Introduction
Web Application Security Testing (WAST), or webapp security testing for short, is a proactive approach to identifying and mitigating vulnerabilities in web applications. It is a method for meticulously searching your web application for weaknesses that threat actors could exploit. For a company with an online presence, web application security is essential; skipping it is like checking that all the doors are locked and most of the windows are secure before leaving the house, but leaving the kitchen window cracked open. A threat actor needs only one vector to breach a company's environment. By rigorously testing a web application's security, you fortify it against potential breaches and help protect the confidentiality, integrity, and availability of the network, systems, and data.
Generalized Breakdown of WAST Components:
Vulnerability Identification: Vulnerabilities are usually identified through automated and/or manual testing. A security assessor may manually review application code looking for vulnerable functions, or automated tools may examine the application's code, configuration, and architecture, statically or dynamically, to uncover weaknesses that threat actors could exploit.
Risk Assessment: When reviewing the results of manual and/or automated testing, the security assessor may classify each vulnerability by CVSS (Common Vulnerability Scoring System) score and/or CWE (Common Weakness Enumeration). This evaluation of severity and potential impact allows fixes to be prioritized so that the most critical issues are addressed first.
Reporting and Remediation: At this stage the security assessor distributes a comprehensive report outlining the identified vulnerabilities and recommendations for remediation. It is then the responsibility of the asset owner to apply patches and/or adopt security best practices to mitigate the detected vulnerabilities.
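As an added illustration of the Risk Assessment and Reporting steps (example code written for this edit, not from the original post or any vendor tool), the script below maps constructed sample findings onto the CVSS v3.1 qualitative severity scale, orders them most-critical first, and groups them by CWE so that one root-cause fix can be tied to several findings. The finding ids, titles, CWE ids and scores are made-up sample data.

```python
from collections import defaultdict

# CVSS v3.1 qualitative severity rating scale as (score floor, label).
SEVERITY_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low"), (0.0, "None")]

def cvss_severity(score: float) -> str:
    """Map a CVSS v3.1 base score (0.0-10.0) to its qualitative rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label

# Constructed sample findings shaped like a typical DAST/SAST export
# (ids, titles, CWE ids and scores are made up for this example).
FINDINGS = [
    {"id": "F-1", "cwe": "CWE-79", "cvss": 6.1, "title": "Reflected XSS in search parameter"},
    {"id": "F-2", "cwe": "CWE-89", "cvss": 9.8, "title": "SQL injection in login form"},
    {"id": "F-3", "cwe": "CWE-862", "cvss": 8.1, "title": "Missing authorization on /admin/export"},
    {"id": "F-4", "cwe": "CWE-200", "cvss": 5.3, "title": "Server version disclosed in header"},
    {"id": "F-5", "cwe": "CWE-79", "cvss": 8.2, "title": "Stored XSS in product review"},
]

def prioritise(findings):
    """Return a copy of the findings, tagged with severity, most critical first."""
    tagged = [dict(f, severity=cvss_severity(f["cvss"])) for f in findings]
    return sorted(tagged, key=lambda f: (-f["cvss"], f["id"]))

def group_by_cwe(findings):
    """Group finding ids by CWE: one root-cause fix often closes several findings."""
    groups = defaultdict(list)
    for f in findings:
        groups[f["cwe"]].append(f["id"])
    return dict(groups)

def remediation_summary(findings) -> str:
    """Render the prioritised list as plain text for the report."""
    rows = [f'{f["severity"]:<8} {f["cvss"]:>4}  {f["id"]}  {f["cwe"]:<8} {f["title"]}'
            for f in prioritise(findings)]
    return "\n".join(rows)

if __name__ == "__main__":
    print(remediation_summary(FINDINGS))
    for cwe, ids in group_by_cwe(FINDINGS).items():
        print(f"{cwe}: {', '.join(ids)}")
```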
WAST Benefits (it can assist in the following):
Prevention of data breaches and protection of sensitive information. By detecting and mitigating known webapp vulnerabilities, it closes vectors that threat actors could use to penetrate network defenses and reach sensitive data.
Improving the overall security posture of a web application. Mitigating detected vulnerabilities makes it harder for threat actors to gain unauthorized access and disrupt operations.
Building trust and confidence with users and customers. Continuously monitoring and securing your web applications demonstrates a commitment to security.
Staying in compliance with regulations and frameworks. Regulations and frameworks such as PCI-DSS, HIPAA, FedRAMP, Protected B, ISO 27001, etc. impose security control requirements that may need to be met in order to operate in certain industries and parts of the world.
Common Webapp Security Testing Techniques (Not an extensive list):
Webapp pentesting: This involves evaluating the security of a webapp by simulating real-world attacks. The goal of this testing is to identify vulnerabilities, security control failures, and business logic flaws in order to assist webapp owners in addressing them to prevent exploitation by threat actors.
Vulnerability scanning: This security practice uses automated vulnerability management tools, such as Nessus or Nexpose, to identify and assess potential security misconfigurations or vulnerabilities within a web server. It is designed to proactively discover exploitable vulnerabilities and misconfigurations, allowing organizations to address and mitigate them before threat actors can exploit them.
Webapp vulnerability scanning: This security practice uses automated dynamic application security testing (DAST) tools, such as WebInspect, Netsparker, etc., to identify and assess potential security weaknesses or vulnerabilities within a webapp. It is designed to proactively discover issues that threat actors could exploit, allowing organizations to address and mitigate these vulnerabilities before they can be used for malicious purposes.
Code review: This security practice focuses on identifying and mitigating security vulnerabilities in a webapp's source code using manual analysis and/or static application security testing (SAST) tools, such as Fortify SCA, Veracode, Snyk, SonarQube, etc. The aim is to meticulously analyze the code to identify potential security risks, ensure alignment with security best practices, and fortify the overall security posture of the webapp.
Most Prevalent Web Application Vulnerabilities (100% obtained from OWASP Top 10 for 2021):
A01:2021-Broken Access Control moves up from the fifth position; 94% of applications were tested for some form of broken access control. The 34 Common Weakness Enumerations (CWEs) mapped to Broken Access Control had more occurrences in applications than any other category.
A02:2021-Cryptographic Failures shifts up one position to #2, previously known as Sensitive Data Exposure, which was a broad symptom rather than a root cause. The renewed focus here is on failures related to cryptography which often leads to sensitive data exposure or system compromise.
A03:2021-Injection slides down to the third position. 94% of the applications were tested for some form of injection, and the 33 CWEs mapped into this category have the second most occurrences in applications. Cross-site Scripting is now part of this category in this edition.
A04:2021-Insecure Design is a new category for 2021, with a focus on risks related to design flaws. If we genuinely want to “move left” as an industry, it calls for more use of threat modeling, secure design patterns and principles, and reference architectures.
A05:2021-Security Misconfiguration moves up from #6 in the previous edition; 90% of applications were tested for some form of misconfiguration. With more shifts into highly configurable software, it’s not surprising to see this category move up. The former category for XML External Entities (XXE) is now part of this category.
A06:2021-Vulnerable and Outdated Components was previously titled Using Components with Known Vulnerabilities and is #2 in the Top 10 community survey, but also had enough data to make the Top 10 via data analysis. This category moves up from #9 in 2017 and is a known issue that we struggle to test and assess risk. It is the only category not to have any Common Vulnerability and Exposures (CVEs) mapped to the included CWEs, so default exploit and impact weights of 5.0 are factored into their scores.
A07:2021-Identification and Authentication Failures was previously Broken Authentication and is sliding down from the second position, and now includes CWEs that are more related to identification failures. This category is still an integral part of the Top 10, but the increased availability of standardized frameworks seems to be helping.
A08:2021-Software and Data Integrity Failures is a new category for 2021, focusing on making assumptions related to software updates, critical data, and CI/CD pipelines without verifying integrity. One of the highest weighted impacts from Common Vulnerability and Exposures/Common Vulnerability Scoring System (CVE/CVSS) data mapped to the 10 CWEs in this category. Insecure Deserialization from 2017 is now a part of this larger category.
A09:2021-Security Logging and Monitoring Failures was previously Insufficient Logging & Monitoring and is added from the industry survey (#3), moving up from #10 previously. This category is expanded to include more types of failures, is challenging to test for, and isn’t well represented in the CVE/CVSS data. However, failures in this category can directly impact visibility, incident alerting, and forensics.
A10:2021-Server-Side Request Forgery is added from the Top 10 community survey (#1). The data shows a relatively low incidence rate with above average testing coverage, along with above-average ratings for Exploit and Impact potential. This category represents the scenario where the security community members are telling us this is important, even though it’s not illustrated in the data at this time.
Reading Material
In this section I noted some material that can assist in gaining essential knowledge of webapp security testing. Learning webapp security testing can equip you with a diverse skill set, such as understanding software development processes, identifying vulnerabilities, analyzing risks, and writing test scripts. Cybersecurity is a constantly evolving field that requires critical thinking, problem-solving, and staying up to date with the latest technologies and security threats.
OWASP WSTG (Web Security Testing Guide)
OWASP created the WSTG, an extensive guide for assessing the security of webapps and web services. Developed through the collaborative efforts of cybersecurity professionals, it offers a framework of best practices embraced by pentesters and organizations worldwide. (https://owasp.org/www-project-web-security-testing-guide/)
Books (Not an extensive list)
"The Web Application Hacker's Handbook" by Dafydd Stuttard and Marcus Pinto
"The Tangled Web: A Guide to Securing Modern Web Applications" by Michal Zalewski
"Web Application Security, A Beginner's Guide" by Bryan Sullivan and Vincent Liu
"Practical Web Penetration Testing: Secure Web Applications Using Burp Suite, Nmap, Metasploit, and More" by Gavin D. O'Reilly
Blogs (Not an extensive list)
PortSwigger Blog (https://portswigger.net/blog)
Synopsys Web AppSec (https://www.synopsys.com/blogs/software-security/category.web-appsec.html#1)
HackerOne Knowledge-Center (https://www.hackerone.com/knowledge-center)
Acunetix Blog (https://www.acunetix.com/blog/)
Veracode Blog (https://www.veracode.com/blog)
Tools (In no particular order and not an extensive list)
OWASP ZAP (Zed Attack Proxy): An open-source tool developed by OWASP and widely used for webapp security testing. It is similar to Burp Suite, though less fully featured, and can be used for both automated and manual testing.
Burp Suite: Known as the Swiss Army knife of web application security. Burp Suite is a comprehensive testing toolkit that combines a scanner, proxy, spider, and various modules for testing a wide range of vulnerabilities.
W3af (Web Application Attack and Audit Framework): An open-source web application security testing framework. W3af assists security professionals and developers in discovering and exploiting security vulnerabilities in webapps, and offers a variety of tools and plugins for discovering and assessing potential security issues.
Acunetix: A webapp security scanner developed by Acunetix Ltd. Acunetix excels in black-box testing and deep analysis, catching hidden flaws such as blind XSS with its AcuMonitor. It supports automation and integration for identifying, assessing, and reporting vulnerabilities in web apps.
Arachni: Another webapp scanner that can identify SQL injection, cross-site scripting (XSS), and other common webapp vulnerabilities. It can detect weaknesses in a webapp's API, audit client-side code, and generate detailed reports.
Just to name a few examples.
WAST Practice: Vulnerable Web Applications
BadStore - Badstore.net is a vulnerable host that can be downloaded from VulnHub. It was initially developed to enhance security professionals' understanding of how threat actors exploit webapp vulnerabilities. The lab provides guidance on minimizing webapp exposures.
BodgeIt Store - BodgeIt Store is a deliberately vulnerable webapp created by psiinon and aimed at individuals who are new to penetration testing and cybersecurity. It provides a simulated environment where users can practice and enhance their skills in identifying and addressing security vulnerabilities. It can be downloaded from the psiinon/bodgeit GitHub repository or launched on the AttackDefense Pentester Academy website.
bWAPP - bWAPP (Buggy Web Application) is a deliberately insecure webapp created for security testing. It is a free and open-source project that is available from several locations, such as Pentester Academy, SourceForge, and VulnHub. bWAPP provides a platform for practicing and improving web application security skills in a safe environment.
Damn Vulnerable Cloud Application - A Python-based webapp that simulates a vulnerable AWS Lambda function with pre-built exploits. It is designed to help security professionals learn how to identify and exploit privilege escalation vulnerabilities in AWS environments.
Damn Vulnerable Node Application (DVNA) - A deliberately vulnerable web application built with Node.js. It is designed to help developers and security professionals learn about and practice identifying, exploiting, and fixing common web application vulnerabilities associated with Node.js.
Damn Vulnerable Web App (DVWA) - It contains various security vulnerabilities that are commonly found in real-world web applications. These vulnerabilities are categorized into different difficulty levels, allowing users to start with simple challenges and gradually progress to more complex ones as they gain proficiency in identifying and exploiting security flaws.
Damn Vulnerable Web Services (DVWS) - It is a purposely vulnerable web application featuring a variety of exposed web service components, providing an immersive environment for hands-on learning of real-world web service vulnerabilities.
OWASP Juice Shop - An open source platform designed to enhance webapp security skills through a diverse array of hacking challenges spanning various levels of difficulty.
OWASP Security Shepherd - OWASP Security Shepherd serves as a comprehensive web and mobile application security training platform, meticulously crafted to enhance security awareness across a diverse range of skill sets.
WebGoat.NET - It encompasses a comprehensive range of generic security flaws that are relevant to a broad spectrum of web applications.
OWASP VWAD (Catalog of OWASP Vulnerable WebApps)
The OWASP Vulnerable Web Applications Directory (VWAD) Project is a comprehensive and well maintained registry of known vulnerable web and mobile applications currently available. These vulnerable web applications can be used by web developers, security auditors, and penetration testers to practice their knowledge and skills during training sessions (and especially afterwards), as well as to test at any time the multiple hacking tools and offensive techniques available, in preparation for their next real-world engagement.
For a list of vulnerable web applications to practice on, review the following OWASP link (https://owasp.org/www-project-vulnerable-web-applications-directory/). Depending on the type of vulnerable web app you are looking for, select the "Mobile", "Online", "Offline", or "Containerized" tab for a list.
Conclusion
In conclusion, webapp security testing is vital for organizations to implement and for security professionals to learn. A large percentage of the webapps that organizations run are more than likely internet facing. Based on studies, nearly 98% of internet-facing webapps have vulnerabilities that threat actors could exploit, and it is estimated that an organization will have 30% of its webapps accessible from the internet. Gaining foundational knowledge of webapp security testing can benefit the security professional through intellectual and personal growth, job security, and career advancement. For organizations, it can reduce the risk of cyberattacks, assist with regulatory compliance, allow for a more efficient and streamlined CI/CD pipeline, and help protect brand reputation.
In this blog post, I provided a brief overview of WAST, including a general breakdown of WAST components, the WAST benefits, the testing methods available for webapp security testing, and the OWASP Top 10. I noted some resources that can help anyone interested in webapp security testing gain foundational knowledge. These included reading material, webapp security testing tools, and vulnerable webapps that can be used for practice.
Thank you for taking the time to read the "Brief Introduction to Web Application Security Testing". If you find this content informative and you are interested in cybersecurity, please regularly check back on the Cyb3r-S3c website. For more free content, please like and subscribe to the Cyb3r-0verwatch channel. Until next time keep learning, the only way to improve is to keep learning.
/Signing Off,
Pragmat1c_0n3