Application Penetration Testing Methodology Overview
Vulnerabilities and compensating controls are categorized into the areas of configuration management, authentication and authorization, user and session management, data validation, error and exception handling, and data confidentiality. Using open source, proprietary, and commercial tools, Praetorian identifies both common and application specific vulnerabilities. While our penetration tests do leverage automated scans, the majority of testing is performed through manual techniques since many application vulnerabilities hinge on logical and semantic flaws which, unlike syntactic bugs, are difficult to identify using automated analysis.
Application testing begins with network and operating system security tests to verify that the underlying platforms are configured securely. After performing initial platform testing, the penetration test shifts its focus to the application layer, which requires significant attention and comprises the majority of the engagement. Praetorian will first assume the role of an anonymous attacker who does not have valid credentials to the application.
If credentials are provided and authenticated testing is in scope, consultants authenticate to the application as ordinary users to determine whether valid users can exploit vulnerabilities to reach the underlying infrastructure or information they are not authorized to access. For role-based systems, testing is conducted across all user roles, which ensures coverage of the entire application and allows in-depth testing of complex authorization controls. Because authorization must be checked in both directions, Praetorian typically requests two user accounts per role: with two accounts in the same role, consultants test whether one user can access another user's information within that role (horizontal privilege escalation), and with accounts in different roles, whether a user can access the information or functions of a higher role (vertical privilege escalation).
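As an added illustration of the two-accounts-per-role approach (example code written for this page, not Praetorian tooling), the script below replays every record request from every account, compares the result with the agreed access policy, and classifies each unexpected grant as horizontal or vertical escalation. The target application, the accounts, the record ownership table and the "owner or admin may read" policy are all constructed for the example; the target's authorization bug (comparing roles instead of identities) is likewise invented to give the probe something to find.

```python
"""Cross-account authorization probe using two accounts per role.

Everything here is constructed for illustration: the target function
stands in for the application under test, and its flaw is deliberate.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Account:
    name: str
    role: str  # "user" or "admin"


# Higher rank = more privilege; used to tell vertical from horizontal.
ROLE_RANK = {"user": 0, "admin": 1}

# Constructed accounts: two per role, as the methodology requests.
ACCOUNTS = {
    "alice": Account("alice", "user"),
    "bob": Account("bob", "user"),
    "carol": Account("carol", "admin"),
    "dave": Account("dave", "admin"),
}

# Constructed records: record id -> owning account name.
RECORDS = {101: "alice", 102: "bob", 201: "carol", 202: "dave"}


def target_get_record(requester: Account, record_id: int) -> bool:
    """Stand-in for the application under test (constructed, deliberately flawed).

    Intended rule: the owner or an admin may read a record. The actual
    check compares the requester's *role* with the owner's role instead of
    the requester's *identity* with the owner, so any "user" can read any
    other user's record. Returns True when access is granted.
    """
    owner = ACCOUNTS[RECORDS[record_id]]
    return requester.role == "admin" or requester.role == owner.role


def expected_access(requester: Account, owner: Account) -> bool:
    """The policy agreed with the client: owner or admin may read."""
    return requester.role == "admin" or requester.name == owner.name


def probe_authorization(accounts: dict, records: dict) -> list:
    """Request every record as every account; report deviations from policy.

    Each finding is (kind, requester, record_id, owner). A grant that policy
    forbids is classified by comparing the owner's rank to the requester's:
    higher rank means vertical escalation, equal rank means horizontal.
    """
    findings = []
    for acct, (rid, owner_name) in product(accounts.values(), records.items()):
        owner = accounts[owner_name]
        granted = target_get_record(acct, rid)
        allowed = expected_access(acct, owner)
        if granted == allowed:
            continue
        if not granted:
            kind = "functional: policy allows access that was denied"
        elif ROLE_RANK[owner.role] > ROLE_RANK[acct.role]:
            kind = "vertical escalation"
        else:
            kind = "horizontal escalation"
        findings.append((kind, acct.name, rid, owner_name))
    return findings


if __name__ == "__main__":
    for finding in probe_authorization(ACCOUNTS, RECORDS):
        print(finding)
```

Running the probe with one account per role (for example only alice and carol, with only their records) produces no findings at all, because the flaw only surfaces when one user targets a peer in the same role; that absence is exactly why the second account per role is requested.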
As vulnerabilities are discovered, Praetorian exploits them in an attempt to achieve the engagement's primary objectives, following a structured testing methodology that keeps the application assessment as efficient as possible.