A Review on Web Application Vulnerability Assessment and Penetration Testing

2.1 Vulnerability management lifecycle

The vulnerability management lifecycle consists of 6 main steps [1]: 1) discovery, 2) prioritization of assets, 3) assessment, 4) reporting, 5) remediation and 6) verification. The discovery step involves keeping a track of all the vulnerabilities existing in the application or the network on a regular basis. The second step is the prioritization of assets basically involves the categorization and assignment of values to the assets according to their priority. The third step is to create a risk profile based on importance or priority of the reported vulnerabilities. The fourth step is to measure and report the level of business threat with respect to the existing vulnerabilities in the organizational network. The next step is to perform the remediation to fix the vulnerabilities and protect the system from exploitation by the attackers. The final step is the verification to check whether the existing system vulnerabilities have been patched or not.

2.2 Penetration testing

Penetration testing is a type of testing method used by ethical hackers to perform the testing of full integrated and operational system infrastructure or network. Penetration testing is defined as a procedure to find vulnerabilities present in the target system or network infrastructure in order to take certain steps to secure the network from attackers. It helps in checking whether an attacker would be able to penetrate into an organization’s network or not. This testing technique is done by an ethical hacker simulated as an unauthorized user who attacks the system or executes the penetration into the system [41, 42].

2.3 VAPT considerations

While performing the VAPT, the CIA (Confidentiality, Integrity and Availability) principles must be considered. Confidentiality refers to the principle of ensuring that only the authorized people are able to access the restricted information. No other unauthorized person should be able to access or read or edit the data in the application. The application should have proper authentication and authorization mechanism to allow only the authorized personnel’s to access the data, each authorized role should be allowed with only a specific set of functionalities in the application according to their level of authorization that is, a normal user should not be able to perform the functionalities of what an admin can do. The unauthorized users should not be able to access any data present in the application. The confidentiality factor fails if the attacker is able to perform horizontal or vertical privilege escalation. Horizontal privilege escalation is a type of attack in which the users of the same level of authorization are able to access the data of another user. Vertical privilege escalation is a type of attack in which the normal users are able to access data of users of different levels of authorization, that is, any user of lower level is able to access the privilege rights or functionalities of an admin in the application [43, 44].

Integrity means ensuring the sanctity of the data when in transit. No one should be able to perform the modification of the data while it is in transit from the client to the server side of the application. To ensure the integrity of the data, data in transit should use HTTPS or the data should be in encrypted form when in transit so that no intruder in the communication can easily read the data. By encrypting the data, sender can prevent man-in-the-middle attacks like spoofing, hijacking and eavesdropping in the communication channel of a network. The last principle is to always ensure the availability of the system or the application. It should be available to its users in the network anytime they access it. Availability can be affected if there is lack of request limiters in the application. Due to lack of request limiters, an attacker can cause a DOS (denial of service) attack and halt the system or application from sending the response back to any of the requests received due to the application server receiving the request more than it can handle it [45].

To conduct a VAPT, the three areas to check the vulnerabilities are the physical structure, logical structure and the architecture of the target network. Network testing is performed by the tester to find the vulnerabilities existing in the physical design of target system.

2.4 Vulnerability assessment vs. Pentesting

The differences between Vulnerability assessment and Pentesting are as follows [35, 36]:

1. Vulnerability assessment is the process of identification and the measurement of the severity level of vulnerabilities in a system. Penetration Testing is generally a goal-oriented exercise.
2. Vulnerability Assessment holds the lists of various security vulnerabilities, often prioritized by their severity level along with the organizational criticality. Penetration Testing is primarily focused on the simulation of a real-time cyber-attack, capability testing the defense mechanisms and figuring out the ways in which a real attacker can conduct an attack on the network or application or the system instead of the identification of the vulnerabilities.
3. VA typically covers the vulnerabilities horizontally, meaning that it provides a breadth wise approach for the security position of the application whereas penetration testing has a vertical approach, it covers the security vulnerabilities in depth. In other words, vulnerability assessment shows how big a vulnerability is and penetration Testing shows how critical it is.
4. VA can be conducted with the help of automated tools however penetration testing is generally done manually

2.5 Vulnerability assessment methodologies

There are two VA assessment methodologies: 1) automated, and 2) manual. By using automated approach, testers can identify the vulnerabilities present in the application with the help of automated tools and eliminate the false positives. Automated tools are software that interacts with the target sans human intervention. The primary benefit of automated scanners is that they reduce the labor-intensive work required to accomplish the task. Automated scanners like Acunetix will give us an overview of the possible existence of vulnerabilities in the environment. These vulnerabilities are aligned with the following industry-wide accepted standards such as OWASP, SANS, ASVS, WASC.

By using manual approach, the tester will detect every exploitable vulnerability present in the web application. The tester looks out for logical flaws which might compromise the authentication/authorization process, injection attacks, data security, input validations, session management issues, etc. The tester identifies every open port and the service running on the API servers. After that, the tester tests them for security vulnerabilities depending on their level of exploitability and availability in the environment they exist in. Final step involves the verification and validation of these vulnerabilities based on the standard benchmark. The following checks to be performed during manual testing security controls according to industry security standards like OWASP, SANS, MASVS, WASC, etc. are used for testing purposes. They are

• Every API in the application is checked against as many controls as possible by manually fuzzing with various payloads.
• During a security assessment, every open port/service configured on the in-scope asset server is rigorously tested against the respective security control.
• The tester recommended considering the references specifically from online documents/security blogs, and MITRE Common Vulnerabilities and Exposures (CVE) entries [46, 47].

2.6 Web application testing strategies

There are two web application testing strategies: 1) black box testing, and 2) grey box testing. Black box testing is a formal technique of application testing in which the examination of the application functionality without any knowledge of its internal or backend working mechanism is performed. It does not have any requirement of the past knowledge of web application or intervention of the vendor of application. Black Box penetration testing will be performed on the application along with its APIs that are interacting with the application using those APIs.

