Web Penetration Testing
Web Penetration Testing: What It Is
Web Penetration Testing is, as the name suggests, a penetration test that focuses solely on a web application rather than a network or company. The underlying concept and objectives of discovering security weaknesses and strengthening defense mechanisms are the same. In fact, a lot of the same tools and attack vectors are leveraged during the engagement. The key distinction is found in the methodology that web penetration testers use to footprint or map out a web application's functionality and then interrogate its entry points (usually user-supplied input fields).
Automated tools are absolutely necessary for this type of assessment; however, a detailed understanding of web-based client/server interaction is required to properly use most of the tools available.
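The footprinting step described above, as an added example that is not part of the original article: a small stdlib-only mapper that takes fetched HTML pages and produces an inventory of entry points (form fields and query-string parameters) for the tester to interrogate later. The pages and the host name app.example are constructed samples, not a real site.

```python
"""Entry-point mapper: builds an inventory of user-supplied input points
from fetched HTML. Standard library only; sample pages are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, parse_qsl


class EntryPointParser(HTMLParser):
    """Collects <form> definitions (action, method, named fields) and hrefs."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.forms = []     # list of {"action", "method", "fields"}
        self.links = set()  # absolute URLs seen in href attributes
        self._form = None   # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": urljoin(self.base_url, a.get("action", "")),
                          "method": a.get("method", "get").upper(),
                          "fields": []}
        elif tag in ("input", "textarea", "select") and self._form is not None:
            if a.get("name"):  # unnamed controls never reach the server
                self._form["fields"].append((a["name"], a.get("type", tag)))
        elif tag == "a" and a.get("href"):
            self.links.add(urljoin(self.base_url, a["href"]))

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def map_entry_points(pages):
    """pages: {url: html}. Returns a sorted list of (method, url, param_names).
    Links without query parameters are not entry points and are dropped."""
    entries = set()
    for url, html in pages.items():
        p = EntryPointParser(url)
        p.feed(html)
        for f in p.forms:
            entries.add((f["method"], f["action"], tuple(sorted(n for n, _ in f["fields"]))))
        for link in p.links:
            u = urlparse(link)
            params = tuple(sorted(k for k, _ in parse_qsl(u.query, keep_blank_values=True)))
            if params:
                entries.add(("GET", u._replace(query="", fragment="").geturl(), params))
    return sorted(entries)


SAMPLE_PAGES = {  # constructed sample site, not real content
    "http://app.example/": '<a href="/search?q=&page=1">search</a><a href="/about">about</a>',
    "http://app.example/login": '<form action="/auth" method="post"><input name="user">'
                                '<input type="password" name="pass"><input type="hidden" name="csrf"></form>',
}

if __name__ == "__main__":
    for method, url, params in map_entry_points(SAMPLE_PAGES):
        print(f"{method:4} {url} params={','.join(params)}")
```

Each line of the inventory is one request shape (method, URL, parameter names) that a tester would later probe, and a defender can use the same inventory to check that every listed parameter has server-side validation.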
Web Penetration Testing: What It Is Not
You may have heard someone refer to a Source Code Review as Web Penetration Testing. These two types of assessments, although both security-driven, are very different and should not be lumped together. A source code review focuses on finding security weaknesses and best-practice deficiencies directly at the source code layer, and this type of engagement is typically performed in a pre-release timeframe. Web penetration testing, by contrast, targets a live application post-release.
Recommended Reading
We highly recommend you purchase The Web Application Hacker’s Handbook. This book covers every aspect of Burp Suite in much greater detail than this tutorial and should be considered an absolute MUST READ for any professional that is serious about Web Penetration Testing and ethical hacking.
As a reminder, Pentest Geek will receive a small commission if you purchase any of these titles by following the affiliate links on this page. Some additional titles you might consider include but are definitely not limited to:
Web Penetration Testing: Tools
Below are just a few of the tools commonly leveraged during a web penetration testing engagement.
| Name | Additional Information |
|---|---|
| Burp Suite | https://www.pentestgeek.com/what-is-burpsuite |
| Samurai WTF | http://samurai.inguardians.com/ |
| Zed Attack Proxy | https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project |
| Nikto2 | https://cirt.net/Nikto2 |
Web Penetration Testing: Related Content
Below are some of Pentest Geek's articles which feature Web Penetration Testing and are intended for educational purposes. If you desire a more complete understanding, you might enjoy purchasing The Web Application Hacker's Handbook.
- Burp Suite Tutorial – Web Penetration Testing (Part 1) – An introduction to web application penetration testing with Burp Suite. Discusses initial configuration and a basic overview of web testing methodology.
- How To Use Burpsuite – Web Penetration Testing (Part 2) – Expanding on the previous tutorial and offering deeper insight into some of the more advanced features and functionality. Targeted for slightly more advanced users.
- Stealing The Keys To The Kingdom Through SQL Injection – A demonstration of the powerful SQL Injection attack leveraged during a web penetration testing engagement.