Web Application Penetration Testing Methodology

Review Cobalt pentest methodologies for web applications, including microservices.

Web application penetration testing is a process in which a tester uses simulated attacks to identify potential security vulnerabilities in a web application.

We follow an industry-standard methodology primarily based on the OWASP Application Security Verification Standard (ASVS) and Testing Guide. In support, we use a number of manual and automated tools, described in the following steps, to ensure full coverage.

Web application penetration testing methodology process

Penetration testing of a web application includes the following stages:

Cobalt pentesters do not need access to the source code of your application, unless you specify it as a requirement. We look at the application logic by working with your app.

Tests of a Web asset include tests of APIs used to populate content on that asset. If you have additional APIs, you may consider setting up:

  • A combined Web + API test
  • A separate test for APIs

Target Scope Reconnaissance

Based on the pentest brief prepared by the client, Cobalt pentesters search for information about the targets and investigate the scope. This information includes:

  • Web application URLs
  • Descriptions of application logic
  • Functions critical to the business

Pentesters then confirm that they can:

  • Reach and scan the targets
  • Test the functionality of the application

Business and Application Logic Mapping

Pentesters manually examine the target applications to map:

  • Business functions
  • Workflows
  • Underlying processes

They also build a matrix of the access controls within the application based on supported roles and actions. Our pentesters use this matrix to plan further security tests, which determines:

  • How well these controls are enforced
  • How an attacker can bypass these controls

Automated Web Crawling and Web Scanner Configuration Tweakings

Our pentesters use both commercial and freeware security tools to assess the targeted application. They’ll modify these tools as needed, to make sure that scanning can find security issues on every segment of your asset, and the application as a whole.

In addition, our pentesters run automated crawls to:

  • Identify any pages are available to unauthenticated users
  • Determine the full site tree

Authenticated Vulnerability Scanning / Manual Crawling

In this part of the pentest process, our pentesters:

  • Use automated tools for web application crawling
    • Verify the results manually
  • Run manual crawling tests for better coverage
    • Verify authentication on protected areas of the application

With automated scanning, our pentesters:

  • Assess the application using the authenticated sessions where applicable

Our pentesters use extreme caution to minimize impact on the targeted system.

Manual Web Vulnerability Tests / Exploit Reviews / Microservices

Cobalt pentesters use tool-assisted manual tests to identify and analyze the following parts of the app for vulnerabilities:

  • Functionality
  • Business logic
  • Deployment

The assessment identifies published vulnerabilities, including those listed in the

  • OWASP Top 10
  • CVE reports or tracked by CVE entries

Our pentesters also consider the workflows and business logic into consideration when they identify vulnerabilities in the application.

The assessment includes tests for vulnerabilities such as:

  • Injection attacks that probe the robustness of server-validation routines
  • Session management flaws that could allow user impersonation
  • Flaws in access control that expose data or enable users to gain elevated privileges

If the application includes microservices, our pentesters focus on interactions between different systems. They examine the implementation of:

  • Access control management
  • Cross-Origin Resource Sharing (CORS)

We thoroughly examine:

  • Access control management
    • Cross-Origin Resource Sharing (CORS) implementation
  • Vulnerabilities outlined in the OWASP API Security Project

For each finding, pentesters determine the risk associated with each issue by:

  • Demonstrating how the issue could be exploited
  • Evaluating its impact within the context of the business function, data, and users of the asset
  • Setting up a Proof-of-Concept exploitation to:
    • Demonstrate the presence of the vulnerability
    • Minimize potential adverse impact to the application, its data, and its underlying systems

Ongoing Assessments

Our pentesters report their findings, in real time, through the Cobalt platform. They also:

  • Assess all risks
  • Recommend steps for remediation

You’re welcome to communicate with our pentesters for each of their findings.

Reporting, Triaging, and Retesting

Cobalt pentesters report and triage all vulnerabilities during the assessment. You can review details of all findings, in real time, through the Cobalt platform. In these findings, as well as in any report, our pentesters include detailed information on how you can:

  • Remediate each finding
  • Improve your overall security posture

You can remediate findings during and after the pentest. Then you can submit findings for retest. Our pentesters test the updated components and retest issues to ensure that there are no security-related residual risks.

Was this page helpful?

Yes No Create an Issue

Last modified June.06.2023