Grey box testing is a type of software/application testing that is performed by a tester having partial prior knowledge about the internal/backend mechanism of an application which is given by the owners or developers in form of walk-through of applications, application data flow, API documentation, tech stack etc. and can most often include the design and architecture documentation and internal access to the assets. The tester also gets test user credentials to assess the application/software post login functionalities. The main intention behind a Grey box assessment is to provide a more efficient & focused security assessment. This activity helps to simulate an attacker which might act as a threat to the application’s sensitive data, assets and eventually to the organization’s reputation.

There are two types of VAPT models [31]: 1) flaw hypothesis model and 2) attack tree model. In the first type, there is a system analysis and penetration prediction technique which consists of compilation of a list of flaws consisting of a hypothesis and performs analysis of the code specification and system documentation. In an attack tree model, the different attack methods or exploits which are possible against a target web application are represented in the form of a tree structure.

2.7 Skill set required for VAPT

Following are some common skills required for Web application assessment:

• Basic understanding of Computer Networking (TCP/IP model, OSI layers, protocols, top ports etc.)
• Basic understanding of Linux commands with hands-on practical knowledge.
• Basic understanding of programming languages like HTML, JavaScript, PHP, MySql etc.
• Good understanding of OWASP Top 10 Web Application Vulnerabilities, CVSS, CVE.
• Basic understanding of Pentesting supporting operating systems [48-51] such as kali-Linux tools, open-source and commercial tools for web application assessment.

2.8 VAPT summary

VAPT should be performed on a regular basis especially in the technology-based firms and organizations as they are more prone to the cyber based attacks. The advantages that can be achieved by performing regular Web application VAPT are

• Understanding the web application infrastructure, functionalities and classifying the assets, resources and the functionalities of the web application in accordance with their significance.
• Timely detection of the vulnerabilities in the web applications of the organizations before any attacker performs an exploitation of the application.
• Assigning value to the resources according to their significance and identify the most common web security vulnerabilities and their potential threats to each web resource using automated and manual testing techniques.
• Mitigating and performing the elimination of the critical vulnerabilities at high priority compared to the others. These vulnerabilities exist in the most important assets, resources and functionalities of the web resources.

As shown in the Figure 1, the VAPT process of the web applications will be carried in two modes: 1) Passive mode, and 2) Active mode. During passive testing, the security analyst attempts to understand the logic of the web application and executes the exploration of the test application like a normal user. Various tools that can be used for the purpose of information gathering for example, an HTTP client-side proxy tool like Burp Suite Pro can be used for the purpose of observing all the incoming and outgoing HTTP requests as well as HTTP responses on the application. After this phase the analyst should know all the access points of the web application (e.g., HTTP headers, parameters, cache and cookies). The passive mode of testing will be held in the sequence of steps 1) information gathering, 2) Fingerprinting web server, 3) Web content scanning, 4) web page content review, and 5) SSL verification. Section 4.1 describes these steps, on the other hand, in the active mode of testing, the security analyst performs active tests on the web application which are categorized as follows: 1) server level testing, 2) client level tests, 3) authorization and identity management testing, 4) authentication testing, 5) input validation testing, 6) web content testing, and 7) business logic testing. Section 4.2 presents the methods of active mode in detail.

1.png

Figure 1. Modes of VAPT process

4.1 Passive mode testing

Passing mode testing consists of the following steps:

1. Information gathering: During this step application enumeration is performed. This is the most basic steps in which enumeration is performed such as network configuration, server configurations, open ports, network topology, network devices used, and others.
2. Webserver fingerprinting: It is the process of identification of the web server information like type, version, and name of the target system, application or network. It is necessary to discover the accurate web server type of the target application. It can help security analysts for the determination of whether the web applications are prone to any type of cyber-attacks. Web servers running obsolete software versions without any timely regular patching would be vulnerable to various publicly-known exploits related to the older versions. Different methods used for the process of web server fingerprinting consists of banner grabbing, HTTP responses received in response to the requests that are malformed, and with the help of automated testing tools to execute the extensive and diverse scans that make use of different types of techniques.
3. Web content scanning: Application servers can be properly configured to perform the enumeration of the file and directory content automatically, especially the ones that do not consist of any index page. This can help an attacker to perform quick identification of the resources of a test application. The next step is to perform the analysis and attack the application resources. Moreover, it enhances the visibility of the sensitive data/files within the directory that should not be accessible to users, such as temp files as well as stack traces. Web Content Scanning can be performed using many open source tools like Dirb, Nikto, Dirbuster, Gobuster, WPScan (for Wordpress applications), Joomscan (for Joomla based applications) and others.
4. Web page content review: It is a very popular and common practice for programmers and developers to include detailed comments or metadata into their source program code. This practice can be a risk when the source code is exposed publicly, and these comments and program metadata inserted in the application’s program code may expose the sensitive information existing internally. This sensitive information must not be exposed or accessible to the potential attackers. In order to check any leaked data or information, review of comments and metadata should be performed.
5. SSL review: If the web application is making use of HTTPS (HTTP over TLS/SSL) for inter node communication, then the tester should verify the SSL certificate, TLS/SSL version, TLS/SSL encryption enabled services, supported ciphers (weak, medium or strong) and some cryptographic flaws. This information related to SSL.TLS details can be gathered by using testssl tool or sslscan in Kali Linux [44].

4.2 Active mode testing

Figure 2 depicts the elaborated checks for each test under the active mode of VAPT. Each test of the active mode VAPT is explained in the subsections of this section [45-61].

