Tuesday, February 12, 2019

Web Pen Testing Approach

1) Planning Phase (Before Testing)
Before testing starts, it is advisable to plan what types of testing will be performed, how the testing will be performed, and whether QA needs any additional access to tools, etc.
  • Scope definition – This is the same as in our functional testing, where we define the scope of our testing before starting our test efforts.
  • Availability of Documentation to Testers – Ensure testers have all the required documents, such as those detailing the web architecture, integration points, web services integration, etc. The tester should be aware of the HTTP/HTTPS protocol basics and know about the web application architecture and the ways of intercepting traffic.
  • Determining the Success Criteria – Unlike our functional test cases, where we can derive expected results from user requirements/functional requirements, pen testing works on a different model. The success criteria, or the test case passing criteria, need to be defined and approved.
  • Reviewing the test results from the Previous Testing – If prior testing was ever done, it is good to review the test results to understand what vulnerabilities existed in the past and what remediation was taken to resolve them. This always gives a better picture to the testers.
  • Understanding environment – Testers should gain knowledge about the environment before starting testing. This step should give them an understanding of firewalls or other security controls that would need to be disabled to perform the testing. The browser used for testing should be converted into an attack platform, usually done by changing its proxy settings so that traffic can be intercepted.

2) Attacks/Execution Phase (During Testing)
Web penetration testing can be done from any location, provided the internet provider does not restrict the ports and services needed.

  • Ensure to run a test with different user roles – Testers should run tests with users having different roles, since the system may behave differently for users with different privileges.
  • Awareness on how to handle Post-Exploitation – Testers must follow the success criteria defined in Phase 1 to report any exploitation, and they should follow the defined process for reporting vulnerabilities found during testing. This step mainly involves the tester working out what needs to be done after they have found that the system has been compromised.
  • Generation of Test Reports – Any testing done without proper reporting doesn't help the organization much, and the same is the case with penetration testing of web applications. To ensure the test results are properly shared with all stakeholders, testers should create proper reports with details on the vulnerabilities found, the methodology used for testing, the severity, and the location of each problem found.

3) Post-Execution Phase (After Testing)
Once the testing is complete and the test reports are shared with all concerned teams, the following list should be worked upon by all –
  • Suggest remediation – Pen testing shouldn't just end with identifying vulnerabilities. The concerned team, including a QA member, should review the findings reported by testers and then discuss the remediation.
  • Retest Vulnerabilities – After the remediation is agreed and implemented, testers should retest to ensure that the fixed vulnerabilities no longer appear in their retesting.
  • Cleanup – As part of the pentest, testers make changes to the proxy settings, so cleanup should be done and all changes reverted.
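The three steps that recur across phases 2 and 3 (run the same tests under different user roles, report each finding with severity and location, and retest after remediation) can be driven from one small harness. The block below is an added example and is not code from the post. The application under test, the role policy and the authorization gap it contains are all constructed in-process so the example runs offline; in a real engagement `make_app` would be replaced by a function that sends each request with the session credentials of the given role.

```python
# Added example (not from the post): a role-matrix access-control check plus a
# retest diff. "app" stands in for the application under test; here it is a
# constructed in-process function so the example runs offline.
from dataclasses import dataclass

# Constructed sample policy: which (method, path) pairs each role is MEANT to reach.
# Keeping this matrix in source control doubles as the "success criteria" from phase 1.
EXPECTED_ACCESS = {
    "anonymous": {("GET", "/login")},
    "user": {("GET", "/login"), ("GET", "/account"), ("POST", "/account")},
    "admin": {("GET", "/login"), ("GET", "/account"), ("POST", "/account"),
              ("GET", "/admin/users"), ("DELETE", "/admin/users/42")},
}


def make_app(enforce_admin_delete):
    """Constructed stand-in for the application under test.

    Returns a function (role, method, path) -> HTTP status code. When
    enforce_admin_delete is False it lets a plain user DELETE an admin
    resource, the kind of role-dependent behaviour that testing with
    several user roles is meant to surface.
    """
    def handle(role, method, path):
        if path == "/login":
            return 200
        if role == "anonymous":
            return 401
        if path.startswith("/admin/"):
            if role == "admin":
                return 200
            if method == "DELETE" and not enforce_admin_delete:
                return 200  # the deliberate authorization gap
            return 403
        return 200
    return handle


@dataclass(frozen=True)
class Finding:
    vuln: str
    role: str
    method: str
    path: str
    severity: str
    observed: int   # status code the app returned
    expected: str   # "allow" or "deny" according to the policy


def run_role_matrix(app, expected_access):
    """Call every endpoint in the policy as every role and record deviations.

    A success (< 400) where the policy says deny is an access-control finding;
    a rejection where the policy says allow is flagged too, so the report also
    catches over-restrictive fixes introduced during remediation.
    """
    endpoints = set().union(*expected_access.values())
    findings = []
    for role in expected_access:
        for method, path in sorted(endpoints):
            status = app(role, method, path)
            allowed = (method, path) in expected_access[role]
            if status < 400 and not allowed:
                mutating = method in ("POST", "PUT", "PATCH", "DELETE")
                sev = "High" if mutating or path.startswith("/admin/") else "Medium"
                findings.append(Finding("broken-access-control", role, method,
                                        path, sev, status, "deny"))
            elif status >= 400 and allowed:
                findings.append(Finding("functional-regression", role, method,
                                        path, "Low", status, "allow"))
    return findings


def render_report(findings):
    """Plain-text report carrying vulnerability, severity, location and the
    role that reached it, the fields a pentest report should state."""
    lines = [f"{len(findings)} finding(s)"]
    for f in sorted(findings, key=lambda f: (f.severity, f.path)):
        lines.append(f"[{f.severity}] {f.vuln}: {f.method} {f.path} as '{f.role}' "
                     f"returned {f.observed}, policy says {f.expected}")
    return "\n".join(lines)


def retest(before, after):
    """Compare the original run with a run after remediation: what was fixed,
    what is still open, and what newly appeared."""
    def key(f):
        return (f.vuln, f.role, f.method, f.path)
    b = {key(f) for f in before}
    a = {key(f) for f in after}
    return {"fixed": sorted(b - a), "open": sorted(b & a), "new": sorted(a - b)}


if __name__ == "__main__":
    first = run_role_matrix(make_app(enforce_admin_delete=False), EXPECTED_ACCESS)
    print(render_report(first))
    second = run_role_matrix(make_app(enforce_admin_delete=True), EXPECTED_ACCESS)
    print(retest(first, second))
```

Running the block reports one High finding (a `user` session deleting an admin resource) on the first pass and, after the simulated fix, lists that finding under `fixed` with nothing open or new. Because the harness compares observed behaviour against an explicit policy rather than only looking for 200s, it also flags endpoints that a fix broke for legitimate roles, which is what the retest step needs to catch.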
