
Web Application Penetration Testing: Know the Vulnerabilities in Your Application

  • 29/09/2011
  • no comments
  • Posted by EuroSTAR

Gartner reports that 75% of attacks occur at the application level, and a Forrester survey states that “people are now attacking through applications, because it’s easier than through the network layer.” Despite firewalls and intrusion detection or prevention systems, attackers are still able to get past these defences, access your data and go undetected.

With the emergence of technologies like Web 2.0 and cloud computing, where information sharing and data storage with third-party vendors happen more often, the probability of such intrusions increases. Put simply, it is no longer possible to deliver services or solutions without relying on such third-party services. It therefore becomes critical to secure your applications properly and make sure no attacker gains access to your data.

One way of preventing such intrusions is “Web Application Penetration Testing”. It is the best way of assessing the chances of an intruder accessing your website and your web application’s capacity to withstand that attack. The process applies a thorough analysis of all the applications for weaknesses, technical flaws or vulnerabilities. If any security issues are found during the test, they are escalated to the responsible department along with a report on their impact and a technical solution. To avoid an unproductive scattergun approach, the best technique for carrying out a penetration test is to run a sequence of meticulous and repeatable tests and to work through each of the different classes of application vulnerability. Secure your web apps by implementing the following techniques:

1) Sanitize the data coming from the browser: Data sent by the browser can never be trusted. It generally includes submitted form data, uploaded files, cookie data, XML, etc. If you fail to validate this incoming data and strip what you do not expect, it can expose your web application to vulnerabilities such as cross-site scripting, SQL injection and numerous other attacks.

2) Validate data before form submission and manage sessions: Most vendors consider cross-site request forgery (CSRF) one of the most serious vulnerabilities in any web application. CSRF is possible when a web application accepts form submission data without verifying that it came from a web form that the application itself had just produced and served to that user.
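The check step 2 describes, as an added example that is not part of the original post: the server mints a token when it serves a form, binds it to the user's session with an HMAC and a timestamp, and only accepts a POST whose token verifies for that same session and has not expired. The key, session identifiers and the 15-minute lifetime are constructed assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo key; a real deployment loads this from configuration, never from source.
SERVER_KEY = b"constructed-demo-key-do-not-use"
TOKEN_TTL = 900  # seconds a served form stays valid ("had just produced and served")


def _sign(session_id, issued, nonce):
    """HMAC over session|issued-at|nonce so a token is tied to one session and one form."""
    msg = f"{session_id}|{issued}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id, now=None):
    """Mint a token to embed as a hidden field in the form the server is about to serve."""
    issued = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    return f"{issued}.{nonce}.{_sign(session_id, issued, nonce)}"


def verify_token(session_id, token, now=None):
    """True only if the token was minted by us, for this session, within TOKEN_TTL."""
    try:
        issued_s, nonce, tag = token.split(".")
        issued = int(issued_s)
    except (ValueError, AttributeError):
        return False  # malformed or missing token
    now = now if now is not None else time.time()
    if not 0 <= now - issued <= TOKEN_TTL:
        return False  # stale form, or an issued-at from the future
    # Constant-time comparison so tag checking does not leak timing information.
    return hmac.compare_digest(_sign(session_id, issued, nonce), tag)


def handle_post(session_id, form, now=None):
    """Server-side handler for a state-changing POST; rejects submissions without a valid token."""
    if not verify_token(session_id, form.get("csrf_token", ""), now):
        return 403, "rejected: submission is not tied to a form served to this session"
    return 200, f"accepted: amount={form.get('amount')}"
```

A token copied from one session, an expired token or a token with an altered tag all fail verification, which is what defeats a forged cross-site submission.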

3) Configure the server in the best possible way: This is the easiest and most effective way to protect the information. Most administrators are aware of the security it provides to users, but not all focus on it. There are many guides available online to help you configure your server correctly to achieve security. Some key steps for hardening most web servers include:

• Maintain and update proper security patches
• Disable all redundant services and close unnecessary ports
• Confine access rights to folders and files
• Use SSH rather than telnet and FTP
• Install efficient anti-malware software

The steps above are the most important ones to remember when testing any web application with penetration testing. In addition, you can also take some smaller steps that will prove very useful for strengthening your web applications: using strong passwords (a combination of alphanumeric and special characters), clearing stored passwords, cleaning up old, unused code and files, etc.