2.png

Figure 2. Categories of active mode VAPT process

4.2.1 Server level testing

It is important to perform the proper security configuration of the single nodes and elements that contribute to make up web application architecture in order to prevent any risks or mistakes that might compromise the security of the whole application architecture. The web server or application server configuration plays an essential role in the protection of the site contents, and it must be reviewed carefully in order to detect the common configuration mistakes. Checks to be conducted for server level testing are as follows

1. Network infrastructure and configuration: After the process of information fingerprinting of the web application, the tester must look out for known vulnerabilities or use of any components having publicly known vulnerabilities and the exploits for the different versions of software/platform/server being in use by the web application. After the identification of the presence of any mail servers on the web application, the tester should check the SPF and DMARC policies misconfiguration if it exists with the help of dig command or spoof check tool.
2. HTTP Headers: By intercepting the application requests in a client-side proxy tool like Burp Suite Pro, the tester will analyse the HTTP request and response headers and modify the request headers in order to see whether there is any change in the behaviour of the HTTP response headers as well as the body.
3. HTTP Strict transport security: The HTTP header is a security procedure that websites should have. If this is implemented in web sites, they must perform all communication means through a secure channel, that is, to the web browsers and then all the network traffic is exchanged with a given domain. The secure communication channel means that all the data will be transferred over the HTTPS connection; this will enable the protection of the unencrypted requests from any intruders. It is necessary for the tester to perform the verification regarding the web site whether it is using the HTTP strict security header or not, so that all the data that is travelling from browser to the server is in encrypted form.
4. Slow HTTP attacks: Slow HTTP attacks are a type of web application attack resulting in a DOS attack in which tester will send multiple requests to the application server within the specific time limit. If there is an incomplete HTTP request, or if there is low transfer rate then the server will keep its resources occupied waiting for the response from the past requests instead of responding back to the requests. When the concurrent connection limit of the web server reaches its maximum threshold, this results in a denial-of-service situation from application server. The tester can verify for Slow HTTP DoS with the help of an Application Layer DoS attack simulation tool called slowhttpattack or slowloris.
5. RIA cross domain policy: Rich Internet Applications (RIA) had performed the adoption of Adobe's policy files like crossdomain.xml to grant the controlled cross-domain access to the data and repair consumption with the help of technologies like Silverlight, Flashlight, Oracle Java, and Adobe Flash. Hence, a site can give access to its services from a different domain remotely. In most cases, Adobe’s policy files are configured poorly for the access restrictions. For testing the RIA policy file vulnerability, the analyst should be able to perform the retrieval of the policy files. The various types of permitted permissions would be verified under the smallest level of privileges after retrieving all the RIA policy files. Necessary requests should only be received from the permissible domains and ports and requests from the overly permissive or restricted policies should be ignored.
6. Subdomain takeover: It is a type of web application vulnerability that appears when a corporation has configured a DNS CNAME entry for one in all its subdomains referring to an external service (e.g. Amazon cloud, Heroku, Github, Bitbucket, Desk, Squarespace and Shopify) but the service isn't any longer utilized by that organization. An attacker can purchase and register to the external service provider and consequently claim for the affected subdomain. For testing the Subdomain Takeover vulnerability, the primary step is to perform enumeration of DNS servers of the target and other resources. The tester checks if the subdomain is running/active or not after it is found that it exists. If that subdomain can be purchased, then it is considered vulnerable.
7. Cloud storage: Cloud storage services provide the facilitation to the web applications and services for storage and access to the objects of system existing in cloud storage services like Google cloud, AWS. Improper configuration in the access control, although may conclude in exposure of sensitive information being modified as well as data access by an unauthorized party. A common vulnerability example is a misconfigured Amazon S3 bucket; however, other services providing the cloud storage may also exposure to various types of cyber threats.

4.2.2 Client level testing

Client-Side testing is a type of testing concerned with the code execution on the client side that typically exists within the web browser or browser plug-in. The execution of code on the client-side of the web application is different from the one executing on the server side of the web application and it returns the subsequent content. Client-side security needs penetration testing to be performed because client-side attacks can quickly risk and compromise the critical data assets and information. It is essential to test the susceptibility and application network’s capability to identify and respond back to the client-side attacks before the damage is irreversible. Client level testing involves checking for following:

1. HTML Injection: HTML injection is injection vulnerability in the web application that takes place when a user can control an input parameter and is able to perform the injection of any malicious HTML program into a web page having this vulnerability. This web application flaws/weakness takes place due to an improper input validation and sanitization and improper encoding of the output. The attacker performs an HTML injection attack to send an arbitrary HTML page with malicious intentions to the victim.
2. Client side URI redirection: Client-side URL redirection is additionally referred to as open redirection. This type of weakness or vulnerability exists in an application when it allows all types of untrusted input consisting of an external URL and doesn't perform any proper sanitization. The inserted URL could result in redirection of the user to a different page from the application, like a malicious web page created and then controlled by an attacker.
3. Cross origin resource sharing: CORS could also be a mechanism that enables an internet browser to perform cross-domain requests of the XMLHttpRequest L2 API in a very controlled manner. The XMLHttpRequest L1 API solely allows requests to be sent inside the identical origin as a result of it being restricted by the identical origin policy. Cross-origin requests have an associated origin header that identifies the domain initiating the request and is usually sent to the server. CORS defines the protocol to use between a web browser and a server to figure out whether or not a cross-origin request is allowed. Access-Control-Allow-Origin could also be a response header utilized by a server to purpose that domain square measure allowed to browse the response. The analyst ought to rummage around for insecure configurations as for example using a wildcard (* symbol) as worth of the Access-Control-Allow-Origin header which implies all domains square measure allowed. Another insecure example is once the server returns the origin header with none further checks, which could cause access of sensitive information. Access-Control-Allow-Credential may well be a vicinity of a pre-flight request indicating that the last word request will embody user credentials.
4. Click jacking: It comes under the UI redressing method, it is a malicious and complex attacking method whereby an internet user is mislead to click on a particular link which redirects to a webpage which looks similar what the user is expecting with but this is eventually an attacker page having the actual website as a part of its frame. The tester tests this vulnerability by investigating whether it is possible to load the target website in an inline frame of a sample test html page.
5.  Webs sockets: Web sockets works by enabling full-duplex communication channel between the web client or web server allowing the client and server to ensure asynchronous communication. It is the server’s function to perform verification of the Origin header in the Web socket handshake of HTTP communication. Under this

