A web application test involves an automated scan, which highlights common configuration vulnerabilities. However, automated testing does not give a complete overview of issues affecting web
applications, so the tester will also visit the site manually and perform various functions. Testers will generally use the Firefox browser in conjunction with the OWASP ZAP tool, which analyses HTTP requests sent between the browser and the application, reporting on any interesting finds.
Testers will test the app according to the OWASP Top Ten vulnerabilities, which includes SQL Injection, Cross-site Scripting, and Unrestricted Access to certain files or directories. If certain known
vulnerabilities in a commercial application are discovered, the tester will try to exploit the vulnerability, unless the vulnerability is known to cause Denial of Service issues. Once OWASP Top 10 are covered, testers will check for lesser known vulnerabilities which may still affect the application.
Generally, the tester will perform testing with different levels of credentials, preferably with access to two accounts at each level (e.g. unauthenticated, member access, admin access). As an unauthenticated user, the tester will try to authenticate without credentials, or gain access to functionality that should only be available to authenticated users. With an authenticated account, the tester will attempt to access or modify the details of other users.
1. Scope – Scope Of Work states what we will be doing, who exactly will be doing it, when, any exclusions, restrictions, etc.
2. Port Scan – We will scan the application IP address for possible TCP and UDP Ports. The scanning will be performed from our specialist secure data center.
3. Vulnerability Scanning – We will scan the application and active ports identified in the previous step with a number of automated tools, such as Nessus.
4. Unauthenticated Testing – We will perform unauthenticated testing of the web application, trying to find hidden directories or files.
5. Authenticated Testing – We will map out the functionality of the application, and attempt to gain access or modify data on other accounts.
6. Unauthenticated Re-testing – With the knowledge of the authenticated functionality, We will attempt to use the same functionality from an unauthenticated user again.
7. Documentation – We will then document all results and issues identified, providing a detailed executive summary, results table, statistics page, and detailed technical explanation for each page.
8. Quality Assurance – The report will be passed through our internal QA process multiple times, where a second senior tester will review the report and identify issues. The report will then be passed to the testing manager for a final review.
9. Report Release – The report will then be provided to the client using the chosen method, by default this will be on an encrypted CD sent via registered post.
10. Optional Retest – As an optional extra, We can conduct further testing to verify any fixes applied.
11. Post Testing Debriefing – We will then conduct a debriefing for the client.