Web Applications:
Tools should be used to perform a basic security analysis of the system, which relieves part of the reviewer's workload and in turn drives down cost. They also report the test results as security issues, which are then used to build the mitigation plan.
Some of the tools available in the market are as follows:
Nikto – An open-source web server scanner that performs comprehensive tests against web servers to detect potentially dangerous files.
Paros proxy – An open-source Java-based web proxy for assessing web application vulnerability. It supports viewing and editing HTTP/HTTPS messages on the fly to change cookies and form fields. It also addresses some of the common vulnerabilities such as SQL injection and cross-site scripting.
Spike proxy – An open-source HTTP proxy for finding security flaws in web sites. It is part of the Spike application test suite and supports automated SQL injection detection, web site crawling, login form brute forcing, overflow detection and directory traversal detection.
Metasploit framework – An advanced open-source exploitation tool for developing, testing and using exploit code. Testers can write their own exploit code using the framework model and perform a variety of internet vulnerability tests.
CoreImpact PRO and Canvas – Commercially available, powerful exploitation tools that contain a large and regularly updated database of professional exploits.
A few steps to ensure a penetration test is a success:
Gather as much information as possible about the application and the infrastructure it resides on. Perform an infrastructure-level penetration test to see how the infrastructure is deployed and secured. If the application server can be exploited, it can give you more leverage in exploiting the Web application.
When testing the application, look for any entry points where user input is accepted and dynamic content is generated. Then, probe these areas for weaknesses in input validation, session manipulation, authentication and information leakage. If any internal information is leaked, it should be recorded and used to re-assess your overall understanding of the application and how it works.
To better plan a penetration test, use the checklist of Web application vulnerabilities in the Open Source Security Testing Methodology Manual (OSSTMM) from the Open Web Application Security Project (OWASP).
Because penetration testing depends a lot on the skill of the tester, it is recommended that the staff acquires certification, such as CPTS (Certified Penetration Testing Specialist).
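An added example, not part of the original article: a Python sketch of the entry-point inventory described in the second step, listing the forms, fields and URL parameters of a page so each can be reviewed for input validation. The names EntryPointInventory and inventory and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Constructed sample page for illustration (not from any real application).
SAMPLE_HTML = """
<a href="/account?id=1001&amp;view=summary">My account</a>
<form action="/login" method="get">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="hidden" name="role" value="customer">
</form>
<form action="/feedback" method="post">
  <textarea name="comment"></textarea>
</form>
"""

class EntryPointInventory(HTMLParser):
    """Collects forms, their fields, and links that carry query parameters."""
    def __init__(self):
        super().__init__()
        self.forms, self.links, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "",
                          "method": (a.get("method") or "get").lower(), "fields": []}
            self.forms.append(self._form)
        elif tag in ("input", "textarea", "select") and self._form is not None:
            # Field type falls back to the tag name when no type attribute is set.
            self._form["fields"].append((a.get("name") or "", a.get("type") or tag))
        elif tag == "a":
            parts = urlsplit(a.get("href") or "")
            params = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
            if params:  # URL parameters are user-controlled input too
                self.links.append((parts.path, params))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def inventory(html):
    p = EntryPointInventory()
    p.feed(html)
    notes = []
    for f in p.forms:
        types = {t for _, t in f["fields"]}
        if "password" in types and f["method"] == "get":
            notes.append(f"{f['action']}: password field submitted via GET")
        if "hidden" in types:
            notes.append(f"{f['action']}: hidden field must be validated server-side")
    return p.forms, p.links, notes
```

Calling inventory(SAMPLE_HTML) returns the two forms, the one parameterised link, and two review notes for the /login form.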
If you need more information, mail me at firstname.lastname@example.org
It's one type of security testing where we identify any vulnerabilities that are related to these threats. Insert SQL queries, exe, JavaScript in the application and test the behavior of the application.