Web Pen Testing Approach
1. Planning Phase (Before Testing)
Before testing starts, plan what types of testing will be performed, how the
testing will be performed, and whether QA needs any additional access or tools.
- Scope definition – As in functional testing, define the scope of the testing
before the test effort starts.
- Availability of Documentation to Testers – Ensure testers have all the
required documents, such as those describing the web architecture, integration
points and web services integration. The tester should know the basics of the
HTTP/HTTPS protocols, the web application architecture, and the ways to
intercept traffic.
- Determining the Success Criteria – Unlike functional test cases, where
expected results can be derived from the user or functional requirements, pen
testing works on a different model. The success criteria (the criteria for a
test case to pass) need to be defined and approved up front.
- Reviewing the Test Results from Previous Testing – If prior testing was ever
done, review its results to understand which vulnerabilities existed in the
past and what remediation was taken to resolve them. This always gives the
testers a better picture.
- Understanding the Environment – Testers should gain knowledge of the
environment before starting testing. This step should give them an
understanding of the firewalls or other security controls that would need to
be disabled to perform the testing. The browser used for testing should be
converted into an attack platform, usually by changing its proxy settings to
point at an intercepting proxy.
2. Attacks/Execution Phase (During Testing)
Web penetration testing can be done from any location, provided the internet
provider does not restrict the ports and services the testing needs.
- Ensure Tests Are Run with Different User Roles – Testers should run tests
with users having different roles, since the system may behave differently for
users with different privileges.
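The role check above, and the success criteria and report fields from the planning and reporting steps, can be combined into a small role-matrix harness. The code below is an added example and not part of the original post: it starts a constructed toy HTTP application in-process (the `X-Role` header standing in for a real session, and a deliberately missing role check on `DELETE /admin/users`, both assumptions made for the demo), then requests each endpoint as each role and reports every deviation from the approved expected status as a finding with its severity and location.

```python
"""Added example: role-matrix access-control check against a constructed toy app."""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen


class ToyApp(BaseHTTPRequestHandler):
    """Constructed demo application (assumption: not any real target).
    The role comes from an X-Role header purely for the demo; DELETE on
    /admin/users deliberately lacks the role check so the harness has
    something to find."""

    def _role(self):
        return self.headers.get("X-Role", "anonymous")

    def _reply(self, code):
        self.send_response(code)
        self.end_headers()

    def do_GET(self):
        if self.path == "/profile":
            self._reply(200 if self._role() != "anonymous" else 401)
        elif self.path == "/admin/users":
            self._reply(200 if self._role() == "admin" else 403)
        else:
            self._reply(404)

    def do_DELETE(self):
        if self.path == "/admin/users":
            self._reply(200)  # missing authorization check (deliberate for the demo)
        else:
            self._reply(404)

    def log_message(self, *args):  # keep server logging quiet
        pass


def start_toy_app():
    """Serve the toy app on a random loopback port in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), ToyApp)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


# Success criteria agreed in the planning phase (constructed for the demo):
# the status each role is expected to receive per method and path.
EXPECTED = {
    ("GET", "/profile"): {"anonymous": 401, "user": 200, "admin": 200},
    ("GET", "/admin/users"): {"anonymous": 403, "user": 403, "admin": 200},
    ("DELETE", "/admin/users"): {"anonymous": 403, "user": 403, "admin": 200},
}


def observe(base_url, method, path, role):
    """Issue one request as the given role and return the HTTP status."""
    req = Request(base_url + path, method=method, headers={"X-Role": role})
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status
    except HTTPError as err:  # 4xx/5xx are results, not errors, here
        return err.code


def run_role_matrix(base_url, expected=EXPECTED):
    """Compare observed status against the success criteria for every
    (method, path, role) and return the deviations as report entries."""
    findings = []
    for (method, path), roles in expected.items():
        for role, want in roles.items():
            got = observe(base_url, method, path, role)
            if got == want:
                continue
            # A denied-by-design request that succeeds is an access-control
            # bypass; any other mismatch is still worth reporting.
            bypass = want in (401, 403) and got == 200
            findings.append({
                "location": f"{method} {path}",
                "role": role,
                "expected": want,
                "observed": got,
                "severity": "high" if bypass else "medium",
            })
    return findings


if __name__ == "__main__":
    server, url = start_toy_app()
    try:
        print(json.dumps(run_role_matrix(url), indent=2))
    finally:
        server.shutdown()
```

Run against the toy app, the harness reports two high-severity findings, both at `DELETE /admin/users` (roles `anonymous` and `user`), which is exactly the kind of per-role difference the step above asks testers to look for. Against a real application, `observe` would carry the session cookie or token for each role instead of the demo header, and `EXPECTED` would hold the approved success criteria for the scoped endpoints.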
- Awareness of How to Handle Post-Exploitation – Testers must follow the
success criteria defined in Phase 1 when reporting any exploitation, and they
should follow the defined process for reporting vulnerabilities found during
testing. This step mainly concerns what the tester needs to do once they have
found that the system can be compromised.
- Generation of Test Reports – Testing done without proper reporting does not
help the organization much, and the same is true of penetration testing of web
applications. To ensure the test results are properly shared with all
stakeholders, testers should create proper reports detailing the
vulnerabilities found, the methodology used for testing, the severity of each
finding, and the location of each problem.
3. Post Execution Phase (After Testing)
Once the testing is complete and the test reports have been shared with all
concerned teams, the following list should be worked through by all –
- Suggest Remediation – Pen testing should not end with identifying
vulnerabilities. The concerned team, including a QA member, should review the
findings reported by the testers and then discuss the remediation.
- Retest Vulnerabilities – After the remediation has been agreed and
implemented, testers should retest to ensure that the fixed vulnerabilities no
longer appear.
- Cleanup – As part of the pen test, testers make changes to the proxy
settings, so cleanup should be done and all changes reverted.
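The proxy change made in the "Understanding the Environment" step and the revert required by the cleanup step above can be tied together so that the revert cannot be forgotten. The following is an added example, not code from the original post: a context manager that applies proxy environment variables for the duration of a test run, restores the previous values even if the test aborts with an exception, and a check that reports any proxy setting left behind. The proxy address is a constructed placeholder.

```python
"""Added example: apply intercepting-proxy settings with guaranteed revert."""
import contextlib
import os

# The environment variables most command-line HTTP tooling honours.
PROXY_VARS = ("HTTP_PROXY", "HTTPS_PROXY", "http_proxy", "https_proxy")


@contextlib.contextmanager
def proxied(proxy_url):
    """Point HTTP/HTTPS traffic of child processes and proxy-aware libraries
    at proxy_url, then put every variable back exactly as it was, whether
    the body finished normally or raised."""
    saved = {name: os.environ.get(name) for name in PROXY_VARS}
    for name in PROXY_VARS:
        os.environ[name] = proxy_url
    try:
        yield proxy_url
    finally:
        for name, old in saved.items():
            if old is None:
                os.environ.pop(name, None)   # was unset before: unset again
            else:
                os.environ[name] = old       # was set before: restore old value


def leftover_proxy_settings():
    """Cleanup check: return any proxy variables still set after testing."""
    return {name: os.environ[name] for name in PROXY_VARS if name in os.environ}


def run_with_proxy(proxy_url, test_body):
    """Run test_body inside the proxied context and return whether the
    environment was fully reverted afterwards. test_body may raise."""
    try:
        with proxied(proxy_url):
            test_body()
    except RuntimeError:
        pass  # a failing test run must not skip the revert
    return leftover_proxy_settings() == {}


if __name__ == "__main__":
    # Constructed placeholder address for a local intercepting proxy.
    demo_proxy = "http://127.0.0.1:8080"

    def aborting_test():
        raise RuntimeError("simulated test abort")

    print("reverted after abort:", run_with_proxy(demo_proxy, aborting_test))
    print("leftover settings:", leftover_proxy_settings())
```

The point of the `finally` block is that the revert runs on every exit path; the check function then gives the post-execution phase something concrete to confirm rather than relying on memory.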