• The tester should first perform the identification of whether the application is using Web Sockets by inspecting the code on the client-side for ws:// or wss:// URI scheme.
• In the Burp suite pro, with the help of a Web socket client, try to connect to the remote Web Socket server. If we observe the establishment of a successful connection then it means that the web server would not be able to perform the validation of the origin header.
• Verify that Web Socket connection is making use of secure socket layer (SSL) to transmit sensitive information with wss://

6. Browser storage: Web browsers allow the functionality for storage functionality in the client-side for developers to perform the storage and the retrieval of data such as local storage, session storage, IndexedDB, cookies, etc. Testing should be conducted to work out whether the web site is performing the storage of the data that is considered too sensitive to be stored at the client side. The assessment of storage object code handling should be done in order to determine any injection attacks in future.
7. Web messaging: Web Messaging (also noted as Cross Document Messaging) allows the web applications that are running on multiple domains to intercommunicate with each other in a secure manner. Before this was introduced, the intercommunication of different origins (between iframes, tabs and windows) was enforced restrictions under the same origin policy and eventually was checked by the web browser. After this, Cross Document Messaging was originated and was implemented altogether with multiple browsers. It ensures the secure communications between origins across iframes, windows and tabs are ensured with the assistance of Cross Document Messaging. The messaging API introduced the postMessage() method, with which plain-text messages are going to be sent cross-origin. It contains two input parameters: 1) message, and 2) domain. The checks to be made in this are

• The tester should verify whether the application code is performing the sanitization and processing of the messages from only the acceptable and trusted domains. Within the sending domain, also ensure that the receiving domain is explicitly stated, which isn't used because of the second argument of postMessage().
• JavaScript code is recommended to be interpreted by tester to perform the determination of the implementation of web messaging and specifically, testers should have an interest about how the target website is forming a restriction on the messages that are coming from unknown domains, and thus the method in which the information is processed when they are received from trusted domains.

8. Cross site script inclusion: Cross-Site Script Inclusion (also popularly called XSSI) is a type of vulnerability that results in the leakage of sensitive information across origin or cross-domain boundaries. XSSI could be a client-side attack almost like Cross-Site Request Forgery (CSRF) but includes a different purpose. CSRF uses the authenticated user to perform the execution of state-changing functions inside a victim’s page (e.g. transfer money to the attacker's account, modify privileges, reset the password, etc.), XSSI instead uses JavaScript on the client-side to leak sensitive data from authenticated sessions. to check for XSSI:

• Identify of the endpoints accountable for sending sensitive data, what parameters are required, and identification of all relevant dynamically and statically generated JavaScript responses using authenticated user sessions.
• Determine whether the sensitive data are often leaked using JavaScript via Global Variables, Global function parameters, JavaScript Runtime errors, or Prototype chaining using this.

4.2.3 Authorization testing

Authorization is the concept or process of allowing access to the restricted resources to only those users that are permitted to use them. For testing authorization settings or configuration in the web application, tester first needs to understand how the authorization process works, and then use that information to plan for the attack on the application using the weak configuration of the authorization mechanism. Authorization is a concept that comes after a successful authentication process, so the analyst will perform the verification of this point after he has the valid user credentials, related to a well-defined set of roles and privilege rights. During the testing of this security control, it should be checked if it is possible to perform the authorization schema bypass, find vulnerability in the path traversal, or tester can also find different ways to conduct the escalation of the privilege rights assigned to the analyst. The tests for checking the Authorization and Identity management are given below.

1. Account enumeration: Often web applications reveal when a username exists on a system, either as a consequence of misconfiguration or as a design decision. For a case, sometimes, after we submit wrong credentials, we receive a message that states that either the username is present on the system or the provided password as wrong. The data obtained is employed by an attacker to realize an inventory of users on the system. This information is often used to attack the web application, for instance, through a brute force or default credentials attack. The tester should interact with the authentication mechanism of the application to grasp if sending a particular request causes the application to answer in several manners. This issue exists because the data released from an online application or web server when the user provides a legitimate username is different than after they use an invalid one.  

2. Privilege escalation: It takes place when a user can access many other restricted resources or restricted functionalities than they're normally allowed to access, and such elevation or changes should be prevented by the web application. In every portion of the applying where a user can create data/information within the database (e.g., making a payment, adding or removing a contact, or sending a message), can receive information (account statement, order details, etc.), or delete information (delete or drop users, delete messages), it is necessary to record the functionality. The tester should attempt to access such functions as another user so as to verify if it's possible to access a function that ought to not be permitted by the user's role/privilege (but can be permitted as another user). If the tester is able to access such functionalities with a user with the identical user role then it becomes horizontal privilege escalation. If the functions accessed by the analyst as a traditional user belong to a better user role, then it becomes vertical privilege escalation.

3. Insecure direct object reference: Insecure direct object references vulnerability takes place when an application provides direct access to things supported user-supplied input. If this vulnerability exists in the web application, then attackers can bypass authorization and access resources within the system directly, for e.g. database records or files. To test for this type of vulnerability the tester must first plan all locations within the application where user input is employed to reference objects directly. For instance, locations where user input is employed to access a database row, a file, application pages and more. Next, the analyst should modify or change the parameter value tied to reference objects and assess whether it is possible to retrieve objects belonging to other users or otherwise bypass authorization. As shown in Figure 3, consider the sample request at a link http://foo.bar/somepage?invoice=12345, in this case, the worth of the invoice parameter is employed as an index in an invoices table within the database. The analyst should change the worth of invoice and check if the corresponding invoice number details are displayed within the application or not.

4. Directory traversal and file inclusion: Web servers and web applications implement authentication mechanisms to regulate access to files and resources. Web applications use server-side scripts to incorporate different types of files and manage images, templates, load static texts, etc. But there also are security vulnerabilities if these input parameters aren't correctly validated. In order to see which part of the web application is liable to input validation bypassing, the analyst must enumerate all parts of the application that accept content from the user. Few checks which will be performed here are:

• If there is any request parameters used for file related operations.
• If there are any interesting variables.

