A penetration test, also referred to as a pen test, may be a simulated cyber attack against your computing system to see for exploitable vulnerabilities. In the context of web application security, penetration testing is usually wont to augment an internet application firewall. Pen testing can involve the attempted breaching of any number of application systems, (e.g., application protocol interfaces (APIs), frontend/backend servers) to uncover vulnerabilities, like unsanitized inputs that are susceptible to code injection attacks. Insights provided by the penetration test are often wont to fine-tune your WAF security policies and patch detected vulnerabilities.
Penetration testing stages :
The pen testing process are often weakened into five stages.
1. Planning and reconnaissance
The first stage involves: • Defining the scope and goals of a test, including the systems to be addressed and the testing methods to be used. • Gathering intelligence (e.g., network and domain names, mail server) to better understand how a target works and its potential vulnerabilities.
2. Scanning
The next step is to know how the target application will answer various intrusion attempts. This is typically done using: • Static analysis – Inspecting an application’s code to estimate the way it behaves while running. These tools can scan everything of the code during a single pass. • Dynamic analysis – Inspecting an application’s code in a running state. This is a more practical way of scanning, because it provides a real-time view into an application’s performance.
3. Gaining Access
This stage uses web application attacks, like cross-site scripting , SQL injection and backdoors, to uncover a target’s vulnerabilities. Testers then attempt to exploit these vulnerabilities, typically by escalating privileges, stealing data, intercepting traffic, etc., to know the damage they will cause.
4. Maintaining access
The goal of this stage is to ascertain if the vulnerability are often wont to achieve a persistent presence within the exploited system— long enough for a nasty actor to gain in-depth access. The idea is to imitate advanced persistent threats, which frequently remain during a system for months so as to steal an organization’s most sensitive data.
5. Analysis
The results of the penetration test are then compiled into a report detailing: • Specific vulnerabilities that were exploited • Sensitive data that was accessed • The amount of time the pen tester was able to remain in the system undetected This information is analyzed by security personnel to assist configure an enterprise’s WAF settings and other application security solutions to patch vulnerabilities and protect against future attacks.
Penetration testing methods
External testing
External penetration tests target the assets of a corporation that are visible on the web , e.g., the online application itself, the corporate website, and email and name servers (DNS). The goal is to realize access and extract valuable data.
Internal testing
In an indoor test, a tester with access to an application behind its firewall simulates an attack by a malicious insider. This isn’t necessarily simulating a rogue employee. A common starting scenario can be an employee whose credentials were stolen due to a phishing atttack.
Blind testing
In a blind test, a tester is merely given the name of the enterprise that’s being targeted. This gives security personnel a real-time check out how an actual application assault would happen .
Double-blind testing
In a test test, security personnel haven't any prior knowledge of the simulated attack. As within the world , they won’t have any time to prop up their defenses before an attempted breach.
Targeted testing
In this scenario, both the tester and security personnel work together and keep one another appraised of their movements. This is a valuable work out that gives a security team with real-time feedback from a hacker’s point of view.
Penetration testing and web application firewalls
Penetration testing and WAFs are exclusive, yet interdependent security measures. For many sorts of pen testing (with the exception of blind and test tests), the tester is probably going to use WAF data, like logs, to locate and exploit an application’s weak spots. In turn, WAF administrators can enjoy pen testing data. After a test is completed, WAF configurations are often updated to secure against the weak spots discovered within the test. Finally, pen testing satisfies a number of the compliance requirements for security auditing procedures, including PCI DSS and SOC2. Certain standards, like PCI-DSS 6.6, are often satisfied only through the utilization of a licensed WAF. Doing so, however, doesn’t make pen testing any less useful thanks to its aforementioned benefits and skill to enhance on WAF configurations.
0 Comments