Web Application Penetration Testing Training 4

Description:

Securium Fox Technology provides cyber security services in the USA, India, Bangalore, the UK, London, China, Africa and Japan, as well as ethical hacking, penetration testing and training. Securium Fox Technology also provides certification for all platforms, such as Cisco, Microsoft, EC-Council, ISC2, Red Hat and so on. You get any certification with 100% exam crack result. Cisco certifications: CCNA, CCNP, CENT and so on. EC-Council certifications: CEHv10, CHFI, LPT, ECSA and so on. ISC2 certifications: CISM, CISSP and so on. Microsoft certifications: MCSA, MCITP and so on.


Transcript and Presenter's Notes


1
ABOUT US
SECURIUM FOX offers cyber security consultancy
services with its expert and experienced team. We
provide consulting services to prevent cyber
attacks and data leaks and to ensure that our
customers are ready and safe against cyber
attacks, with more than 15 years of experience.

In addition to pentests and consulting services,
SECURIUM FOX prepares its customers and field
enthusiasts for real-life scenarios by providing
training in a lab environment prepared by its own
young, dynamic team, which keeps up with the field.

As long as hackers are part of our lives, there is
always a risk of facing a cyber attack. Over the
years, given the effects and number of attacks,
cyber security has become a critical precaution
for all organizations and companies. SECURIUM FOX
tests the weak points of customers for possible
attacks and provides consulting services to
eliminate these weak points.

The SECURIUM FOX team also supports the
development of our country in this field by
supporting free events organized on a volunteer
basis by the Octosec team.
2
  • WEB APPLICATION SECURITY AND PENETRATION TESTING
    TRAINING

3
Getting Started with Web Application Penetration
Testing
  • Pen Test is the most commonly used security
    testing technique for web applications.
  • Web Application Penetration Testing is done by
    simulating unauthorized attacks internally or
    externally to get access to sensitive data.
  • A web penetration test helps the end user find
    out the possibility for a hacker to access data
    from the internet, find out about the security of
    their email servers, and get to know how secure
    the web hosting site and server are.

4
In this penetration testing tutorial I have tried
to cover
  • The need of Pentest for web application testing,
  • Standard methodology available for Pentest,
  • Approach for web application Pentest,
  • What are the types of testing we can perform,
  • Steps to be taken to perform penetration test,
  • Tools which can be used for testing,
  • Some of the penetration testing service Providers
    and
  • Some of the Certifications for Web Penetration
    testing

5
Why Penetration Testing is required
  • When we talk about security, the most common word
    we hear is Vulnerability.
  • When I initially started working as a security
    tester, I used to get confused very often with
    this word Vulnerability, and I am sure many of
    you, my readers would fall in the same boat.
  • For the benefit of all my readers, I will first
    clarify the difference between vulnerability and
    pen testing.
  • So, what is Vulnerability? Vulnerability is the
    term used to identify flaws in the system which
    can expose the system to security threats.

6
Vulnerability Scanning or Pen Testing?
  • Vulnerability Scanning lets the user find out the
    known weaknesses in the application and defines
    methods to fix and improve the overall security
    of the application. It basically finds out if
    security patches are installed, whether the
    systems are properly configured to make attacks
    difficult.
  • Pen tests mainly simulate real-time systems and
    help the user find out whether the system can be
    accessed by unauthorized users and, if so, what
    damage can be caused and to which data.
  • Hence, Vulnerability Scanning is a detective
    control method which suggests ways to improve the
    security program and ensure known weaknesses do
    not resurface, whereas a pen test is a preventive
    control method which gives an overall view of the
    system's existing security layer.
  • Though both methods have their importance, the
    choice will depend on what is really expected as
    part of the testing.
  • As testers, it is imperative to be clear on the
    purpose of the testing before we jump into
    testing. If you are clear on the objective, you
    can very well define if you need to do a
    vulnerability scan or pen testing.

7
Importance and the need for Web App Pen Testing
  • Pentest helps in identifying unknown
    vulnerabilities.
  • Helps in checking the effectiveness of the
    overall security policies.
  • Helps in testing the components exposed publicly,
    like firewalls, routers, and DNS.
  • Lets the user find out the most vulnerable route
    through which an attack can be made.
  • Helps in finding the loopholes which can lead to
    theft of sensitive data.
  • If you look at the current market demand, there
    has been a sharp increase in mobile usage, which
    is becoming a major potential avenue for attacks.
    Websites accessed through mobile devices are
    prone to more frequent attacks and hence to the
    compromise of data.
  • Penetration Testing thus becomes very important
    in ensuring we build a secure system which can be
    used by users without any worries of hacking or
    data loss.

8
Web Penetration Testing Methodology
  • The methodology is nothing but a set of security
    industry guidelines on how the testing should be
    conducted. There are some well-established and
    famous methodologies and standards which can be
    used for testing, but since each web application
    demands different types of tests to be performed,
    testers can create their own methodologies by
    referring to the standards available in the
    market.
  • Some of the security testing methodologies and
    standards are:
  • OWASP (Open Web Application Security Project)
  • OSSTMM (Open Source Security Testing Methodology
    Manual)
  • PTF (Penetration Testing Framework)
  • ISSAF (Information Systems Security Assessment
    Framework)
  • PCI DSS (Payment Card Industry Data Security
    Standard)

9
Listed below are some of the test scenarios which
can be tested as part of Web Application
Penetration Testing (WAPT)
  • Cross Site Scripting
  • SQL Injection
  • Broken authentication and session management
  • File Upload flaws
  • Caching Servers Attacks
  • Security Misconfigurations
  • Cross Site Request Forgery
  • Password Cracking

10
  • You can always contact SECURIUM FOX. You can
    contact us through our email addresses or by
    using the contact form on the side.
  • INFO
  • 3rd Floor, Lohia Towers,
  • Nirmala Convent Rd,
  • Gurunanak Nagar, Patamata, Vijayawada,
  • Andhra Pradesh - 520010
  • 9652038194
  • 08666678997
  • info_at_securiumfoxtechnologies.com

11
  • Andhra Pradesh Office: 91 8666678997,
    91 91652038194. 3rd Floor, Lohia Towers, Nirmala
    Convent Rd, Gurunanak Nagar, Patamata, Vijayawada.
    info_at_securiumfoxtechnologies.com
  • UK Office: 44 2030263164. Velevate, Kemp House,
    152 - 160, City Road, EC1V 2NX London.
    info_at_securiumfoxtechnologies.com
  • Tamil Nadu Office: 91 9566884661. Kailash Nagar,
    Nagar, Tiruchirappalli, Tamil Nadu 620019.
    info_at_securiumfoxtechnologies.com
  • Noida Office: 91 (120) 4291672, 91 9319918771.
    A-25, Block A, Second Floor, Sector - 3, Noida,
    India. info_at_securiumfoxtechnologies.com
  • USA Office: 1 (315)933-3016. 33 West, 17th Street,
    New York, NY-10011, USA.
    info_at_securiumfoxtechnologies.com
  • Dubai Office: 971 545391952. Al Ansari Exchange,
    Ansar Gallery - Karama Branch, Hamsah-A Building -
    3 A St - Dubai - United Arab Emirates.
    info_at_securiumfoxtechnologies.com