Web sites are windows that open your organization to the outside world. Because of their nature, they have to be always “open”. You can restrict the access of a service with a password or an IP address, or you can completely close the service access from outside your organisation. But in general, you don’t do these retrictions to a web application while you already want the application to be accessed by everyone.
While the application is able to be accessed by everyone, potential threat for you is the whole world. As a result, web application security is one of the most important subjects of cyber security.
With this article, we start to a series of blog posts about the checklists for web application pentests. Please remember that these are the basic controls, but not all. Technology and the attacking methodologies change day by day, so do checklists.
We strongly recommend you to create a checklist from our posts before the penetration test (pentest) starts. Note findings next to related bullet and put the screenshots of your findings. It will be very helpful when you prepare the pentest report.
The checklists subjected in this series are as follows:
- Learning application
- Information gathering & configuration management
- Session management
- Data validation
- Denial of service
Let’s start with learning the application:
- Find the IP address of the application.
- Detect the application server where application runs.
- Collect the roles and users of the application as much as possible (If it’s not a black box pentest, ask to the owner of the application).
- Detect the hosting operation system(s).
- Detect the programming language.
- Find out the detailed site map (crawling – spidering).
- Detect the input fields.
- Detect the infrastructures used in application (If it’s not a black box pentest, ask to the owner of the application).
- Find out if the web services exist.
The next “checklists for web applications” post will be about the information gathering and configuration management. Continue to follow us.