3.png

Figure 3. Insecure direct object reference (IDOR) attack

4.png

Figure 4. Directory traversal attack

As shown in Figure 4, the next stage of testing is analyzing the input validation functions present within the web application. To successfully test for this flaw, the analyst has to have knowledge of the system being tested and also the location of the files being requested. A couple of examples for the following scenario are as follows:

http://example.com/getUserProfile.jsp?item=../../../../etc/passwd

http://example.com/index.php?file=http://localhost:8080

5. Cross-site request forgery: As shown in the Figure 5, Cross-Site Request Forgery (also popularly known as CSRF) is a type of web security attack that forces a user to execute unintended actions on an internet application within which they are currently authenticated. In order to test for CSRF vulnerability within the web application, audit the web application to establish if its session management is vulnerable. If session management relies only on client side values (information available to the browser), then the web application is vulnerable. Client-side values refer to cookies and HTTP authentication credentials (Basic Authentication and other sorts of HTTP authentication; application-level authentication). To perform the exploitation of the CSRF vulnerability, the tester then searches for HTML forms within the application and makes an HTML web page with some hidden fields and hosts it on an area server. Submit such WebPages after logging web application. If the page submits the malicious request successfully, CSRF is exploited.

6. Server side request forgery: As shown in the Figure 6, Server-side request forgery (SSRF) is a type of web security vulnerability that enables an attacker to mislead the server-side application or web server to form a call back connection to itself and in other cases also to the other web-based services within the organization’s infrastructure or to an external third-party system. Manual detection of the Server-Side Request Forgery vulnerability consists of making a careful analysis of the HTTP Requests, taking the inputs parameters and headers whose input values are whole or partial URL references to other internal web resources within or external to the web application.

4.2.4 Authentication testing

Authentication is the mechanism of attempting to perform the verification of the digital identity of the sender in the communication channel. A commonly used example of the authentication process is the login mechanism. For testing the authentication schema, tester need to first understand how the authentication process works and use that information to attack the authentication process considering its flaws and weaknesses. However, most of the web applications have a requirement to perform the authentication process to gain access rights to any sensitive or private information or to execute the tasks therefore not every authentication method is able to provide suitable security to the application. For performing the authentication testing, checks to be conducted are as follows:

5.png

Figure 5. Cross site request forgery

6.png

Figure 6. Server-side request forgery (SSRF) attack

1. Credentials over an encrypted channel: Testing for credentials in transit refers to the verification of the user's authentication data being transmitted via an encrypted channel (SSL/TLS) to avoid the data from being intercepted by any intruders or malicious users. The analysis focuses simply on trying to know if the information travels unencrypted from the web browser to the web server, or if the web application takes the acceptable and required security measures by employing a protocol like HTTPS. The fact that the network traffic is in encrypted form does not necessarily mean that it is completely safe.
2. Default Credentials: Web applications often make use of popular and free or commercial software which has the capability to be installed on web servers with minimal configuration or any customization by the web server administrator. This software even has default user credentials for initial authentication and configuration which are not changed by the application admins or owners. After gathering enough information about it, the tester can find and explore for administrative/login portals and try brute forcing them with default user credentials considering the exact software along with its version.
3. Weak logout mechanism: Account lockout mechanisms are accustomed to preventing and mitigate the brute force password guessing attacks. Accounts are typically locked after 4 to 5 unsuccessful attempts for login and might only be unlocked after a determined time slot with the help of a self-service unlocks mechanism, or intervention by an administrator. To assess the capability of the account lockout mechanism to prevent brute force password guessing, try to enter invalid login credentials by using the incorrect password innumerable times, before using the valid password to verify that the account was locked out.
4. Bypassing authentication schema: For testing the authentication schema, you might require understanding or prior knowledge of how the authentication mechanism works and using that procedure information to bypass the authentication process. There are several methods of bypassing the authentication schema that is employed by a web application that should be tested:

• Direct Page Request (Forced Browsing): If an online application implements access control only on the login page, the authentication schema is also bypassed. As an example, if a user directly requests a singular page via forced browsing, that page may not check the credentials of the user before granting access.
• Parameter modification: Another problem related to authentication design is when the web application verifies a successful login on the premise of a group value parameter. A user could modify these parameters to comprehend access to protected areas without providing valid credentials.
• Session ID Prediction: Most commonly, web applications make use of session identifiers or session IDs to manage the authentication process. Therefore, if session ID generation is predictable, a malicious user can be ready to find a legitimate session ID and gain unauthorized access to the application, impersonating a previously authenticated user.

5. Insecure cache management: Testers need to make sure the testing web application doesn't leak any sensitive information into the browser cache. To do this, they'll certify for each page that contains sensitive information the server instructs the browser to not cache any data. Such a directive should be issued within the HTTP response headers with the subsequent directives:

Cache-Control: no-cache, no-store

Expires: 0

Pragma: no-cache

These directives are generally robust, although additional flags for Cache-Control are also necessary such as:

Cache-Control: must-revalidate, max-age=0, s-maxage=0

6. Weak password policy: Testers must check for the following to evaluate the health of the password policy such as:

• Password complexity
• Minimum length of password
• Whether users can set the new password as the old one
• Whether users are forced to change password after password recovery when password is sent in plaintext over Email/SMS

7. Weak password change: The forgot password and alter password functionalities should be tested for the following:

• Check if the change password functionality asks for current password or not. If it doesn’t, there's a prospect of CSRF attack.
• Check if the users can manipulate or subvert the password change or reset process to vary or reset the password of another user or administrator.
• Check if the password reset tool shows you the password; this offers the attacker the flexibility to log into the account, and unless the application provides information about the last log within the victim wouldn't know that their account has been compromised.

