Hopefully, you have had a chance to read our primers on preparing for internal penetration tests and external penetration tests. If not, we’ve linked to them for your convenience. Today, we are focusing on another key area: OWASP penetration tests.
Before we discuss preparation, I want to cover what an OWASP penetration test (pen test) is not. It is not an external pen test. Most of the elements and tools involved in an external pen test are also used in an OWASP pen test, but that alone is not enough. It is a test designed to validate the security controls of your web application and leverages tools like Nikto, OWASP ZAP, and Burp Suite among others, which are specifically built for assessing the security of web applications. That should clarify what it is and what it is not.
With that out of the way, let us discuss how to prepare for an OWASP pen test. I want to break this down into three primary areas:
- Scope
- Environment
- Credential vs. non-credential testing
Scope
The first thing is to identify which specific websites and applications you want to test.
The next step is to identify the scope of testing. For example, if you have an online shopping cart with 500 items in your inventory, you do not need to test five hundred different pages. Typically, the item content would be rendered dynamically, so an error on the page for one item will likely be the same error for another.
Identify any pages you have that contain input fields and include them in the scope to be evaluated. This lets the tester verify that the fields are not subject to injection attacks, which could expose sensitive information or provide access to a back-end database. You also want to make sure you include your APIs in the testing. Insecure and improperly configured APIs have grown to be a new favorite attack vector of threat actors.
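As an added example (not code from the original post), here is a small Python script that applies the scoping idea above to a crawl or sitemap export: it collapses dynamically rendered pages into one template per URL pattern and records which templates take user-supplied parameters or sit under an API path. The sample URL list and the /api/ prefix convention are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: what a sitemap or crawl export of a small shop might look like.
SAMPLE_URLS = [
    "https://shop.example/item/101",
    "https://shop.example/item/102?ref=email",
    "https://shop.example/item/103",
    "https://shop.example/cart",
    "https://shop.example/search?q=shoes&page=2",
    "https://shop.example/search?q=hats",
    "https://shop.example/account/login",
    "https://shop.example/api/v1/orders/7c9e6679-7425-40de-944b-e07fc1f90ae7",
    "https://shop.example/api/v1/orders/16fd2706-8baf-433b-82eb-8c7fada847da?expand=items",
]

UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


def template_path(path: str) -> str:
    """Collapse dynamic segments (numeric ids, UUIDs) into {id}, so that
    /item/101 and /item/102 map to the single template /item/{id}."""
    parts = []
    for seg in path.split("/"):
        parts.append("{id}" if seg.isdigit() or UUID_RE.match(seg) else seg)
    return "/".join(parts) or "/"


def build_scope(urls):
    """Return {template: {"count": pages seen, "params": sorted query parameter
    names, "api": True if the template lives under the assumed /api/ prefix}}.
    Templates with params are the input-bearing pages worth explicit scoping."""
    scope = defaultdict(lambda: {"count": 0, "params": set(), "api": False})
    for url in urls:
        u = urlsplit(url)
        entry = scope[template_path(u.path)]
        entry["count"] += 1
        entry["params"].update(k for k, _ in parse_qsl(u.query, keep_blank_values=True))
        entry["api"] = entry["api"] or template_path(u.path).startswith("/api/")
    return {t: {"count": e["count"], "params": sorted(e["params"]), "api": e["api"]}
            for t, e in scope.items()}


if __name__ == "__main__":
    for tmpl, info in sorted(build_scope(SAMPLE_URLS).items()):
        flag = "API " if info["api"] else "    "
        print(f"{flag}{tmpl:30} pages={info['count']:<3} params={','.join(info['params']) or '-'}")
```

Running it against the sample prints five templates instead of nine URLs, with /item/{id} standing in for every product page and the two order-API URLs grouped together.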
Environment
The question often comes up about whether we should conduct the test against the production or test environment. In most cases, I recommend customers use their test environment, so they don’t risk taking down their production site or database if something goes wrong.
However, if you do not have a dedicated test environment and need to test against production, I recommend the following:
- Ensure you have current backups of the site, applications, and back-end database, if applicable.
- If possible, have the testing conducted during off hours to minimize the potential impact to your business.
- Make sure to provide the pen testing company with your contact information and be sure to get theirs as well. Have that information readily available during the testing in case an event occurs that requires the testing to be paused or stopped.
- Clearly define who, when, and how someone should be contacted for a potential emergency. Providing an escalation path or call tree ahead of time will eliminate potential confusion if an emergency arises. During the pen test be sure to keep the lines of communication open with your pen testing vendor.
Credential vs. non-credential testing
There is no right or wrong answer when deciding whether to conduct a test using account credentials or to forgo that and do a non-credentialed test. It really depends on what you want to accomplish. There are significant benefits to conducting a credentialed test, as it will readily reveal what a person with a credentialed account could accomplish once they log in to the application. Are they able to gain access to back-end systems? Can they elevate their level of access? Is their access overprovisioned (too much access)? A credentialed test could uncover a misconfiguration that might lead to the corruption of the site/application, or allow someone to drop malicious software on your site.
Remember, penetration testing is a preventive measure. Just like having your car routinely inspected, you want to make sure it is safe before something bad happens. You want the good guys (your pen testing company) to identify potential problems, so you can fix them before the bad guys find them.
If your organization is looking to validate the security of its web applications, our expert team is here to help. Click here to learn more about our penetration testing services and take the next step toward protecting your applications from potential threats.