What is the point of authenticated web application penetration testing 1 (1)

What is the point of authenticated web application penetration testing?

November 22nd, 2021 Posted in Evalian News, Information Security

Web application penetration tests are a common way for organisations to gain assurance and information about the security of their web applications. As background, a web application is a website with dynamic functionality accessed through a web browser. These apps can range from straightforward to highly complex. Many work with a wide range of data and functions. Common examples include HR platforms, user portals, webmail and social networking sites. 

In a web application penetration test, a tester will simulate the actions of a real-world threat actor. Utilising known exploit techniques and the same tools and techniques that a hacker might use, the tester will identify and validate vulnerabilities that could be exploited to access the web app, compromise its functionality and steal the data processed on the app. At the end of the test, you will receive a report detailing how a threat actor could leverage the vulnerabilities found in your application to compromise it. You can then use these findings to prioritise remediation of the discovered vulnerabilities, which will improve your web application’s security posture and cyber resilience.  

Why is web application penetration testing important?

Web application penetration tests are an invaluable part of the secure software development lifecycle. In many cases, a web application will interact with databases and services inside a company’s network. In this sense, a web application is almost like an open window into your business, as anyone with an internet connection could potentially access it if it is not adequately secured.  

OWASP, the go-to methodology for web application penetration testing, recently updated its top 10 list of the most critical security risks to web applications. As you can see from the list, be it a design flaw in the app or an implementation bug, there are several ways in which a threat actor could gain a foothold within your application access your data, such as an SQL injection or cross-site scripting attack. In fact, web applications are one of the most common threat vectors that malicious actors target. As the latest Verizon Data Breach Investigation Report found, web application attacks accounted for 43% of all breaches in 2020 – double that of 2019.  

What is the difference between an authenticated and unauthenticated web application pen test?

An authenticated test assumes the tester has a valid login to the application and is focused on what the attacker can do when they have a foot on the inside. The attacker could be an authorised user with malicious intent or an attacker using stolen credentials issued to a valid user.  

During an authenticated web application test, the tester will use a mixture of manual and automated techniques to explore which parts of the application they can access – with a focus on gaining access to those areas that should be restricted to them. This tactic is known as privilege escalation, where the tester attempts to achieve a higher level of access and control over the web application than their account should allow.   

Other common vulnerabilities that the penetration tester will look to exploit include weak user registration processes, the ability to bypass authentication schemas, session-based issues such as session theft and session fixation.  

By contrast, in an unauthenticated web app test, the tester mimics the actions of a threat actor who is looking at the web application from an outside perspective without login details. Common vulnerabilities the tester searches for here include the ability to authenticate without credentials or being able to access functionality that should only be visible when logged in, along with common types of injection vulnerabilities.  

Generally speaking, authenticated users will have deeper access to an application’s functionality. This means that authenticated tests deal with a larger attack surface. For this reason, authenticated tests tend to be more expensive, take longer and are more in-depth.  

Should I opt for authenticated or unauthenticated testing?

While unauthenticated web app pen testing helps find common vulnerabilities and vulnerabilities in the host, authenticated testing tends to be a higher-value activity. This is because many vulnerabilities within web applications are only discoverable with an account. Therefore, if an organisation chooses only to test from an unauthenticated perspective, they may miss out on crucial weaknesses that leave them vulnerable to an attack.   

Furthermore, the growing prevalence of insider threats – whereby either a malicious actor gains access to employee/customer credentials, or a disgruntled employee chooses to leak confidential data purposefully – reinforces the benefits of authenticated web application testing.  

Saying this, in cases where the application has only a small number of users, has a highly rigorous, vetted account registration process or where there is a high level of trust in the user base, authenticated web application penetration testing may not be necessary. 

Moreover, unauthenticated and authenticated web application penetration tests are not mutually exclusive. Many companies opt to carry out both activities on differing schedules for an in-depth analysis of the application’s ongoing security.  

For a detailed overview of penetration test types, read our guide to penetration testing 

How often should I conduct testing?

We recommend conducting web app pen tests before the application is launched, after any major update and at least annually.  

Do I still need a web application penetration test if I use SaaS applications?

A SaaS application is ultimately a web application. You may be providing your web application to customers as a SaaS tool, or you may be using a SaaS application supplied by another vendor. The security of cloud services is a shared security model: the vendor takes responsibility for application and infrastructure security. The customer is responsible for securely configuring the application to meet their own standards, managing identity and access control, and handling authorisation.  

Given this, the SaaS vendor is responsible for web application penetration testing to ensure their SaaS application and the hosting infrastructure is secure. As a customer, there are still assessments that a testing provider can run for you to ensure you have securely configured the SaaS application and to see if they can access your SaaS apps or restricted parts of it. These typically take the form of a secure configuration review during which the tester identifies opportunities to ‘harden’ the application in line with the vendor’s guidance or industry benchmarks (such as the CIS benchmarks).  

Whilst these cloud / SaaS security configuration reviews are not web application penetration tests in the classical sense, they are still critical security assurance exercises that can identify weaknesses and improve the security posture of your SaaS tools. Some SaaS apps are simple enough to secure, whereas others are more complex and subject to change. Examples of more complex SaaS tools include the Microsoft 365 suite, on which it can be easy to miss something. A secure configuration review makes strong sense in these cases.  

Need Help?

If your organisation needs help running a penetration test on an application or infrastructure, we’re here to help. We can assess your environment and run a full penetration test. We can also advise you on any follow-up actions or remediations from our findings. Contact us for a friendly chat. 

http://www.freepik.com”>Designed by upklyak / Freepik – edited by Evalian
AH Headshot 250x250

Written by Alex Harper

Alex is a senior security consultant, specialising in security testing of IT infrastructure, web applications and mobile applications. He started his career as a software developer before moving into ethical hacking and security consulting. His qualifications include Cyber Scheme Team Leader (CSTL), Offensive Security Certified Professional (OSCP) and Qualified Security Team Member (QTSM).