4.2.5 Session testing

Web applications consist of implementations of different processes and mechanisms for the storage and validation of the user credentials for a predetermined time. This type of mechanism is called Session Management. For testing the session management mechanism, the tester needs to check whether the session cookies and session tokens are being created in a secure and unpredictable manner. During the testing of session management functionality, the checks to be conducted are as follows:

1. Session management schema: The analysis of the session ID variables should be performed to determine presence of easy to guess or predictable data patterns. Session ID analysis could also be manually executed or by using Burp Suite to conclude the similar data patterns within the Session ID content. Manual checks should include comparisons of Session IDs issued for the identical login conditions – e.g., the identical username, password, and IP address.
2. Cookie attributes: Cookie is a small text that resides on clients’ desk. The attributes of a cookie to be tested are:

• Secure attribute: It is a cookie attribute that instructs online browser to forward the browser cookie considering that the HTTP request is being sent over HTTPS (HTTPS over SSL). This will prevent the browser cookies from being passed as requests in an unencrypted form. Secure attribute of a cookie should be set to true.
• HTTP Only attribute: This attribute is employed for preventing attacks like session details exposure since it does not allow the access to a cookie via JavaScript which is a client side script. The HTTP Only attribute of a cookie should be set to True.
• Domain attribute: This attribute is employed for verifying the domain of the cookie against the server’s domain to ensure that the HTTP request is created.
• Path attribute: It plays a significant role in the scope setting of the cookies in relation to the specific domain. In addition to this, the path of the URL that the cookie is valid for is to be mentioned explicitly. The cookies will be sent inside the request if the path and the domain are matched.
• Expires attribute: The Expires tag attribute is used for:
  • setting persistent cookies
  • restrict the time span if the session exists for a long span
  • setting the browser cookie to a past date in order that it gets deleted fast

3. Session fixation: Session Fixation vulnerability occurs when a web application performs the user authentication without performing the validation of the prevailing session identifier, henceforth continuing with the use of the same session identifier already assigned to the user in the previous session. The tester should make sure that a replacement session ID is issued upon a successful authentication.
4. Logout functionality: Session termination may be a crucial part of the session lifecycle. A secure session termination requires a minimum of these next components:

• Logout UI (User Interface): Verification of the functionality of the sign off option within program. For the testing purpose, the tester should view every web page from the perspective of a user who wants to sign off from web application.
• Session Timeout: Analyst should verify whether the application logs out a user due to lack of activity in the web application for a specific period of time, verifying that it should be considered unacceptable to reuse same session and also to ensure that no data gets stored in the web browser cache. The proper value of the session timeout is dependent on the purpose of web application and that a balance of security and purposefulness is maintained.
• Server Side Session Termination: Primarily, the cookie values should be stored in the browser that is accustomed for session identification. Trigger the exit function and analyse the application’s response behaviour, specifically in the case of session cookies. Observe and then navigate through the pages that are only visible in an authenticated user’s session. It should be ensured that no data should be accessible by the unauthenticated users which are only permissible to be viewed and accessed by an authenticated user.

5. Session puzzling: This type of vulnerability takes place in an application which makes use of the same session cookie for multiple sessions. The attacker can easily access the web pages in an order not predictable by the application developers so that the session variable is ready in one scenario then utilized in another scenario. This type of vulnerability is identified and then taken advantage of by the enumeration of all session variables employed by the web application and in which situation they are considered valid.
6. Concurrent user sessions: It is considered suitable to recommend the applications for having user functionalities that enable the real-time verification of active sessions, monitoring and alerting the original users regarding the concurrent login sessions and also provide a facility for terminating the sessions remotely and manually, also there should be tracking functionality of the account activity record by keeping a record of many client details such as IP address, user-agent, login date and time, idle time, etc. The analyst can check the presence of concurrent user sessions by logging in to the identical user account from different browsers.

4.2.6 Input validation testing

Input validation, also popularly known as data validation, is the testing technique done on any user-supplied input parameter on the web application. Input validation should mitigate any improper or inaccurately formed data from being inserted or stored into the application’s information system. Because it is typical to identify any malicious user who is trying to attack software, web applications should verify and perform the validation of all the input that is entered into the web application. Input validation mechanism should take place when input data is received from an external third party and especially when the data is coming from an untrusted data source. Injection attacks, memory leakage, and compromised systems can be caused due to improper input validation. The following are the checks to be conducted during input validation testing.

1. Cross site scripting: There are mainly 3 types of Cross Site Scripting which are as follows:

• Reflected XSS: As shown in Figure 7, reflected XSS is a cross-site scripting attack which is very commonly found in web applications. In the case of website application that has the reflected xss vulnerability, it will allow the passing of the input data without any validation, and hence it will directly be sent to the client via the requests. Attacker's script or exploit code is most commonly found in Javascript, VBscript, and ActionScript. Tester first verifies each insertion point or input vector to detect any potential XSS vulnerabilities. For detecting this type of vulnerability, the tester will intend to make use of a specially generated user input into every insertion point (input field) that is present in the application.
• Stored XSS: As shown in Figure 8, Stored Cross-site Scripting (XSS) is the most dangerous of all XSS attacks. It is necessary for a web application to be vulnerable to stored cross site scripting attack to be able to allow users to store data. For testing the stored XSS, the tester needs to perform the identification of all insertion points for the user-supplied input data that are being stored into the back-end server of the web application and then they are being displayed by the web application. Followed by this, the attacker then inserts a specially crafted malicious javascript input vector into all the identified insertion data points.

7.png

Figure 7. Reflected XSS attack

8.png

Figure 8. Stored cross-site scripting attack

9.png

Figure 9. DOM based cross site scripting attack

• DOM-based XSS: As shown in Figure 9, DOM-based cross-site scripting is a type of cross-site scripting attack related to the DOM (Document Object Model). This is a type of XSS vulnerability that is a result of the content on the dynamic browser-side of the javascript page taking the user data as input from the browser application and then doing malicious activities with it which might harm or affect the users data due to the execution of JavaScript code that has been injected into the application. The DOM based XSS vulnerability exists in a web application when the flow control of the program code is done by using the DOM elements along with an exploit script by the attacker to perform the modification of the functionality of the application or in other words, the flow control of the application.

2. HTTP verb tampering: For testing the HTTP Verb tampering vulnerability, the tester performs the analysis of the HTTP response from the web application to a variety of request methods for accessing the system objects. The tester should test this vulnerability by accessing all of these system objects with all the possible HTTP request methods for every single object that were identified during the web application’s spidering process. If the server at the web application allows the HTTP request method other than POST or GET request method, the test comes out to be a fail or the application is considered safe from HTTP verb tampering, considering that the test web application does not allow the other HTTP request methods. The only remediation is to disable the HTTP request methods other than the GET and POST request methods to the web application servers.

