What is WAP? (Web Application Pentesting)
A web application pentest (WAP) is an attempt to break into application systems (such as APIs or back-end servers) to identify vulnerabilities, in particular unsanitized inputs that are susceptible to code injection attacks.
Penetration testing is a simulated cyber attack on a computer system to test it for vulnerabilities. In the context of web application security, a pentest is typically used to harden a Web Application Firewall (WAF).
The information obtained from the penetration test can be used to fine-tune WAF security policies and fix discovered vulnerabilities.
Planning and exploration
This stage defines the scope, goals and methods of the test, and gathers information about the target (network and domain names, mail servers) to better understand how it works and where its potential vulnerabilities lie.
The next stage determines how the target application will respond to various intrusion attempts. This is usually done with:
- Static analysis (SAST): inspecting the application's code without executing it, to estimate how it will behave at runtime. These tools can scan the entire code base in a single pass.
- Dynamic analysis (DAST): testing the application while it is running. This is a more practical way to scan, because it shows how the application actually behaves in real time.
The next phase uses web application attacks, such as cross-site scripting (XSS), SQL injection and backdoors, to expose the target's vulnerabilities. The pentester then attempts to exploit the vulnerabilities found, typically through privilege escalation, data theft or traffic interception, to see how much damage they can cause to the target.
The purpose of the following step is to find out whether a vulnerability can be used to establish a persistent presence on the production system, long enough for an attacker to gain full access. The idea is to mimic advanced persistent threats (APTs), which often stay on a system for months in order to steal an organization's most sensitive data.
The results of the penetration test are then combined into a report detailing:
- Vulnerabilities that have been exploited;
- Confidential data accessed;
- How long the pentester was able to remain in the system undetected.
This information is analyzed by security personnel to help configure enterprise WAF settings and other application security solutions to fix vulnerabilities and protect against future attacks.
Penetration testing methods
External penetration tests target company assets that are available on the Internet, such as the web application itself, the company website, and mail and DNS servers. The goal is to access and extract valuable data.
During internal testing, a pentester with access to an application behind the firewall simulates an attack by a malicious insider. A common starting scenario is an employee whose credentials were stolen in a phishing attack.
In blind testing, the tester is only told the name of the target company. This allows security personnel to see in real time how an actual attack on the application would proceed.
Double blind testing
Double blind testing means that security experts have no prior knowledge of the simulated attack. Just like in the real world, they won't have time to harden their defenses before attempting a break-in.
In targeted testing, the tester and the security staff work together and keep each other informed of their actions. This is a valuable training exercise that gives the security team real-time feedback from a hacker's perspective.
Pentesting and WAF
Pentesting and WAF are independent but mutually beneficial security measures.
For many types of pentests (with the exception of blind and double-blind tests), the tester will most likely use WAF data, such as logs, to discover and exploit application vulnerabilities.
In turn, web application administrators review the results of the penetration test and update the WAF configuration based on them to address the vulnerabilities found.
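The reporting and WAF-tuning steps described above can be made concrete by correlating pentest findings with what the WAF actually blocked. The following is an added example, not code from the original article or from any WAF product; the log format, rule ids, endpoints and findings are all constructed for illustration.

```python
from collections import defaultdict

# Constructed WAF log lines (not from a real product). Assumed format:
# <timestamp> <action> <rule_id> <method> <path[?query]> <attack_class>
WAF_LOG = """\
2024-05-01T10:00:01Z BLOCK 942100 POST /login sqli
2024-05-01T10:00:05Z PASS - GET /search?q=test none
2024-05-01T10:01:10Z BLOCK 941100 GET /search?q=%3Cscript%3E xss
2024-05-01T10:02:00Z PASS - POST /api/orders none
2024-05-01T10:02:03Z PASS - POST /api/orders none
""".splitlines()

# Constructed pentest findings from the report:
# (method, path, attack class, was the vulnerability successfully exploited?)
FINDINGS = [
    ("POST", "/login", "sqli", False),
    ("GET", "/search", "xss", False),
    ("POST", "/api/orders", "sqli", True),
]

def parse_waf_log(lines):
    """Return {(method, path): set(attack classes the WAF blocked)}."""
    blocked = defaultdict(set)
    for line in lines:
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed lines rather than crash on them
        _ts, action, _rule, method, path, cls = fields
        path = path.split("?", 1)[0]  # strip the query string
        if action == "BLOCK":
            blocked[(method, path)].add(cls)
    return blocked

def waf_coverage_gaps(findings, blocked):
    """Findings the WAF never blocked: candidates for new or tightened rules."""
    gaps = []
    for method, path, cls, exploited in findings:
        if cls not in blocked.get((method, path), set()):
            gaps.append({"endpoint": f"{method} {path}",
                         "attack_class": cls, "exploited": exploited})
    # Exploited gaps first, since they proved real impact during the test.
    return sorted(gaps, key=lambda g: not g["exploited"])

if __name__ == "__main__":
    for gap in waf_coverage_gaps(FINDINGS, parse_waf_log(WAF_LOG)):
        print(gap)
```

Each reported gap is an endpoint and attack class the pentester reached without a WAF block, which is exactly the input an administrator needs when updating the WAF policy.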
In addition, penetration testing satisfies some of the requirements of security audit procedures such as PCI DSS and SOC 2. The requirements of PCI DSS 6.6, on the other hand, can only be met by using a certified WAF. That does not make testing any less useful, given its benefits and its ability to improve WAF configurations.