Web Penetration Testing

Web Penetration Testing

What is Penetration Testing

A penetration test, also shortened to pen test, is a simulated cyber attack on your website to test the vulnerabilities of the system, including website, server and social vulnerabilities. The objective of the test is to sure up vulnerabilities and manage the risks should a cyber attack occur. 


Pen Testing Methodology

  1. Scoping – firstly we understand the requirements of your business so we can scope out the test needed on your website or application
  2. Reconnaissance – we gather relevant intelligence, normally all pages of the website or application for us to test
  3. Scanning Tools – are used to see how the system can be penetrated
  4. The Test – the application or website is assessed for vulnerabilities and if access can be gained
  5. Maintaining Access – once we have gained access we attempt to retain access
  6. Analysis & Reporting – the test will be analysed and a full report put together by a qualified tester.
  7. Re-Test – once vulnerabilities have been identified and systems adapted accordingly, a re-test can take places to assess the patches installed.


Testing Scope

  1. External / Internal Testing – externally testing means ethically trying to hack web applications such as websites, hosting, emails and domains in order to access critical data. Internal testing is a simulating what could happen in an attack from behind the firewall, such as a rogue employee or what would happen if credentials were obtained through email phishing.
  2. Greybox Pen Testing – this is where a tester is only given the name of the company and then has to figure everything else out. The security personnel are aware of an impending ethical hack and can monitor what is being done.
  3. Blackbox Pen Testing – This is where the ethical hacker is only given the name of the company and the security personnel are not informed of the ethnical hack, this most realistically staging a real-life event.
  4. Whitebox Pen Testing – this is the opposite of a double-blind test in which case the attacker and security personnel are aware of everything and work together to identify vulnerabilities.


Types of Testing

  1. Application Testing – testing web applications such as websites, apps, emails, hosting and domains.
  2. Software Testing – cyber criminals commonly exploit newly built software after developers have rushed to deliver the software in line with timescales.
  3. Social Engineering – Businesses are based on people and it only takes one slip by an employee and systems can be penetrated. We simulate a range of tactics to test employees.
  4. Device security testing – mobile app usage is on the rise, where companies run apps for customers then these will be tested.
  5. Hosting security testing – we test whether a host’s operating systems and servers are up to date and provide protection against hackers.
  6. Wireless testing – hackers can gain control through unsecured wireless networks. We assess for any vulnerabilities via the connectivity of your business.
  7. Firewall testing – the configuration on firewalls can become out of date. We test if there are any weaknesses.
  8. Network testing – once inside a network a hacker can move laterally and begin to access more data. Weaknesses within the network are assessed.


Benefits of Web Penetration Testing

Penetration Test will help companies do the following:

  1. Identify the most vulnerable routes your business is exposed
  2. Improve access rights to users or customers
  3. Find any weaknesses where data could be leaked
  4. Improve the security around the data you store
  5. Improve authentication controls


Why do you do a Penetration Test

Cyber security threats are increasing all the time and Covid-19 has just exacerbated the need for tighter security. Commonly, larger firms conduct a penetration test annually to assess any vulnerabilities. Other times companies will commission pen tests include:

  1. During a merger or acquisition process
  2. Bidding for contracts that require a pen test in order to win the work
  3. Launching a new website or applications
  4. Changes to infrastructure