Penetration testing for web apps


During web application security testing, our tasks mainly focus on manual activities supported by the results from automated tools.


Our story

One of our important clients asked us to carry out penetration tests on a web application that was already in production and therefore reachable from the Internet. Moreover, the application had not been developed by the client but by an external supplier. Great emphasis was placed on completing the tests in the shortest possible time and on not jeopardizing the availability or integrity of the data, since the dependence on the external supplier raised the risk of delays if the application or its data ever had to be recovered.
During the penetration tests we discovered a number of very serious vulnerabilities. An authenticated ordinary user could bypass the authorization scheme and escalate their privileges within the application to administrator level; in other words, an ordinary user was able to take complete control of the application, administer it freely, modify it, or attack other users. Even this was not the most serious vulnerability in the application. The image upload functionality allowed the configured restrictions to be bypassed quite simply and virtually any file to be uploaded, for example a PHP file (the scripting language in which the application is implemented), which could then be used to run system commands on the application server. What is more, the uploaded file was freely accessible to unauthenticated users (i.e. it was completely public). In this way we were able to fully compromise the application server.
Another very critical vulnerability was found in an unauthenticated part of the application, again freely accessible from the Internet. The search field did not validate user input adequately, which made it possible to inject queries directly into the database, i.e. to gain unauthorized access to all data and also to compromise the database server completely.
The vulnerabilities described posed a huge threat to the company's reputation, including the possible financial impact of misuse of client data. In addition, because the application is publicly accessible, most of these attacks could have been carried out by virtually any visitor to the web application.
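The search-field flaw from the case study, as an added example that is not the client's code or this page's own material: a lookup that concatenates the user's search term into the SQL text, beside the parameterized version, run against an in-memory SQLite database. The table names, column names and sample rows are constructed here for illustration; the same pattern applies to whichever database and driver the tested application uses.

```python
import sqlite3

# Constructed sample data (not the client's application or schema).
PRODUCTS = [("Widget", 10), ("Gadget", 20), ("Gizmo", 30)]
USERS = [("admin", "hash-of-admin-password"),
         ("alice", "hash-of-alice-password")]


def setup_db():
    """In-memory database with a public products table and a private users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price INTEGER)")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", PRODUCTS)
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def search_vulnerable(conn, term):
    # The search term is pasted into the SQL text, so a quote in it ends the
    # string literal and whatever follows is executed as SQL.
    sql = "SELECT name, price FROM products WHERE name LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_fixed(conn, term):
    # The term travels as a bound parameter; the SQL text never changes, so
    # the same payloads are merely (unmatched) search strings.
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


# Payloads a tester would try in the search field. The trailing "--" comments
# out the remainder of the original query (the closing "%'").
DUMP_EVERYTHING = "x' OR 1=1 --"
READ_USERS_TABLE = "x' UNION ALL SELECT username, password_hash FROM users --"


if __name__ == "__main__":
    conn = setup_db()
    print("normal search:      ", search_fixed(conn, "Gad"))
    print("vulnerable, OR 1=1: ", search_vulnerable(conn, DUMP_EVERYTHING))
    print("vulnerable, UNION:  ", search_vulnerable(conn, READ_USERS_TABLE))
    print("fixed, OR 1=1:      ", search_fixed(conn, DUMP_EVERYTHING))
    print("fixed, UNION:       ", search_fixed(conn, READ_USERS_TABLE))
```

The second payload is the step from "dump the searched table" to "read any table", which is what the case study means by unauthorized access to all data. In PHP the equivalent fix is a prepared statement with bound parameters (PDO or mysqli), never string concatenation or escaping by hand. Note that parameter binding does not turn `%` and `_` in the user's term into literal characters; that is a functional issue with LIKE, not a security one, and is handled separately with an ESCAPE clause.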


The solution's description

When testing applications, our goal is to reveal vulnerabilities that may affect their confidentiality, integrity or availability. Within application security we deal not only with the common attacks that exploit typical vulnerabilities and the defences against them, but also with the latest trends in secure development, from design and architecture through to actual use and operation.

Penetration tests and vulnerability scans

The tests we conduct aim, among other things, to identify security weaknesses in the configuration, in data processing, or arising from incorrect implementation. They also cover the security of all functionality, authentication and authorization mechanisms, business logic, the handling of sensitive information and other areas.

Penetration testing mainly involves the following steps:

  • collecting available information,
  • checking secure communication settings (HTTPS and the TLS configuration),
  • verifying the security of critical data flows,
  • checking for leaks of sensitive information,
  • the possibility of misusing the app in an unauthorized manner and attempting to take control of a legitimate user's account,
  • validation of user input,
  • the security of the technologies on which the systems are built (operating systems, web, application and database servers) and their secure integration into the rest of the infrastructure,
  • the possibility of an attacker abusing the technology used by the application, and feasible attacks on the accounts/sessions of legitimate clients,
  • non-destructive exploitation of generally known or newly found vulnerabilities, and more.

Detailed description

When carrying out penetration tests, we rely primarily on the current OWASP Testing Guide methodology, using the techniques listed below.

Information Gathering 

  • a phase aimed at collecting as much information as possible,
  • using freely available tools (search engines, scanners, simple or specially crafted HTTP requests),
  • looking for information leaks, for example error messages or notices that reveal specific versions and the technologies used.

Configuration and Deployment Management Testing

  • analysis of the infrastructure topology and architecture,
  • a survey of technical information such as source code, the HTTP methods enabled, administrative functionality, authentication methods and infrastructure configuration.

Identity Management Testing 

  • verifying the mechanism for managing users and their roles, 
  • testing the parameters and identifying security flaws and vulnerabilities that lead directly to the compromise of user accounts.

Authentication Testing 

  • analysis of how the authentication process works and attempts to bypass it.

Authorization Testing 

  • finding ways to bypass authorization rules and user permission settings,
  • looking for ways to escalate the privileges allocated to a user.
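Authorization testing looks in two directions: horizontal (reaching another user's object while staying at the same privilege level) and vertical (gaining a higher role, as the ordinary user in the case study did). The following is an added example, not code from this page or from the tested application, showing both in a minimal in-memory form. The page does not say how the real escalation worked; the mechanism used here, a profile update that copies every field of the request body into the user's record including `role`, is an assumed but common instance of the flaw, and the user, order and field names are constructed for illustration.

```python
import copy
import json

# Constructed sample state (not the tested application's data).
SEED_USERS = {
    1: {"username": "alice", "email": "alice@example.com", "role": "user"},
    2: {"username": "bob", "email": "bob@example.com", "role": "admin"},
}
SEED_ORDERS = {
    100: {"owner_id": 1, "item": "Widget"},
    101: {"owner_id": 2, "item": "Gadget"},
}
# Fields an ordinary user may change about their own profile.
UPDATABLE_FIELDS = {"email"}


def fresh_state():
    """Independent copies so that each scenario starts from the seed data."""
    return copy.deepcopy(SEED_USERS), copy.deepcopy(SEED_ORDERS)


def update_profile_vulnerable(users, session_user_id, body):
    # Mass assignment: every field in the JSON body is written to the
    # authenticated user's record, so {"role": "admin"} promotes the caller.
    fields = json.loads(body)
    users[session_user_id].update(fields)
    return users[session_user_id]["role"]


def update_profile_fixed(users, session_user_id, body):
    # Allowlist: reject any field the user is not permitted to set.
    fields = json.loads(body)
    rejected = set(fields) - UPDATABLE_FIELDS
    if rejected:
        raise PermissionError("not updatable: " + ", ".join(sorted(rejected)))
    users[session_user_id].update(fields)
    return users[session_user_id]["role"]


def delete_user(users, session_user_id, target_id):
    # Admin-only action; the role check itself is correct, the problem is
    # how the caller obtained the role.
    if users[session_user_id]["role"] != "admin":
        raise PermissionError("admin only")
    del users[target_id]
    return True


def get_order_vulnerable(orders, session_user_id, order_id):
    # Authenticated, but the order's owner is never compared to the caller.
    return orders[order_id]


def get_order_fixed(orders, session_user_id, order_id):
    order = orders[order_id]
    if order["owner_id"] != session_user_id:
        raise PermissionError("not the owner of this order")
    return order


# Checks a tester would script: does the bypass work against this endpoint?

def vertical_escalation_works(update_fn):
    """True if ordinary user 1 can make themselves admin and then delete admin 2."""
    users, _ = fresh_state()
    try:
        update_fn(users, 1, json.dumps({"email": "alice@new.example", "role": "admin"}))
        return delete_user(users, 1, 2)
    except PermissionError:
        return False


def horizontal_bypass_works(get_fn):
    """True if user 1 can read order 101, which belongs to user 2."""
    _, orders = fresh_state()
    try:
        return get_fn(orders, 1, 101)["owner_id"] == 2
    except PermissionError:
        return False


if __name__ == "__main__":
    print("vulnerable profile update, escalation:", vertical_escalation_works(update_profile_vulnerable))
    print("fixed profile update, escalation:     ", vertical_escalation_works(update_profile_fixed))
    print("vulnerable order lookup, IDOR:        ", horizontal_bypass_works(get_order_vulnerable))
    print("fixed order lookup, IDOR:             ", horizontal_bypass_works(get_order_fixed))
```

In a real test the two check functions are replaced by HTTP requests made with a low-privilege account: resend the profile update with extra fields, and request objects whose identifiers belong to a second test account. The fix is the same in both directions, an explicit server-side decision for every request based on the session's identity and role, never on what the client sends.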

Session Management Testing 

  • analysis of whether an authenticated user's session can be stolen,
  • looking for the possibility of, and carrying out, man-in-the-middle and similar attacks.

Data Validation Testing 

  • one of the most important parts of penetration testing - it tests the application’s resistance to attacks such as SQL/Code Injection, Cross-Site Scripting, Local File Inclusion and others.

Error Handling Testing

  • tests for leakage of sensitive information from often very detailed error messages, 
  • generation of non-standard inputs, both in size and content.

Cryptography Testing 

  • checking whether the application accepts outdated, defunct or completely inappropriate (or no) cryptographic mechanisms for the given purpose.

Business Logic Testing 

  • probing all workflow functionality and looking for ways to misuse it to perform actions the application is not intended to allow.

Client Side Testing 

  • verifying how effective the application's mechanisms are at protecting users from specialised attacks that directly target the user and their browser,
  • testing various kinds of client scripting language injections and manipulating the parameters managed by the browser.

Why AEC?

  • We are an established Czech security company that has been successfully operating on the market for over 30 years. 
  • We have more than 20 years of experience in the field of web application and platform security. 
  • We have the largest team of ethical hackers in the Czech Republic, one that is made up of more than 15 of our own employees. 
  • We hold CEH, eMAPT, CISSP, OSCP, OSCE and many other certifications. 
  • Our team is composed of specialists with experience from hundreds of web projects. 
  • We run our own hacking lab where we share our knowledge with the community, that being both in the design, architecture and the actual use and management of web applications. 
  • We listen to our clients and adapt our tests to their needs and the time they have available. 
  • We follow modern trends in web security and technology. 
  • We emphasize a manual approach during testing, which leads to more defects being found, especially in application business logic.

References

  • ING Bank N.V.
  • MONETA Money Bank, a.s.
  • Komerční banka, a.s. 
  • ŠKODA AUTO a.s. 
  • Česká národní banka 
  • SAZKA, a.s. 
  • T-Mobile Czech Republic a.s. 
  • Raiffeisenbank a.s. 
  • Home Credit a.s. 
  • KBC Group N.V. 
  • AXA Česká republika s.r.o.
