Web Application Assessments
What is a web application assessment?
A web application assessment seeks to discover any vulnerabilities in application functionality, along with assessing the effectiveness of any security controls used by the application. The testing engineer looks at the application through the eyes of an adversary, and using this perspective, identifies and documents weak points in the application. This documentation is then provided to the application developer so that any findings can be remediated.
What is the web application assessment process?
A web application test always starts with information discovery. The testing engineer uses automated tools to enumerate the available web pages and endpoints; at the same time, the engineer manually navigates the application to get a feel for the available functionality, what kind of data is being sent and received, and whether there are any areas of particular interest.
Once sufficient information about the application has been gathered, the engineer starts actively searching for vulnerabilities. Automated scanning tools are run, and their results are vetted and manually confirmed, to find simple vulnerabilities quickly. Manual techniques are used to locate more complex vulnerabilities that scanners have difficulty finding; this manual vulnerability discovery is where the bulk of testing time is spent. Each discovered vulnerability is confirmed by performing a simple exploit that demonstrates its existence.
The final part of an assessment is the report. The engineer assigns a severity rating to each vulnerability, describes the vulnerability and possible remediations, and includes evidence of the finding along with instructions for reproducing the exploitation steps used to confirm it. Finally, the report is delivered to the developer.
White-Box vs Black-Box Assessments
Ideally, a test is performed in a “white-box” style, where the testing engineer has access to the source code and can consult the application developers. The testing process for a “white-box” test looks very similar to that of a “black-box” test; however, the results are more accurate overall, remediation advice can be more targeted, and in general a better picture of the application’s security posture is obtained.