How We Leverage OWASP to Perform Comprehensive Web Application Testing
As threats to web infrastructure continue to evolve, organizations need to assess their security proactively and close vulnerabilities before malicious actors find them. Here at ThunderSecurity, we rely on the OWASP Web Security Testing Guide (WSTG) v4.2 during penetration tests to conduct thorough discovery and validation.
Upon receiving written authorization and test parameters from clients, our security analysts begin with Information Gathering. Per WSTG guidance, we start externally: open-source intelligence on the public-facing attack surface such as DNS records, IP ranges, social media profiles and code repositories, followed by port and service scans of the in-scope hosts. This often uncovers exposed test/development environments or auxiliary systems integrated into the main application.
We then spider the targeted sites using both automated and manual techniques. By following every link and submitting every form, the crawl discovers areas users normally never see, such as administrative consoles, unprotected files or forgotten development stubs. Input from these discovery phases populates our knowledge base for the subsequent stages.
Client-side Testing examines behaviour and configuration that live in the browser: cookies and browser storage, cached content, plug-ins and parsing errors. Fuzzing JavaScript inputs triggers exceptions that reveal logic flaws. We verify defenses against DOM-based attacks, in which attacker-controlled data from a source such as location.hash or document.referrer flows into a dangerous sink such as innerHTML or eval without encoding, so the payload never reaches the server and server-side controls never see it.
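To make the source-to-sink pattern concrete, here is an added example (not ThunderSecurity's code) of a DOM-based XSS bug beside its hardened form, plus the marker check a tester uses to tell them apart. It is written as pure functions over a URL string so it runs in Node; in a browser the source would be window.location and the sink el.innerHTML, with identical logic. The host shop.example.test, the name parameter and the sample URL are constructed for the example.

```javascript
// Constructed sample URL: attacker-controlled data in the fragment.
const SAMPLE_URL = 'https://shop.example.test/welcome#name=<img src=x onerror=alert(1)>';

// Source: the URL fragment. Browsers percent-encode it; URLSearchParams decodes it again.
function nameFromFragment(url) {
  const fragment = new URL(url).hash.slice(1);
  return new URLSearchParams(fragment).get('name') ?? 'guest';
}

// Vulnerable: the decoded fragment reaches an HTML-parsing sink unchanged.
// In a page this would be: el.innerHTML = greetingHtmlUnsafe(location.href)
function greetingHtmlUnsafe(url) {
  return '<h1>Welcome ' + nameFromFragment(url) + '</h1>';
}

// HTML-encode the five characters that matter in element content and attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Hardened: encode before the sink (or assign via textContent so nothing is parsed).
function greetingHtmlSafe(url) {
  return '<h1>Welcome ' + escapeHtml(nameFromFragment(url)) + '</h1>';
}

// Tester's check: place a harmless marker tag in the source and see whether it
// arrives at the sink unencoded. True means the source-to-sink path is exploitable.
function fragmentReachesSinkUnencoded(render, baseUrl) {
  const marker = '<zzprobe></zzprobe>';
  const out = render(baseUrl + '#name=' + encodeURIComponent(marker));
  return out.includes(marker);
}

console.log(greetingHtmlUnsafe(SAMPLE_URL));
console.log(greetingHtmlSafe(SAMPLE_URL));
console.log(fragmentReachesSinkUnencoded(greetingHtmlUnsafe, 'https://shop.example.test/welcome'));
```

The marker approach is the same idea as the canary strings used by DOM-tracing browser extensions: the payload is inert, so the check is safe to run against production pages.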
During Server-side Testing, our analysts craft custom payloads to probe every endpoint and parameter for injection attacks that bypass security controls. We verify defenses against SQLi, OS command injection, XXE, SSRF and other techniques that abuse back-end application interfaces. Fuzzing identifies edge-case crashes and information leaked in error responses, such as database error strings, stack traces and internal hostnames.
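The probing described above comes down to three parts: a payload set per injection family, a way to send each payload into each parameter, and a classifier that recognises the tell-tale strings a back end leaks when a payload lands. The following added example (not ThunderSecurity's tooling) shows that loop in Node. The transport is injected as a function so it runs offline; fakeSend, the /search and /ping endpoints and the responses they return are constructed stand-ins for a real target.

```javascript
// Payloads by injection family. Real engagements use far larger lists; these
// are representative probes, not an exhaustive set.
const PAYLOADS = {
  sqli:  ["'", '"', "' OR '1'='1", '1 AND 1=2'],
  oscmd: ['; id', '| id', '$(id)'],
  xxe:   ['<?xml version="1.0"?><!DOCTYPE x [<!ENTITY e SYSTEM "file:///etc/hostname">]><x>&e;</x>'],
  ssrf:  ['http://127.0.0.1/', 'http://169.254.169.254/latest/meta-data/'],
};

// Response signatures that indicate a payload reached something interesting.
const SIGNATURES = [
  { kind: 'sql-error',      re: /(syntax error|unterminated quoted string|You have an error in your SQL syntax|ORA-\d{5}|SQLSTATE)/i },
  { kind: 'stack-trace',    re: /(at [\w.$]+\([\w.]+:\d+\)|Traceback \(most recent call last\))/ },
  { kind: 'command-output', re: /uid=\d+\([\w-]+\) gid=\d+/ },
  { kind: 'metadata-leak',  re: /ami-id|instance-id|iam\/security-credentials/ },
];

function classify(body) {
  return SIGNATURES.filter(s => s.re.test(body)).map(s => s.kind);
}

// send(endpoint, params) -> { status, body }. Every parameter gets every payload
// while the other parameters keep their baseline values.
function probe(send, endpoint, params) {
  const findings = [];
  for (const name of Object.keys(params)) {
    for (const [family, list] of Object.entries(PAYLOADS)) {
      for (const payload of list) {
        const res = send(endpoint, { ...params, [name]: payload });
        const kinds = classify(res.body);
        // A 5xx with no signature is still worth recording: it is a crash candidate.
        if (kinds.length || res.status >= 500) {
          findings.push({ param: name, family, payload, status: res.status, kinds });
        }
      }
    }
  }
  return findings;
}

// Constructed fake target: /search concatenates q into SQL, /ping shells out with host.
function fakeSend(endpoint, params) {
  if (endpoint === '/search' && (params.q || '').includes("'")) {
    return { status: 500, body: 'ERROR: unterminated quoted string at or near "\'"' };
  }
  if (endpoint === '/ping' && /;\s*id|\|\s*id|\$\(id\)/.test(params.host || '')) {
    return { status: 200, body: 'PING ok\nuid=33(www-data) gid=33(www-data)' };
  }
  return { status: 200, body: '<html>ok</html>' };
}

console.log(probe(fakeSend, '/search', { q: 'shoes' }));
console.log(probe(fakeSend, '/ping', { host: 'example.test' }));
```

Signature matching only catches error-based and output-based cases; blind variants need timing or out-of-band checks on top, which is why the manual validation step still follows the automated sweep.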
Authentication testing focuses on credentials, sessions, token validation and logout handling to find ways of circumventing identity verification. We assess configuration weaknesses, missing identity federation, susceptibility to password guessing, replay attacks and so on. Scripted browser sessions exercise password reset flows to flag weak implementations vulnerable to account takeover.
Authorization Testing verifies that access controls and privileges are applied accurately across all functions according to the stated design. Analysts probe for path traversal, access to unauthorized APIs and data, role confusion and privilege escalation through authorization bypass.
Configuration and Deployment Management Testing compares application and platform settings against industry best practices to identify misconfigurations such as permissive CORS policies, missing or weak HTTP security headers, TLS vulnerabilities, cryptography flaws or improper error handling that exposes sensitive details.
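Two of the checks above, the security-header review and the CORS policy review, are mechanical enough to script. The following added example (not ThunderSecurity's tooling) audits a response's headers and probes how the target answers a set of Origin values, then flags any reflected origin that is not on the client's trusted list. fakeSend, the /api/me endpoint and the example.test origins are constructed; the suffix-match bug it models (trusting any origin that merely ends with the company domain) is a common real finding.

```javascript
function lowerKeys(headers) {
  return Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
}

// Each check returns a finding string or null.
const HEADER_CHECKS = [
  h => {
    const m = /max-age=(\d+)/i.exec(h['strict-transport-security'] || '');
    return m && Number(m[1]) >= 31536000 ? null : 'HSTS missing or max-age below one year';
  },
  h => h['content-security-policy'] ? null : 'Content-Security-Policy missing',
  h => (h['x-content-type-options'] || '').toLowerCase() === 'nosniff' ? null : 'X-Content-Type-Options: nosniff missing',
  h => (h['x-frame-options'] || /frame-ancestors/i.test(h['content-security-policy'] || ''))
         ? null : 'no clickjacking protection (X-Frame-Options or CSP frame-ancestors)',
  h => /\d/.test(h['server'] || '') ? 'Server header discloses a version: ' + h['server'] : null,
];

function auditHeaders(headers) {
  const h = lowerKeys(headers);
  return HEADER_CHECKS.map(check => check(h)).filter(Boolean);
}

// send(target, origin) -> response headers. Classify how the target treats each Origin.
function corsProbe(send, target, origins) {
  return origins.map(origin => {
    const h = lowerKeys(send(target, origin));
    const acao = h['access-control-allow-origin'];
    const creds = (h['access-control-allow-credentials'] || '').toLowerCase() === 'true';
    let verdict = 'not-allowed';
    if (acao === '*') verdict = creds ? 'wildcard-with-credentials' : 'public-wildcard'; // browsers reject the former
    else if (acao === origin) verdict = creds ? 'credentialed-reflection' : 'reflection';
    return { origin, verdict };
  });
}

// Reflected origins outside the trusted list are findings; credentialed ones are the serious kind.
function corsIssues(results, trusted) {
  return results.filter(r => r.verdict.endsWith('reflection') && !trusted.includes(r.origin)).map(r => r.origin);
}

// Constructed target: short HSTS, no CSP, version banner, and a suffix-match origin check.
function fakeSend(target, origin) {
  const headers = { Server: 'nginx/1.18.0', 'Strict-Transport-Security': 'max-age=300', 'X-Content-Type-Options': 'nosniff' };
  if (origin && origin.endsWith('example.test')) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

const PROBE_ORIGINS = ['https://app.example.test', 'https://evil.test', 'https://evil-example.test', 'null'];
console.log(auditHeaders(fakeSend('/api/me', null)));
console.log(corsIssues(corsProbe(fakeSend, '/api/me', PROBE_ORIGINS), ['https://app.example.test']));
```

The probe list deliberately includes the literal string null, which browsers send for sandboxed iframes and some redirects; a server that reflects it with credentials is as exposed as one that reflects an attacker's domain.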
Finally, in our reporting phase, we detail prioritized remediation guidance for each validated issue, along with proof-of-concept requests and code snippets demonstrating the exploit, screenshots and customized risk assessments linking each vulnerability to the specific attacks that affect the client's priorities. By sticking closely to a recognized and holistic framework like the WSTG, our team ensures web assessments are conducted comprehensively and results are presented so that they can be acted on.
Here is how we approach Planning and Preparation at ThunderSecurity before conducting web application penetration tests:
Initial Scoping Meeting
Our first step involves holding a scoping call with clients to understand their objectives, risk tolerance, and technical environment. This ensures the assessment aligns perfectly with organizational needs and priorities.
Identification of Systems & Technologies
We work with clients to inventory all public-facing web properties, technologies used, integrations with other systems, user roles and functionality. This mapping provides essential context.
Testing Methodology Design
Leveraging our expertise across various industry-recognized frameworks like OWASP, we customize the appropriate testing methodology, tools, techniques and threat model based on the defined scope.
Rules of Engagement Agreement
All test parameters and limitations are formally documented in a rules of engagement which both parties sign off on. This establishes informed consent and ensures legal compliance.
Internal Team Planning
Internally, our project managers coordinate staffing and schedule the cloud and network access our security engineers will need, working with the client's development team to provision it before testing starts.
Tool Configuration
Our tooling specialists tune the scanners, proxies and custom scripts to the application profile gathered during scoping, to extend coverage, streamline the testing workflow and capture results consistently for the report.
By taking the time upfront to thoroughly scope, plan and prepare customized testing logistics, ThunderSecurity is able to efficiently conduct the most impactful assessments without disruption to clients and with clear expectations set for all involved. This strategic approach is vital for maximizing value.