
Today we will talk about the methodology for penetration testing of web applications. One of the methods for auditing a website is BlackBox penetration testing (BlackBox, "black box"), in which the specialist has only publicly available information about the object of the study.
This method uses the model of an external attacker motivated to hack a particular web site for commercial gain or out of hooliganism. Usually nothing is known in advance about the system under investigation except the company name and the website address. In the context of this article, both the behaviour of the attacker and that of the pentester will be considered; the legitimacy of the latter is confirmed by the audit client. Audit confirmation can be arranged in different ways: by an information letter indicating the object of the audit (and its exceptions), or with the help of special markers placed directly on the site being attacked.
For a complete picture of the attack on the site and of the actions of the IT / IS departments, it is highly recommended not to inform the latter. In this way the customer can check the readiness of their employees to respond to information security incidents.
The main objectives of penetration testing:
- analysis and verification of the security of the web server architecture;
- identifying, evaluating and attempting to exploit (as agreed with the customer) all possible vulnerabilities in the Web application;
- description of attack vectors and risk assessment;
- providing recommendations on how to improve information security of a web application.
The main tasks of the attacker:
- access to critical data;
- disabling the site;
- monetization / profit.
Despite the divergence of goals, most of the working methods of the attacker and the pentester coincide. When attacking, the attacker usually does not attach much importance to moral and ethical standards, so such an attack can lead to irreversible destructive consequences. During an audit, the legitimate pentesters agree in advance on the availability of backups, and the risk of destructive consequences is reduced to a minimum (especially if the customer has the ability to deploy a test stand).
Attackers usually follow the path from simple to complex: they reveal obvious vulnerabilities with the help of popular utilities and scanners and try to exploit what they find. In parallel, they can conduct phishing attacks with the distribution of malicious files or links. The main goal is to obtain the necessary data with minimal effort.
Pentesters work through all possible vulnerabilities and attack vectors, including social engineering methods (if agreed with the customer), but without malicious attachments. Additionally, the business processes and the business logic of the application can be explored for manipulation.
The main methods of audit are similar to the actions of an attacker and include:
- Reconnaissance and collection of information about the system being attacked: special search queries (Google dorks), discovery of employees' email addresses, company profiles on job sites (from vacancies you can determine the technologies used), searching for information in search engine caches, port scanning;
- Identification of site protection tools: IDS / IPS / AntiDDoS / WAF systems;
- Scanning the web application with popular utilities and scanners; there is a fairly wide choice of both paid and free programs, for example the w3af web scanner;
- Scanning web site directories in search of sensitive information (files, database backups, etc.), for example with the dirbuster utility;
- Manual vulnerability analysis: requests are intercepted with a proxy and analysed for potential vulnerabilities; one of the popular utilities is Burp Suite.
These methods include the following steps:
- Passive information gathering;
- Definition of web environment and platform;
- Determining the type of CMS;
- Port scan / banner collection;
- Automatic scans;
- Data analysis;
- Identification of the resource's "bottlenecks" (weak points);
- Manual analysis;
- Collection and analysis of the information received;
- Analysis of attack vectors;
- Confirmation of received vectors;
- Compilation of a report.
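The "web environment and platform" and "CMS type" steps above are largely answered by what the server itself announces in its response headers. The following script is an added example (not code from the original article) that a site owner can run against their own server's headers to see what an external party learns from them; the header-to-technology mapping and the list of expected security headers are illustrative assumptions, not a complete fingerprint database.

```python
"""Added example: report what HTTP response headers disclose about the platform
and CMS, and which common security headers are absent."""

import re
import urllib.request
from typing import Dict, List

# Headers that commonly reveal the platform or CMS (assumption: illustrative list).
DISCLOSURE_HEADERS = {
    "server": "web server software",
    "x-powered-by": "application platform",
    "x-generator": "CMS",
    "x-aspnet-version": "ASP.NET version",
    "x-drupal-cache": "Drupal CMS",
}

# Security headers a hardened deployment is expected to set (assumption: illustrative list).
EXPECTED_HEADERS = [
    "strict-transport-security",
    "x-content-type-options",
    "content-security-policy",
]

# A dotted version number such as 2.4.41 or 7.4 inside a header value.
VERSION_RE = re.compile(r"\d+\.\d+(\.\d+)?")


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return one human-readable finding per disclosure or missing security header."""
    findings: List[str] = []
    lowered = {k.lower(): v for k, v in headers.items()}
    for name, what in DISCLOSURE_HEADERS.items():
        if name in lowered:
            value = lowered[name]
            # A product name alone is a hint; a version number narrows the search a lot more.
            severity = "version disclosed" if VERSION_RE.search(value) else "product disclosed"
            findings.append(f"{name}: {value!r} reveals {what} ({severity})")
    for name in EXPECTED_HEADERS:
        if name not in lowered:
            findings.append(f"missing security header: {name}")
    return findings


def fetch_headers(url: str) -> Dict[str, str]:
    """Fetch the response headers of a site you operate (standard library only)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())


# Constructed sample headers, loosely modelled on a default Apache/PHP stack.
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Content-Type": "text/html; charset=UTF-8",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    # Replace SAMPLE_HEADERS with fetch_headers("https://your-own-site.example/") to audit a live server.
    for finding in audit_headers(SAMPLE_HEADERS):
        print(finding)
```

On the constructed sample the script reports the Apache and PHP versions as disclosed and flags the absent `Strict-Transport-Security` and `Content-Security-Policy` headers; removing version strings from `Server` and `X-Powered-By` is the usual first hardening step.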
The obtained vectors are analysed and verified, and the time to detection is recorded, because it shows whether the customer's personnel are able to detect abnormal activity (by analysing, for example, the access log) and implement measures to quickly eliminate the vulnerability or stop the attack. Discovered authorization forms or services are subjected to so-called brute-force attacks (password guessing).
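The detection time mentioned above is only measurable if the customer's side actually has logic that notices the activity. The script below is an added example (not code from the original article) of such logic run over the web server access log: it flags a burst of 404 responses from one client, the signature of directory scanning, and a burst of POSTs to a login path, the signature of password brute-forcing, and reports how long each client was active before the alert fired. The log lines are constructed samples in the Apache/nginx combined format, and the thresholds, window and login paths are illustrative assumptions to be tuned to the site's normal traffic.

```python
"""Added example: detect directory scanning and login brute-forcing in an
access log and measure the time from first suspicious request to alert."""

import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Illustrative thresholds (assumptions): tune to the site's normal traffic.
WINDOW = timedelta(minutes=1)
NOT_FOUND_BURST = 20   # 404s from one IP inside WINDOW -> directory scanning
LOGIN_POST_BURST = 10  # POSTs to a login path inside WINDOW -> password guessing
LOGIN_PATHS = ("/login", "/wp-login.php", "/admin")  # assumption: site-specific


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["status"] = int(rec["status"])
    return rec


def _burst(times: List[datetime], threshold: int) -> Optional[datetime]:
    """Return the time at which a sliding WINDOW first contains `threshold` events."""
    times.sort()
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > WINDOW:
            start += 1
        if end - start + 1 >= threshold:
            return t
    return None


def detect(lines: List[str]) -> List[Tuple[str, str, datetime, datetime]]:
    """Return (kind, ip, first_seen, alert_at) for every client that trips a threshold."""
    not_found: Dict[str, List[datetime]] = defaultdict(list)
    login_posts: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == 404:
            not_found[rec["ip"]].append(rec["ts"])
        if rec["method"] == "POST" and rec["path"].startswith(LOGIN_PATHS):
            login_posts[rec["ip"]].append(rec["ts"])
    alerts = []
    for kind, buckets, threshold in (
        ("directory-scan", not_found, NOT_FOUND_BURST),
        ("login-bruteforce", login_posts, LOGIN_POST_BURST),
    ):
        for ip, times in buckets.items():
            alert_at = _burst(times, threshold)
            if alert_at is not None:
                alerts.append((kind, ip, min(times), alert_at))
    return alerts


def _log_line(ip: str, ts: datetime, method: str, path: str, status: int, ua: str = "Mozilla/5.0") -> str:
    return f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S} +0000] "{method} {path} HTTP/1.1" {status} 123 "-" "{ua}"'


def build_sample_log() -> List[str]:
    """Constructed sample: one normal visitor, one directory scanner, one login brute-forcer."""
    base = datetime(2024, 1, 15, 10, 0, 0, tzinfo=timezone.utc)
    lines = [
        _log_line("192.0.2.10", base, "GET", "/", 200),
        _log_line("192.0.2.10", base + timedelta(seconds=5), "GET", "/missing", 404),
    ]
    for i in range(25):  # one 404 per second from the scanner
        lines.append(_log_line("203.0.113.7", base + timedelta(seconds=i), "GET", f"/dir{i}/", 404, "DirBuster-1.0"))
    for i in range(12):  # one login attempt every three seconds
        lines.append(_log_line("198.51.100.5", base + timedelta(seconds=3 * i), "POST", "/login", 302))
    lines.append("this line is not in combined format and is skipped")
    return lines


if __name__ == "__main__":
    for kind, ip, first_seen, alert_at in detect(build_sample_log()):
        print(f"{kind:17} {ip:15} active for {(alert_at - first_seen).seconds}s before alert at {alert_at:%H:%M:%S}")
```

With the constructed data the scanner is flagged 19 seconds after its first request and the brute-forcer after 27 seconds; the single 404 from the ordinary visitor stays below the threshold. On a real log the same two counters are a reasonable first check that the personnel actually have something to react to before the pentester's detection-time clock is compared against their response.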
In the case of pentesters, the data is aggregated in systems such as Dradis to analyse and organise the information obtained. Based on this data, a report is generated, broken down by vulnerable service, with a detailed description of the vulnerabilities, attack scenarios consisting of several vectors, a risk assessment and recommendations for their elimination.
Only with a full and responsible audit does the customer get the most realistic picture of the maturity of the information security system of their website.