This article was contributed by Ankit Pahuja, Marketing Lead and Evangelist at Astra Security.
It's no secret that web application firewalls (WAFs) are critical for keeping websites secure. A WAF is designed to protect web applications from malicious input and activity and can help thwart some of the most common attacks on web applications.
However, WAFs are not perfect, and they should not be relied upon as the only line of defense against attackers. That's where manual penetration testing comes in. We will discuss what a WAF does, why it's not enough, and what goes into a manual penetration test. We'll also take a look at the different types of penetration testing and the stages involved in conducting a successful test.
What Does a WAF Do?
A web application firewall is software or an appliance designed to inspect all traffic coming into and going out of the application. It looks for malicious or unauthorized activity and can help protect against common attacks such as SQL injection, Cross-Site Scripting (XSS), and buffer overflows.
A WAF can also be used to enforce security policies on the web application, such as requiring strong passwords, disabling certain features, or restricting access to certain parts of the site.
While a WAF is an important part of any website's security posture, it should not be seen as the only line of defense. Attackers are becoming more sophisticated every day, and they will find ways to bypass a WAF if they are determined enough. That's where manual penetration testing comes in.
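To make the inspection described above concrete, here is an added example (written for this article, not Astra's or any WAF vendor's code) that models a WAF as a signature check sitting in front of an application handler. The signature list, the in-memory SQLite table and the user names are all constructed for the example. It shows the rule blocking a textbook SQL tautology, and it also shows why the parameterised query, not the WAF, is the real fix: the string-built handler leaks the whole table when the same input reaches it without passing the rule, whereas the parameterised handler simply treats it as a username that does not exist.

```python
import re
import sqlite3

# Constructed signature rules in the style of a simple WAF. A real WAF ships
# hundreds of rules; two are enough to show the mechanism (assumption for this example).
SQLI_SIGNATURES = [
    re.compile(r"'\s*or\s+\S+\s*=\s*\S+", re.IGNORECASE),  # ' OR 1=1 style tautology
    re.compile(r"union\s+select", re.IGNORECASE),          # UNION-based extraction
]


def waf_inspect(params: dict) -> bool:
    """Return True when any parameter value matches a known-bad signature."""
    return any(sig.search(value) for value in params.values() for sig in SQLI_SIGNATURES)


def build_db() -> sqlite3.Connection:
    """Constructed sample database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Builds SQL by string formatting: the WAF is the only thing between input and the parser."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_fixed(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised query: the input is bound as data and cannot change the SQL's structure."""
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def handle_request(conn: sqlite3.Connection, params: dict, handler) -> tuple:
    """Model of a WAF in front of the application: inspect first, then dispatch to the handler."""
    if waf_inspect(params):
        return ("blocked", [])
    return ("allowed", handler(conn, params["username"]))


if __name__ == "__main__":
    db = build_db()
    tautology = "' OR '1'='1"
    print(handle_request(db, {"username": "alice"}, lookup_vulnerable))   # ('allowed', ['alice'])
    print(handle_request(db, {"username": tautology}, lookup_vulnerable)) # ('blocked', [])
    # Call the handlers directly, as if the input had reached the application
    # without the rule firing, and compare what each one does with it:
    print(lookup_vulnerable(db, tautology))  # ['alice', 'bob']: the whole table leaks
    print(lookup_fixed(db, tautology))       # []: input treated as a literal username
```

The point of the last two lines is the one the article makes: a signature is a heuristic applied to traffic, while binding parameters removes the vulnerability from the code regardless of what the WAF does or does not match.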
Manual penetration testing
Manual penetration testing involves manually simulating attacks on a web application to identify vulnerabilities that may exist. The pentester will typically start by researching the target application and identifying potential attack vectors.
They will then try to exploit these vulnerabilities using a variety of methods, including brute forcing, fuzzing, and reverse engineering. Once the vulnerabilities have been identified, the pentester will document them in a report along with recommendations for how to fix them.
This is different from automated penetration testing in that it does not rely on tools to do the actual testing: tools may be used for scanning, but the essential penetration tests are carried out by hand.
Why is Manual Penetration Testing Necessary?
A WAF can help protect a web application from known attacks, but it cannot identify all possible vulnerabilities. For that, you need someone who knows how to look for weaknesses and exploit them – someone with experience in manual penetration testing.
A good pentester will know how to look for common attack vectors as well as exploits that are specific to your web application and infrastructure. They will also be up to date on the newest security threats and how to defend against them.
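An added example (not from the article or from Astra) of the kind of weakness a WAF cannot identify at all: a broken access-control flaw, where a logged-in user requests another user's record with a request that is byte-for-byte benign. The invoice table, the signature list and the user names are constructed for the example. The WAF allows the request in both the vulnerable and the fixed version; only the server-side ownership check in `get_invoice_fixed` closes the hole, which is the sort of finding a manual tester reaches by reasoning about the application's logic rather than by pattern-matching traffic.

```python
import re

# Constructed data: invoices owned by different users (stands in for a database table).
INVOICES = {
    101: {"owner": "alice", "amount": 120.0},
    102: {"owner": "bob", "amount": 75.5},
}

# Signature rules of the kind a simple WAF applies to query strings (constructed; a real
# rule set is far larger). A request such as GET /invoice?id=101 matches none of them.
ATTACK_SIGNATURES = [
    re.compile(r"'\s*or\s+", re.IGNORECASE),   # SQL tautology fragments
    re.compile(r"<\s*script", re.IGNORECASE),  # reflected XSS fragments
    re.compile(r"\.\./"),                      # path traversal
]


def waf_allows(query: dict) -> bool:
    """True when no query value matches a signature; the WAF sees only the request's bytes."""
    return not any(sig.search(value) for value in query.values() for sig in ATTACK_SIGNATURES)


def get_invoice_vulnerable(session_user: str, invoice_id: int):
    """Authenticated endpoint with no ownership check: any logged-in user can read any invoice."""
    return INVOICES.get(invoice_id)


def get_invoice_fixed(session_user: str, invoice_id: int):
    """Server-side authorisation: the record is returned only to its owner."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner"] != session_user:
        return None  # a real application would answer 403 or 404 here
    return invoice


def serve(session_user: str, raw_id: str, handler) -> tuple:
    """WAF in front of the application: inspect the query string, validate, then dispatch."""
    query = {"id": raw_id}
    if not waf_allows(query):
        return ("blocked", None)
    if not raw_id.isdigit():
        return ("bad_request", None)
    return ("allowed", handler(session_user, int(raw_id)))


if __name__ == "__main__":
    # bob, logged in as himself, requests alice's invoice. The request is syntactically harmless.
    print(serve("bob", "101", get_invoice_vulnerable))  # ('allowed', {'owner': 'alice', 'amount': 120.0})
    print(serve("bob", "101", get_invoice_fixed))       # ('allowed', None)
    print(serve("bob", "' or 1=1", get_invoice_fixed))  # ('blocked', None)
```

Nothing in the leaking request looks like an attack to a traffic inspector, so the WAF's verdict is "allowed" in both cases; the vulnerability lives entirely in the handler's missing check, and that is where the fix goes.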
What does penetration testing web applications involve?
This depends on several factors. Broadly speaking, penetration testing may involve the following:
- Researching the target web application and its infrastructure. This includes looking for publicly available information about the application, such as source code or configuration files that could be used to identify vulnerabilities. It may also involve scanning internal networks for open ports and other potentially exploitable services.
- Identifying potential attack vectors by analyzing the results of previous steps. These vectors may include SQL injection, Cross-Site Scripting (XSS), buffer overflows, file inclusion attacks, and so on.
- Exploiting these vulnerabilities. These exploits can range from simple to complex depending on the target application and infrastructure. In some cases, they may require extensive knowledge of the application's source code or configuration files whereas in others they may require nothing more than an Internet connection and a web browser.
- Documenting these vulnerabilities in a concise report along with steps to fix them. These recommendations will typically include updating your server software, disabling unnecessary services, applying patches when available (especially on shared hosting servers), and changing default passwords.
Types of penetration testing
There are many different types of penetration testing, but they all share common goals: identify vulnerabilities and provide recommendations for mitigating them. The type of penetration test that is right for your website depends on the nature of your website and current security measures. Here are some of the most common types of penetration tests:
Black box – Also known as “blind” testing, black box testers have no prior knowledge of the target application or its infrastructure. They rely on information that is publicly available, such as source code or configuration files, to identify potential attack vectors.
White box – Also known as “clear” testing, white box testers have full knowledge of the target application and its infrastructure. This includes access to source code, configuration files, and other internal documentation. White box testers may also be able to exploit vulnerabilities that are not accessible to black box testers.
Grey box – A combination of black and white box testing, grey box testers have some knowledge of the target application and its infrastructure but not necessarily enough to exploit all vulnerabilities. This allows them to test for vulnerabilities that are not detectable with only a black or white box approach.
Stages of penetration testing
Most software penetration tests follow a similar five-stage process:
- Reconnaissance – This stage involves gathering information about the target application and its infrastructure. This may include researching publicly available information or scanning internal networks for open ports and other exploitable services.
- Vulnerability discovery – This stage involves identifying potential attack vectors by analysing the results of reconnaissance efforts. These vectors may include SQL injection, Cross-Site Scripting (XSS), buffer overflows, file inclusion attacks, and so on.
- Exploitation – This stage involves exploiting vulnerabilities to gain access to sensitive data or systems. In some cases, this may require extensive knowledge of the target application's source code or configuration files.
- Post-exploitation – Because breaking in is laborious, an attacker who has gained access will want a direct way back in the second time. Post-exploitation simulates this: leaving backdoors, creating privileged accounts, changing passwords, and so on, so that systems and data can be reached again later. This is done only to test how an attacker would perform these activities, and all such changes are reverted after testing.
- Reporting and mitigation – This final stage involves documenting the results of the penetration test in a formal report, which will typically include recommendations for mitigating discovered vulnerabilities. These may include updating your server software, disabling unnecessary services, applying patches when available (especially on shared hosting servers), and changing default passwords.
Web application firewalls are an important part of any organization's security posture, but they should not be considered a silver bullet. A WAF can help protect your website from common attacks, but it is not foolproof.
It is essential to supplement your WAF with regular manual penetration testing to identify vulnerabilities that may otherwise go undetected. Manual penetration testing is the only way to find some stubborn vulnerabilities that go undetected through other testing methods. It provides the best assurance that your web applications are secure.
About the author
Ankit Pahuja is the Marketing Lead & Evangelist at Astra Security. Since reaching adulthood (literally, from the age of 20), he has been finding vulnerabilities in websites & network infrastructures. Starting his professional career as a software engineer at one of the unicorns enabled him to bring “engineering in marketing” to reality.
Working actively in the cybersecurity space for more than 2 years makes him the perfect T-shaped marketing professional. Ankit is an avid speaker in the security space and has delivered various talks at top companies, early-stage startups, and online events. You can contact him on LinkedIn.