Web applications have become a necessity of business in a digital world, used both externally to reach and assist customers through corporate websites, and internally for business functions such as HR platforms. Protecting these assets is crucial to operating a modern, secure business. With the very real increase in data breaches impacting Australian organisations, business leaders are left worried and asking, “Are we next?”. Expert security advice for your organisation can bring peace of mind that the good guys are finding vulnerabilities before the bad ones do. To prepare yourself for your next Web Application Penetration Test, detailed below is an overview of Alcorn Group’s testing methodology, as well as some of the most common risks found during testing.
Before testing begins, Alcorn Group’s consultants engage with stakeholders to gain a deeper understanding of the application and the business context in which it’s used. You can expect questions such as:
- What’s the intended business use of the application?
- Is there a particular scenario you are most concerned about? For example, someone accessing personally identifiable information, or defacement of the site?
- What kind of functionality does the application have?
These sorts of questions, raised during the scoping phase, allow consultants to focus their time on the vulnerabilities that relate to what matters to your business. Alcorn Group understands that companies often do not have the budget for an exhaustive penetration test (although one is recommended for conclusive results). Our consultants will take the time to understand what is relevant to the business use case, and what you aim to achieve from the testing.
After the scoping and kick-off phases, Alcorn Group gets to work investigating and analysing your application. Using a variety of tools and following our own testing methodology, Alcorn Group’s consultants test against the OWASP Top Ten Web Application Security Risks and the requirements of the OWASP ASVS (Application Security Verification Standard). Some of the more common risks we uncover are:
- Weak Access Controls: A key component of web applications is ensuring that the right people can access the correct information and controls, dependent on their role within the organisation. Alcorn Group often uncovers vulnerabilities that allow attackers to access confidential information or administrative functionality, as well as cases where regular users can access higher-privileged information or functions.
- Incorrect Session Management: Web applications use unique session ID tokens to differentiate between users performing actions within the application. A large number of applications tested by Alcorn Group are found to have insufficient session management, such as predictable or long-lived tokens. These vulnerabilities often lead to information leakage and, in some cases, can be escalated to account takeover.
- Denial of Service: A variety of vulnerabilities allow attackers to affect the availability of your web application, stopping everyone, including clients and staff, from being able to use it.
- Data Injection: These vulnerabilities arise when the application server fails to validate, or safely handle, user-supplied data, and they can be used to attack the application’s back-end systems or its other users. Alcorn Group aims to ensure that all data submitted to the application is appropriately validated and that there is no opportunity to inject data to achieve attacks such as SQL injection or cross-site scripting.
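To make the first and last of these risks concrete, here is an added example (illustrative code written for this article, not Alcorn Group’s tooling or any client’s application) showing a request handler in its vulnerable form beside its hardened form. The handler, the `invoices` table and the two users `alice` and `bob` are all constructed for the example and are assumptions, not something drawn from a real engagement. The vulnerable version trusts a client-supplied record id with no ownership check (a weak access control) and builds its SQL by string concatenation (SQL injection); the hardened version binds the id as a query parameter and makes ownership part of the query itself.

```python
import sqlite3


def make_db():
    """Constructed in-memory dataset for the example: two users, one invoice each."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner TEXT, amount INTEGER);
        INSERT INTO invoices VALUES (1, 'alice', 120), (2, 'bob', 999);
        """
    )
    return conn


def get_invoice_vulnerable(conn, session_user, invoice_id):
    """Vulnerable handler (deliberately so, for the example).

    - session_user is never consulted, so any logged-in user can read any
      invoice simply by changing the id in the request (weak access control).
    - invoice_id is concatenated straight into the SQL text, so a value such
      as "1 OR 1=1" rewrites the query (SQL injection).
    """
    sql = "SELECT id, owner, amount FROM invoices WHERE id = " + str(invoice_id)
    return conn.execute(sql).fetchall()


def get_invoice_hardened(conn, session_user, invoice_id):
    """Hardened handler.

    - The id is validated as an integer and bound as a query parameter, so the
      database never interprets attacker-controlled text as SQL.
    - Ownership is enforced inside the query (AND owner = ?), so a user who is
      not the record owner gets nothing rather than a different user's data.
    Returns the row tuple, or None when the record does not exist, does not
    belong to session_user, or the id is malformed.
    """
    try:
        invoice_id = int(invoice_id)
    except (TypeError, ValueError):
        return None
    return conn.execute(
        "SELECT id, owner, amount FROM invoices WHERE id = ? AND owner = ?",
        (invoice_id, session_user),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    # alice asks for bob's invoice: the vulnerable handler hands it over.
    print("vulnerable, alice -> id 2:", get_invoice_vulnerable(db, "alice", 2))
    # alice injects into the id: every row in the table comes back.
    print("vulnerable, injection:   ", get_invoice_vulnerable(db, "alice", "1 OR 1=1"))
    # Hardened handler: only alice's own record, and the injection yields nothing.
    print("hardened, alice -> id 1: ", get_invoice_hardened(db, "alice", 1))
    print("hardened, alice -> id 2: ", get_invoice_hardened(db, "alice", 2))
    print("hardened, injection:     ", get_invoice_hardened(db, "alice", "1 OR 1=1"))
```

During a test, the tell-tale symptom of the vulnerable form is that changing a single id in a request returns another user’s data; the fix is not to hide the id but to tie every data access to the authenticated session and to keep user input out of the query text.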
Once Alcorn Group has finished the testing phase of the engagement, findings are collected and our technical writing team develops a clear and concise report. The report is tailored to both technical and non-technical audiences, so that findings can be understood in a variety of contexts.
Testing your business’ web application is essential for gaining a deeper understanding of its security posture and empowering your organisation and its people to make decisions that improve it. Alcorn Group’s process of assessing vulnerabilities and presenting recommendations leaves businesses with greater control and foresight over their security. To ensure that a web application remains secure in an ever-evolving threat landscape, penetration testing should be treated as an ongoing process. This means that if you’ve not had a web application penetration test in over a year, it’s about time you had your applications looked at again.