OWASP | Web Application Penetration Testing

What is OWASP?
OWASP (Open Web Application Security Project) was founded in 2001 as an open-source project. In 2004, it evolved into the OWASP Foundation, a non-profit organisation that aims to highlight the dangers and help developers around the world to secure the applications and devices we consume. The OWASP Foundation is made up of companies, educational organisations, and individuals, who bring together effort, knowledge, and consensus on how to perform tests quickly, accurately, and efficiently.

Initially the focus was on web security threats. However, over time, it incorporated technologies that have become fundamental in our societies.

Thus, the scope now includes the web, mobile, IoT devices, application programming interfaces (APIs) and privacy risks.

OWASP has produced several guides that together make a great knowledge base on application security:

• Frequently Asked Questions on Web Application Security (OWASP FAQ)
• Secure Development Guide (OWASP Development)
• OWASP Testing Guide (OWASP Testing Guide)
• OWASP Code Review Guide (OWASP Code Review)
• OWASP TOP-10 (Top 10 Web Application Risks)
• OWASP Mobile Security (OWASP Mobile Security)
• How to detect and respond in real time to application attacks
• Application Security Verification Standard

These guides have become extremely useful tools for companies, guiding them when testing the security of web applications and web services, prioritising vulnerabilities, and providing solutions to combat them. Created through the collaborative efforts of cybersecurity professionals and dedicated volunteers, they provide a framework of best practices used by testers and organisations around the world.

Executing the security tests in the OWASP testing guidelines ensures that software and web applications are free of vulnerabilities, threats, and risks that could cause serious harm to businesses.

The OWASP web application penetration testing methodology is based on a black box approach and allows the security of an application to be assessed by simulating an attack. When vulnerability points are detected, through which a malicious user could perform an attack, the security issue will be reported, and its impact will be evaluated in order to propose a technical solution.

OWASP has established 10 subcategories for web application penetration testing:

Information Gathering

This is a necessary step in a penetration test. All the information about the application to be tested is collected to understand it and how the user or browser communicates with it. It can be carried out by means of:

• Spiders, Robots, and Crawlers.
• Recognition through search engines.
• Identification of application entry points.
• Testing for signatures of Web Applications.
• Application discovery.
• Error code analysis.

Configuration management testing

Analysing the infrastructure or architecture topology can reveal important information about a Web application. This can identify vulnerabilities or configuration flaws that may exist throughout the application architecture.

They will be carried out by:

• SSL/TLS testing.
• DB listener receiver tests.
• Infrastructure configuration management testing.
• Application configuration management testing.
• File extension management.
• Legacy, backup, and unreferenced archives.
• Infrastructure and application management interfaces.
• HTTP and XST methods.

Authentication Tests

These tests attempt to confirm or verify the digital identity of the sender of a communication. For example, if the information entered by a user in a web form is done using protocols, etc. By understanding how the authentication process works, the authentication mechanism can be breached.

The tests are:

• Transmission of credentials through an encrypted channel.
• Enumeration of users.
• Dictionary tests on User accounts or default accounts.
• Brute force testing.
• Bypass authentication system.
• Testing Vulnerable password reminder/restoration systems.
• Testing Vulnerable password reminder/restoration systems.
• Testing of Browsing Cache and logout management.
• CAPTCHA testing.
• Multiple authentication factors.
• Testing for adversarial situations.

Session management testing

A web application can interact with a user in different ways, depending on the server and the security and availability requirements of the application.

The session management of a web application goes from the time the user enters the web application and authenticates to the time the user exits the application. If done via HTTP, this is a stateless protocol. That is, it responds to client requests without linking them together. In order to be able to associate these requests with each other, a “Session ID” or Cookie is required.

With these tests, it is possible to verify how the Session Management mechanism has been developed and once understood, to break it, jump the user session and thus breach it.

• Vulnerability tests for the session management scheme.
• Vulnerability testing for session attributes.
• Vulnerability testing for session fixation.
• Vulnerability testing for exposed session variables.
• Vulnerability testing for CSRF.

Authorisation Testing

Authorisation comes after successful authentication has been performed, so it starts from that point. This testing provides an understanding of the authorisation process and how the authorisation system can be bypassed, making it vulnerable. Cross-path tests will be performed to access reserved information, tests to bypass the authorisation scheme and access reserved functions or resources, and privilege escalation tests to check that a user cannot access more functionalities than he/she has been assigned.