3. HTTP parameter pollution: To test this vulnerability, the tester tests by checking the web application's HTTP response after receiving many HTTP parameters under the same request method or same name; let us consider an example in which the parameter userid is inserted in the request parameters twice. Appending many HTTP parameters with the same name may result in the wrong interpretation of values by the application. With the help of these vulnerabilities to conduct the exploitation, the tester will be able to cause functional modifications or errors in the internal parameters to bypass the mechanism of input validation in the web application. The tester first has to perform the identification of any form action that allows the input of any invalidated user input data.

4. SQL injection: As shown in Figure 10, to perform the testing of SQL injection vulnerability, the tester first verifies whether they can inject any input into the web application in order to perform the execution of a user-controlled SQL query in the web application’s database. The tester first checks if the application takes user input without proper input validation and inserts it into the SQL queries directly. For an SQL Injection attack to be successful, it is necessary for an attacker to create an SQL Query which is syntactically correct to fulfil his malicious intentions. If an error message is returned by the web application after the insertion of into the user supplied input, generating a message stating an incorrect query, then it might help the attacker to craft and modify the logic of the existing application query. It helps the attackers to perform the injection attack successfully. There are a variety of methods that exist to perform the exploitation of SQL injection vulnerability in the web applications such as Union Operator, Blind SQL injection, Error based injection, Boolean conditions based injection, Out-of-band injection, and Time delay based injection.

10.png

Figure 10. SQL injection

11.png

Figure 11. LDAP injection

12.png

Figure 12. XXE injection

5. LDAP injection: As shown in the Figure 11, LDAP injection is a type of vulnerability which exists in the server side, and it is also popularly known as the server side attack, which allows the disclosure, modification and insertion of the sensitive information and data about the users depicted in an LDAP tree structure. This is performed by the manipulation of the input data parameters which is then forwarded to the addition, internal search and data modification functions. If a web application makes use of an LDAP server to perform the verification of the user credentials in the authentication mechanism and if it is having LDAP injection vulnerability, then the tester, we can conduct the bypass of the authentication check mechanism by the injection of an always true LDAP query into the existing query similarly like SQL injection, XML injection, X-PATH injection.

6. XML injection: XML Injection is a type of injection attack which is done by an attacker by injecting any XML (Extensive Mark-up Language) document into the application and checks for process by application. If the XML parser fails to perform the semantic verification of the input data then the application will send back a positive response and results in to successful attack. The tester first checks for the presence of a XML Injection vulnerability in the web application by inserting the XML meta characters such as ‘, , <, >, <!--/→ in the data insertion points. For example, consider that there exists an attribute like the following in the web application:

<node attrib='$inputValue'/>

Considering the condition where if the inputValue = foo’ is instantiated and then inserted as the attrib value shown as below:

<node attrib='foo'/>

Then this XML document is not considered valid.

By defining the new entities, tester can extend the set of valid entities. If URI is the entity definition, then the entity is known as an external entity. External entities usually intend to force the XML parsers for the purpose of accessing the URI specified resources, e.g., a file on a remote system or the local machine. As shown in Figure 12, this configuration makes the application vulnerable to XXE attacks (External XML Entity), which can in turn, be used to perform DOS attack on the local system to gain unauthorized access to perform unauthorized activities like accessing the files on the local machine or a remote system, scanning the remote machines, and perform DOS on the remote systems.

7. SSI injection: SSI Injection, also known as Server-Side Includes injection, is special directives that are parsed by the web server before forwarding this page to the user. Appending an SSI directive into a static HTML document can be done by the following: -

<!--#echo var=DATE_LOCAL →

to print the current date and time.

The first thing that is done by the tester while testing for an SSI Injection vulnerability is to check whether the web server supports SSI directives or not. Followed by the tester tries to find the page in the web application where the insertion point is present in order to submit any input data, then tester performs a verification of whether the application has implemented a proper input validation mechanism.

8. XPATH injection: XPath is a type of programming language that is specifically designed for the purpose of addressing various sections of a document in an XML format. To perform the XPath injection testing, it is first checked whether injection can be done with the XPath query into the HTTP request that is going to be read or interpreted by the application, hence this allows the tester to execute the user-controlled XPath queries. After the successful exploitation of this vulnerability, it becomes possible for the tester to perform the authentication mechanism bypass and then gain the access to the restricted information without any authorization.

9. IMAP/SMTP injection: The purpose of performing this test is to check whether anyone can perform the injection of any arbitrary IMAP/SMTP exploit payload commands and send it to the mail servers due to improper sanitization of the input data. This type of injection attack allows the unauthorized access to the mail server which should not be accessed from the Internet directly. The tester’s role is to perform the analysis of the application’s capability in the input data handling in order to detect the vulnerable input parameters. It is necessary for the tester to send a malicious request to the web application server during the input validation testing phase and then perform an analysis of the response. Finally, after the identification of all the vulnerable parameters, the tester needs to perform the determination of the level of injection that is possible in the application and further exploit the application by designing the test plan.

10. Code injection: To perform the testing of code injection, the tester need to perform the submission of the input data to be dynamically processed by the application’s web server. These types of tests can target different types of scripting engines present in the server-side, e.g.., ASP, JSP and PHP. In order to protect against these types of attacks, secure coding practices and proper input validation is required.

11. Command injection: Command injection, also popularly known as an OS command injection, is a type of attack which takes place through a web application interface by executing the OS commands on the web application server. The web interface is known to be vulnerable to this type of exploit if it is not properly sanitized. The tester will test if this vulnerability exists in the application or not by injecting an OS exploit payload or command to the web application with the help of an HTTP request.

