Sidra Saleem for SUDO Consultants

Originally published at sudoconsultants.com

Web App Pentesting on AWS: A Comprehensive Guide

Introduction

Overview

Web application security matters because data must keep its integrity, confidentiality, and availability. As cyber threats keep rising, securing web applications against vulnerabilities is essential to preserving all three. Penetration testing is a proactive measure: vulnerabilities are found and fixed before malicious actors can exploit them.

Purpose

The objective of this guide is to give readers a comprehensive roadmap: the most common vulnerabilities in web applications, the tools and services available in AWS, how to pentest a web application, and how to make sure all security measures are carried out. By following this guide, you can conduct a complete pentest, discover security gaps, and apply effective remediation plans.

Understanding Web Application Security

Common Vulnerabilities

Web applications face many types of vulnerabilities that attackers exploit to gain unauthorized access, steal data, and cause other harm. The OWASP Top 10 standard identifies the most critical web application security risks. Some of the common vulnerabilities are described below.

  • SQL Injection:

An SQL injection allows an attacker to execute arbitrary SQL queries on the database through input fields.

  • Cross-Site Scripting [XSS]:

Through this vulnerability, harmful scripts are injected into web pages that other users then view.

  • Cross-Site Request Forgery:

The user is forced to execute unwanted actions in a web application in which they are logged in.

  • Insecure Deserialization:

This vulnerability is employed to exploit the application logic by manipulating serialized objects.

  • Security Misconfiguration:

This covers insecure default configurations, incomplete configurations, as well as mishandling of default accounts and credentials.

Security Best Practices

To secure web applications from such vulnerabilities, we need to follow some security best practices, which are as follows:

  • Secure Coding Practice:

Implement secure coding standards to avoid introducing security vulnerabilities during development.

  • Input Validation and Sanitization:

Validate and sanitize all user inputs to avoid injection attacks.

  • Proper Session Management:

Secure session management to avoid session hijacking and session fixation issues.

  • Regular Security Assessment:

Carry out regular security assessments and pentests so that any vulnerability found can be taken care of.

  • Patch Management:

Keep all software, libraries, and dependencies up-to-date with the latest security patches.

Setting Up the Environment

AWS Account Setup

To begin pentesting, we first need to set up our AWS environment: prepare an AWS account, set up IAM roles and permissions, and finally set up a test environment.

Console Steps:

  • Open AWS Management Console: Open the AWS Management Console and log in with your username and password.
  • Create a new IAM User: Go to the IAM service, click "Users", and then click "Add user". Set the username for the user, for example PentestUser. Select the type of access to give the user; here we select Programmatic access and AWS Management Console access.
  • MFA for the IAM User: For more security, enable MFA.
  • Create a new Role with Proper Policy: Now create a new role with proper policies. Here we use the AdministratorAccess policy.

CLI Steps:

  • Install the AWS Command Line Interface
pip install awscli
  • Configure the AWS CLI with your credentials
aws configure
  • Create an IAM user
aws iam create-user --user-name PentestUser
  • Attach the AdministratorAccess policy to the user
aws iam attach-user-policy --user-name PentestUser --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

Setting Up a Test Environment

To conduct pentests, you need to have a controlled testing environment where you can exploit vulnerabilities safely without affecting production systems.

Console Steps:

  • Open the AWS Management Console and navigate to the EC2 Service, click on "Launch Instance."
  • Select an Amazon Machine Image (AMI) from the list—for example, Amazon Linux 2.
  • Either create a new security group or use an existing security group that will allow for HTTP (port 80) and HTTPS (port 443) traffic.
  • When the instance is running, connect to it using SSH.
  • Once the instance is running, install a web server (for example, Apache) and deploy a sample vulnerable web application—for example, DVWA.

CLI Steps:

  • Launch an EC2 instance
aws ec2 run-instances --image-id ami-xxxx --count 1 --instance-type t2.micro --key-name MyKeyPair
  • Configure the security group
aws ec2 authorize-security-group-ingress --group-id sg-xxxx --protocol tcp --port 80 --cidr 0.0.0.0/0
  • Use SSH to connect to the instance and set up the web server.

Tools for Pentesting

AWS Tools

AWS provides the following tools, which should be used for pentesting:

  • AWS Inspector:

This is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS.

  • AWS WAF (Web Application Firewall):

Helps protect web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources.

  • AWS CloudTrail:

This tool enables governance, compliance, and operational and risk auditing of your AWS account.

  • AWS CloudWatch:

This provides monitoring and observability for your AWS resources and applications.

Third-Party Tools

Apart from the native AWS tools, the full pentest requires the following third-party tools:

  • Burp Suite:

An integrated platform for performing security testing of web applications.

  • OWASP ZAP:

An open-source web application security scanner.

  • Nmap:

A network exploration tool and security scanner.

  • Metasploit:

A penetration testing framework that helps security teams verify vulnerabilities and manage security assessments.

Conducting the Pentest

Reconnaissance

This is the first step in pentesting, where you gather information about the target application.

Console Steps:

  • Monitor and log activities in your AWS account so you can identify potentially unauthorized or malicious activities.
  • Perform the vulnerability assessments for your instances.

CLI Steps:

  • Use Nmap to scan for open ports and services:
nmap -A -T4 <target-IP>
  • Use the AWS CLI to review CloudTrail logs for any suspicious activities.
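
One way to triage CloudTrail records for suspicious activity, added here as an example and not part of the original guide. The sample records are constructed, and the four rules are assumptions chosen to match actions this guide performs (attaching AdministratorAccess, opening a port to 0.0.0.0/0) plus failed logins and denied calls:

```python
import json

# Constructed CloudTrail records (sample data, not real logs), trimmed to
# the fields the checks read.
SAMPLE_EVENTS = json.loads("""[
 {"eventName": "ConsoleLogin", "userIdentity": {"userName": "PentestUser"},
  "responseElements": {"ConsoleLogin": "Failure"}},
 {"eventName": "AttachUserPolicy", "userIdentity": {"userName": "admin"},
  "requestParameters": {"userName": "PentestUser",
    "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
 {"eventName": "AuthorizeSecurityGroupIngress",
  "userIdentity": {"userName": "PentestUser"},
  "requestParameters": {"groupId": "sg-xxxx", "ipPermissions": {"items": [
    {"ipProtocol": "tcp", "fromPort": 80, "toPort": 80,
     "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
 {"eventName": "DescribeInstances", "userIdentity": {"userName": "PentestUser"}},
 {"eventName": "GetSecretValue", "errorCode": "AccessDenied",
  "userIdentity": {"userName": "PentestUser"}}
]""")

def triage(event):
    """Return the reasons one CloudTrail record deserves a closer look."""
    reasons = []
    name = event.get("eventName")
    params = event.get("requestParameters") or {}
    if name == "ConsoleLogin" and \
            (event.get("responseElements") or {}).get("ConsoleLogin") == "Failure":
        reasons.append("failed console login")
    if event.get("errorCode") in ("AccessDenied", "Client.UnauthorizedOperation"):
        reasons.append("denied API call")
    if name in ("AttachUserPolicy", "AttachRolePolicy") and \
            str(params.get("policyArn", "")).endswith("/AdministratorAccess"):
        reasons.append("AdministratorAccess attached")
    if name == "AuthorizeSecurityGroupIngress":
        for perm in (params.get("ipPermissions") or {}).get("items", []):
            ranges = (perm.get("ipRanges") or {}).get("items", [])
            if any(r.get("cidrIp") == "0.0.0.0/0" for r in ranges):
                reasons.append(f"port {perm.get('fromPort')} open to 0.0.0.0/0")
    return reasons

def review(events):
    """Map 'user: eventName' to its reasons for every flagged record."""
    return {f"{e['userIdentity']['userName']}: {e['eventName']}": r
            for e in events if (r := triage(e))}

if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_EVENTS), indent=2))
```

Events flagged during a pentest window should match the tester's own recorded actions; anything that does not is worth investigating.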

Vulnerability Scanning

Once you have gathered this information, the next task is to identify the vulnerabilities in the application.

Console Steps:

  • Set up and run AWS Inspector to identify vulnerabilities in your instances.
  • Shield your application from common web exploits.

CLI Steps:

  • Start an assessment
aws inspector start-assessment-run --assessment-template-arn arn:aws:inspector:us-west-2:123456789012:template/0-7LbK4XrK
  • Analyze the results of the assessment.

Exploitation

Once vulnerabilities have been identified, the next step is to exploit them to understand their impact.

Console Steps:

  • View findings from AWS Inspector, as well as others, in the AWS Management Console.
  • Perform safe exploitation in a controlled environment to confirm the vulnerabilities.

CLI Steps:

  • Use Metasploit commands to exploit identified vulnerabilities.
  • Execute payloads against the target application to assess the impact.

Reporting and Remediation

Documenting Findings

After the pentest, document all findings and produce a detailed report.

Console Steps:

  • Generate reports from AWS Inspector and other tools.
  • Create a structured report of all findings, which includes screenshots, logs, and evidence.

CLI Steps:

  • Export the findings from AWS Inspector
aws inspector list-findings --assessment-run-arns arn:aws:inspector:us-west-2:123456789012:run/0-7LbK4XrK

Remediation Strategies

After understanding the findings, implement some mitigation strategies.

Console Steps:

  • Patch and Update:

Apply patches and updates to your instances using AWS Systems Manager.

  • Update your Security Groups and IAM Roles:

Update the roles to follow the principle of least privilege.

CLI Steps:

  • Use AWS Systems Manager to update instances
aws ssm send-command --document-name "AWS-RunPatchBaseline" --parameters "Operation=Install" --targets "Key=InstanceIds,Values=<instance-id>"
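
A check for the least-privilege update described above, added here as an example and not part of the original guide: it audits IAM policy documents for the wildcard grants that AdministratorAccess (attached to PentestUser earlier) carries. The SCOPED policy, its Sids, and the read-prefix heuristic are assumptions made for the illustration.

```python
# Constructed policy documents. ADMIN mirrors what the AWS-managed
# AdministratorAccess policy grants; SCOPED is a hypothetical narrower policy.
ADMIN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadInventory", "Effect": "Allow",
     "Action": ["ec2:DescribeInstances", "ec2:DescribeSecurityGroups"],
     "Resource": "*"},
    {"Sid": "Patch", "Effect": "Allow",
     "Action": "ssm:SendCommand", "Resource": "*"},
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    {"Sid": "Guard", "Effect": "Deny", "Action": "iam:DeleteUser", "Resource": "*"}]}

# Heuristic (assumption): operations with these prefixes are read-only, so a
# "*" resource on them is tolerated.
READ_PREFIXES = ("Describe", "List", "Get")

def as_list(value):
    """IAM allows a bare string or object where a list is also valid."""
    return value if isinstance(value, list) else [value]

def audit(policy):
    """Return (sid, severity, message) for Allow statements that break least privilege."""
    findings = []
    for idx, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only remove access
        sid = stmt.get("Sid", f"statement[{idx}]")
        any_resource = "*" in as_list(stmt.get("Resource", []))
        if "NotAction" in stmt:
            findings.append((sid, "HIGH", "Allow with NotAction grants every unlisted action"))
        for action in as_list(stmt.get("Action", [])):
            service, _, op = action.partition(":")
            if action == "*":
                findings.append((sid, "CRITICAL", "wildcard action '*'"))
            elif op == "*":
                findings.append((sid, "HIGH", f"every {service} action allowed"))
            elif any_resource and not op.startswith(READ_PREFIXES):
                findings.append((sid, "MEDIUM", f"{action} not scoped to a resource ARN"))
    return findings

if __name__ == "__main__":
    for name, doc in (("ADMIN", ADMIN), ("SCOPED", SCOPED)):
        print(name, audit(doc))
```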

Best Practices and Compliance

Security Best Practices

Implement security best practices to achieve the maximum security of your web applications in the long run.

  • Regular Security Assessments:

Carry out security assessments on a regular basis to detect and fix new vulnerabilities.

  • Continuous Monitoring and Logging:

Make use of AWS CloudWatch and CloudTrail for continuous monitoring and logging of activities.

Compliance Standards

Adhere to industry compliance standards and laws like PCI-DSS, HIPAA, and GDPR.

  • PCI-DSS: Implement security controls to protect the data of cardholders.
  • HIPAA: Ensure privacy and security regarding health information.
  • GDPR: Protect the personal data and privacy of EU citizens.

Resources and Further Reading

AWS Documentation

By now, you should be all set to proceed ahead and conduct.