Testing of business logic

Business logic may contain security flaws that allow a user to do something not allowed by the business. Attacks on the business logic of an application are dangerous, difficult to detect and application specific. If the tester is external to the business, you will need to use common sense and ask the business whether the application should allow different operations. When applications are very complex, you will need more information from the application and you will logically have to ask the customer for this information to understand it before you start testing. Developers can also help by providing the necessary explanations regarding the functionality of the application. With OWASP this can be done in a systematic way, which consists of:

• Understanding the application.
• Create raw data to design logic checks.
• Designing the logic checks.
• Standard prerequisites.
• Execution of logic checks.

Data validation testing

In web application security, the most common weakness is the lack of proper validation of client or application environment inputs. This weakness leads to almost all major vulnerabilities in applications, such as:

• Data integrity vulnerability: The attacker manipulates data by intentionally entering erroneous data that manipulates the business function.

• Data format violation: An attacker manages to enter data without correct syntax, out of length limits, containing disallowed characters, with incorrect sign or out of range limits. This causes the application to malfunction.

• Buffer or memory overflows: When the amount of data exceeds the pre-allocated memory capacity, that excess data is stored in adjacent memory areas, overwriting its original contents, and causing a crash.

The data entered by the client should never be trusted, as it has every possibility to manipulate the data. Ensure that the application is robust against all forms of data input, whether obtained from the user, the infrastructure, external entities, or database systems.

With these tests you will see all possible forms of input validations. And it will be possible to establish whether the application is resilient to any form of data input.

Denial of Service testing

When communication between the server and the valid user cannot be established, it may be because access is denied. This could be caused by a malicious user flooding a machine with enough traffic to make it unable to sustain the volume of requests it receives.

Denial of service can be due to:

• SQL wildcard attacks.
• Attacks to lock out user accounts by repeatedly logging in with the wrong password.
• Buffer overflows
• Exhausting server resources by allocating a large number of objects to the server.
• Reducing its performance by looping user logins.
• Failing to release resources.
• Saving large amounts of data even on local disks.
• Exhausting the server’s resources by filling its entire memory.

Web Services Testing

Web services and SOA (Service Oriented Architecture) are growing applications that are enabling businesses to interoperate and grow at an unprecedented rate. Web services clients are generally not web front-ends, but other servers. Web services are exposed to the network like any other service, but can be used over HTTP, FTP, SMTP or accompanied by any other transport protocol A web service is a software system designed to support machine-to-machine interaction, over a network, in an interoperable manner. It has an interface described in a computer-processable format (specifically in WSDL), through which it is possible to interact with it, by exchanging SOAP messages, transmitted using XML serialisation over HTTP in conjunction with other web standards. Weaknesses in web services are similar to other vulnerabilities such as SQL injection, information disclosure, etc., but also have XML vulnerabilities.

The following sections describe the tests to be performed on web services:

• Obtaining Information in Web Services
• WSDL Testing
• Structural XML Testing
• Testing XML at the content level
• HTTP GET/REST parameter testing
• Malicious SOAP Attachments
• Replay Testing

Testing AJAX

(acronym for Asynchronous JavaScript and XML), is a term that describes a way of using several existing technologies at the same time: HTML, XHTML, CSS, JavaScript DOM, XML, XSLT or XMLHttpRequest. When these technologies are combined in an AJAX model, you can achieve web applications that are able to update together without having to reload the entire page. This creates faster and more responsive applications. The benefits that can be achieved are enormous, but from a security point of view they are more exposed to attack than conventional web applications, as AJAX applications span between the client and the server as opposed to traditional websites that exist only on the server.

As a relatively recent technique, many security issues have not yet been investigated, but the following may affect such AJAX applications:

• Larger attack surface, with more entry points to protect.
• Exposed internal application functions.
• Client access to third-party resources without built-in security and encryption mechanisms.
• Failure to protect authentication and session information.

SIPSA’s quality and testing teams work to achieve the highest levels of software quality, focusing on test cases definition from the earliest stages of the product life cycle, thus helping to prevent, identify and solve vulnerabilities or defects as soon as possible. Very often the stress level of organizations, when it comes to meeting deadlines, is so high that the development team has to prioritise functionality over security. The reality is that there is no point in delivering a product that does not satisfy the end user in terms of both functionality and security. This is where automation becomes extremely important, as by automating we provide greater test coverage and greater efficiency.

With TAST | Test Automation System Tool, test automation is maximised throughout the whole process from the end-user perspective, being a key piece for DevOps acceleration. It is easy to use, no programming skills are required and its interface defines automated test cases across all technology platforms.

Soon we will share on our Youtube channel and Vimeo examples of TAST where we desing test cases that test the security/vulnerability of the login to several websites, following the OWASP standard.

Let’s learn how to prevent and apply all the necessary means; human, technological and economic, in this prevention.

Contact us by clicking here