12. HTTP splitting/smuggling: HTTP splitting and smuggling details are as follows:

HTTP Splitting: HTTP Splitting is a type of vulnerability that performs the exploitation of the lack of sanitization of input by allowing an intruder to do the insertion of CR and LF (Carriage Return and Line Feed) characters into the response headers of the web application and to perform the 'splitting' of the HTTP response into two different parts of the HTTP response body. The headers that are most likely to be used by an attacker for conducting this attack are Set-cookie and Location header. The analyst must first detect all the identify all the insertion points present in the application that will directly affect the HTTP response headers, and then perform the verification of whether the insertion of a CR+LF sequence was successful or not.

HTTP Smuggling: HTTP Smuggling is a type of vulnerability that involves different techniques in which a modified HTTP message body can be successfully parsed and then understood by various types of web browser agents or WAF (Web Application Firewall). This attack technique allows the attacker to send one type of request to one device while the other device receives a different type of request. HTTP Request smuggling further provides the facilitation of several possible exploitations like XSS, partial cache poisoning and also bypassing the firewall protection.

13. Host header injection: The main reason why the host header exists is there are situations when there are multiple web applications hosted on the same IP address by the single web server. The HTTP header (or host header) mentions explicitly the website or web application to perform the incoming HTTP/HTTPS request processing. The host header value is used by the web application server for forwarding the HTTP request to the specified web application. The tester checks for the proper validation of the value of this header field by providing another domain in the host header request field. This type of injection attack turns out to be successful when the web application server performs the input processing to send the request to a host controlled by an attacker. Web cache poisoning, Web cache deception and password reset poisoning can be performed by host header injection.

14. Server side template injection: SSTI vulnerabilities occur when the user supplied input data is integrated into the server-side template of the application in an insecure way this improper function setting on the server can cause a remote code execution. Server side template injection vulnerabilities are present in both text and programming language format. In normal text format, users can insert any type of text within the HTML program. Considering the programming language format, the user supplied input data must be inserted inside a template code statement. In both the cases the methodology for testing this vulnerability consist of the following steps:

• Detection of the insertion points in the application vulnerable to template injection
• Identification of the application’s template engine
• Creating an exploit code for the vulnerability exploitation

15. CSV injection: It is a type of injection attack that takes place when the web applications embed the untrusted input inside CSV files. CSV injections are also popularly known as the formula injection. Microsoft Excel or LibreOffice Calc which is a spreadsheet program can be used to open a CSV file, so any cells starting with ‘=’ will be understood by the software as a formula. The tester can check for CSV injection in web applications which have the functionality of generating and exporting the files of CSV format of user supplied data or user input.

16. Rate limiting: Rate Limiting, also popularly known as request limiting, is primarily used for controlling the amount of incoming and outgoing traffic to or from the server or network. Implementation of the limit on upcoming requests to the server is to allow for a better flow of data and to increase the security by preventing attacks such as Distributed DoS attack. Rate Limiting can be checked in the following components:

• HTML Forms: Any application having login forms, contact forms, registration forms, feedback forms, submission forms, etc., need to be checked.
• Emails: Any application having send email functionality can be verified for request limiting.
• OTPs: Any application having OTP functionality can also be tested for request limiting.

4.2.7 Business logic testing

For testing the flaws present in the business logic of a multi-functional dynamic web application, it requires unconventional method. If an application's authentication mechanism is developed with the intention of performing a standard procedure following the same steps again and again in a specific order to authenticate a user, the pattern become predictable by any potential attacker and then they might be able to mess up with the actual web application logic and framework. For conducting these tests, the testers to think differently, develop abused and misuse cases or in other words, attack scenarios and use multiple testing techniques followed by the software functional testers. The application must be able to have a functionality to check whether logically valid data is being directly sent to the front end and the server side of an application. Some of the web controls or testing indicators for the business logic testing is as follows

1. Unrestricted file upload: The file upload functionality can pose a considerable risk or threat to the web applications if the file uploaded by any anonymous user turns out to be malicious after uploading it to the web servers or the application servers. The primary step in the invalidated file upload functionality attacks is to send the malicious code to the target system. In order for this harmful attack to be successful, the attacker needs to find a way to get the code executed at the user’s end. One of the most important factors while testing this vulnerability is to check what the application does with the file which is being uploaded, where it is stored and how it will be executed.

The security analyst should ensure if the application has the file upload functionality, then it should not allow the uploads of files having malicious extensions that are not relevant to the application’s intended functionality. The analyst should also find ways to test if it is possible to bypass any filtering that the developer might have employed in the application’s file upload functionality in order to mitigate and avoid any unwanted file uploads. The analyst performs the front-end (graphical user interface) functional valid testing to check that only the valid values are accepted in the application. Next, the analyst looks for variables where the insertion points take the cost or quality values. After the insertion points are found, the tester starts with the interrogation of the input fields with logically invalid data like unique identifiers. Tester has to check if they are working properly or not and that it does not accept any logically invalid data.

In this paper, the main emphasis made on the most common vulnerabilities found in the web applications.

The paper also discusses in detail about the tools that can be used for automated testing such as Nmap, Acunetix, Nessus, OWASP ZAP, Dirbuster and many other such tools. The most common and popular tool used for penetration testing is tested by the white hat hackers/security analysts using automated and manual testing procedures. The paper provides the security testing techniques that can be done on any web application in an ethical way. The testing techniques are broadly categorized into two types, Black box and Gray box testing. This paper concludes that vulnerability assessment is the identification of the security vulnerabilities and penetration testing is the real time simulation of how an actual exploitation or attack will take place when the weakness, misconfiguration or security flaw existing in the web application. Burp Suite Professional. It can be used for manual exploitation as well as automated crawl and auditing of the web applications. This paper also suggested many burp extensions that can be installed in Burp Suite and can be helpful during the VAPT. Tools which can be helpful for manual exploitation are Metasploit, Wireshark, Burp Suite and many such tools. This paper concludes that VAPT is highly recommended to be performed in every organization as nowadays the data is stored on the internet, and this can pose a threat to the organizations reputation or money if any attack takes advantage of the security flaws existing in the organizations network. As a future work, we attempt to work on the VAPT process of mobile applications.