What is Penetration Testing?
A penetration test, also known as a pen test, is a simulated cyber attack against your computer system, carried out to identify exploitable vulnerabilities. In web application security, penetration testing is commonly used to augment a Web Application Firewall (WAF).
Pen testing involves attempting to breach any number of application systems (e.g. frontend and backend servers, APIs, network infrastructure) in order to expose vulnerabilities, such as susceptibility to code injection attacks.
The insight gained from a penetration test can be used to fine-tune your WAF security policies and to patch the vulnerabilities that were found.
Stages of Penetration Testing
You can break down the pen testing process into five stages.
1. Planning and reconnaissance
The first stage involves:
- Determining the scope and objectives of a test, including the systems that will be addressed and the testing methods.
- Gathering intelligence (e.g. network and domain names, mail servers) to better understand how the target works and where it might be vulnerable.
2. Scanning
Next, you need to understand how the target application will respond to different intrusion attempts. This is typically done using:
- Static Analysis – Inspecting an application’s code to estimate how it will behave while running. Static analysis tools can scan the entirety of the code in a single pass.
- Dynamic Analysis – Inspecting an application’s code while it is running. This is the more practical approach, as it provides a real-time view of how the application actually behaves.
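As an added example (not code from the original article), here are the two scanning approaches applied to a small constructed Python snippet: a static pass reads the source and flags SQL built by string concatenation, while a dynamic pass actually runs each helper with a canary value and checks whether the canary lands inside the SQL text instead of the bound parameters. The helper names, the sample source and the canary value are constructed for this illustration.

```python
import ast
import sqlite3

# Constructed sample source (not from the article): two helpers build SQL from input, one binds it.
SAMPLE_SOURCE = '''
def by_concat(cur, name):
    return cur.execute("SELECT id FROM users WHERE name = '" + name + "'").fetchall()
def by_format(cur, name):
    return cur.execute("SELECT id FROM users WHERE name = '{}'".format(name)).fetchall()
def by_param(cur, name):
    return cur.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()
'''

def static_scan(source):
    """Static analysis: inspect the code without running it. Flags execute() calls
    whose SQL argument is built with +, % or an f-string; str.format() slips past."""
    flagged = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute" and node.args
                and isinstance(node.args[0], (ast.BinOp, ast.JoinedStr))):
            flagged.append(node.lineno)
    return flagged

class RecordingCursor:
    """Delegates to a real cursor but records the SQL text of every query."""
    def __init__(self, cur):
        self.cur, self.executed = cur, []
    def execute(self, sql, params=()):
        self.executed.append(sql)
        return self.cur.execute(sql, params)

def dynamic_scan(source):
    """Dynamic analysis: run each helper with a canary input. A canary that lands
    inside the SQL text instead of the bound parameters marks the helper injectable."""
    ns = {}
    exec(source, ns)  # load the constructed sample helpers
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    canary = "canary_9f1c"
    unsafe = []
    for name, fn in ns.items():
        if not name.startswith("__"):
            cur = RecordingCursor(conn.cursor())
            fn(cur, canary)
            if any(canary in sql for sql in cur.executed):
                unsafe.append(name)
    return sorted(unsafe)
```

The static pass catches only the concatenation (source line 3), while the dynamic pass catches both string-built helpers and clears the parameterized one, which is the trade-off the two approaches illustrate.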
3. Gaining Access
This stage uses web application attacks such as cross-site scripting, SQL injection and backdoors to uncover a target’s vulnerabilities. Testers then exploit these vulnerabilities, typically by escalating privileges, stealing data or intercepting traffic.
4. Maintaining access
The goal of this stage is to determine whether the vulnerability can be used to maintain a persistent presence in the exploited system, long enough for a bad actor to gain full access. The idea is to imitate advanced persistent threats, which often remain in a system for several months in order to steal sensitive information.
5. Analysis
Finally, the results of the penetration test are compiled into a report detailing:
- The specific vulnerabilities that were exploited
- Any sensitive data that was accessed
- The amount of time the pen tester was able to remain in the system undetected
Security personnel use this information to configure the enterprise’s WAF settings and to protect against future attacks.
Methods for Penetration Testing
External penetration tests target the assets of a company that are visible on the internet: the web application itself, the company website, email servers and domain name servers (DNS). The objective is to gain access and extract valuable data.
In an internal test, a tester with access to the application behind its firewall simulates an attack by a malicious insider. This does not necessarily mean simulating a rogue employee; a common starting scenario is an employee whose credentials have been stolen through a phishing attack.
In a blind test, the pen tester is given only the name and address of the target enterprise. This gives security personnel a real-time look at how an actual attack would unfold.
In a double-blind test, security personnel have no prior knowledge of the simulated attack. As in the real world, they have no time to shore up their defenses before the attempted breach.
In a collaborative scenario, the tester and security personnel work together and keep each other informed of their movements. This is a valuable training exercise that gives the security team real-time feedback from a hacker’s point of view.
Web Application Firewalls and Penetration Testing
Penetration testing and WAFs are distinct but complementary security measures.
For many kinds of pen testing (with the exception of blind and double-blind tests), the tester is likely to use WAF data, such as logs, to locate and exploit an application’s weak spots.
Conversely, WAF administrators benefit from pen-testing data: once a test is complete, WAF configurations can be updated to secure against the weak spots discovered during the test.
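To show how the report items from the analysis stage (vulnerabilities exploited, data accessed, time undetected) feed back into WAF configuration, here is an added example that is not from the original article: it correlates a constructed pen-test findings list with constructed WAF log lines to find exploited endpoints the WAF never blocked, and how long tester traffic reached each endpoint before a rule fired. The log format, IP addresses, paths and rule names are all assumptions made for this illustration.

```python
from datetime import datetime

# Constructed WAF log lines (not from the article) for one engagement.
# Format: <timestamp> <client ip> <path> action=<allow|block> rule=<name|->
WAF_LOG = """\
2024-03-01T10:00:05Z 203.0.113.5 /login action=allow rule=-
2024-03-01T10:00:09Z 203.0.113.5 /search action=block rule=xss-generic
2024-03-01T10:14:32Z 203.0.113.5 /api/users action=allow rule=-
2024-03-01T11:02:10Z 203.0.113.5 /export action=allow rule=-
2024-03-01T11:45:00Z 203.0.113.5 /api/users action=block rule=sqli-generic
2024-03-01T11:50:00Z 198.51.100.7 /login action=allow rule=-
"""

# Constructed excerpt of the pen-test report: what was exploited, and where.
FINDINGS = [
    {"vuln": "SQL injection", "endpoint": "/api/users"},
    {"vuln": "Cross-site scripting", "endpoint": "/search"},
    {"vuln": "Unauthenticated data export", "endpoint": "/export"},
]

def parse_log(text):
    """Parse the constructed log format into dicts with a real timestamp."""
    events = []
    for line in text.splitlines():
        ts, ip, path, action, rule = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "ip": ip, "path": path,
                       "blocked": action == "action=block",
                       "rule": rule.split("=", 1)[1]})
    return events

def waf_gap_report(log_text, findings, tester_ip):
    """For each exploited endpoint, report which WAF rule (if any) eventually
    blocked the tester and how many seconds of tester traffic the endpoint
    saw before that block. 'never blocked' marks a configuration gap."""
    tester = [e for e in parse_log(log_text) if e["ip"] == tester_ip]
    report = {}
    for f in findings:
        hits = sorted((e for e in tester if e["path"] == f["endpoint"]),
                      key=lambda e: e["ts"])
        blocked = [e for e in hits if e["blocked"]]
        if not hits:
            report[f["vuln"]] = ("no traffic seen", None)
        elif not blocked:
            report[f["vuln"]] = ("never blocked", None)
        else:
            delay = (blocked[0]["ts"] - hits[0]["ts"]).total_seconds()
            report[f["vuln"]] = (blocked[0]["rule"], delay)
    return report
```

In the constructed data the export endpoint is the configuration gap to fix, and the SQL injection endpoint shows roughly an hour and a half of tester traffic before the generic rule fired.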
Pen testing also satisfies some of the compliance requirements for security auditing procedures, such as PCI-DSS and SOC 2. Certain standards, such as PCI-DSS 6, can only be satisfied by using a certified WAF. That does not make pen testing any less useful, given the benefits above and its ability to improve WAF configurations.
What is a Penetration Testing Methodology?
A penetration testing methodology defines how a test is organized and conducted. There are many approaches to identifying security weaknesses within an organization, and each methodology describes the steps a company might take to find these vulnerabilities. Companies can create their own processes, but there are also many industry-recognized methodologies available. Some organizations use these as an “out-of-the-box” solution, while others use them as a foundation to build upon.