
The Anatomy of a Comprehensive Penetration Test

When it comes to web applications, there is no substitute for a thorough penetration test. Security can be overlooked when developers focus on creating as many features as possible for their users, but that lack of security can cost an organization dearly in the long run due to potential data breaches and other malicious attacks.

Web application attacks are becoming increasingly popular. Kaspersky’s Incident Response Analytics Report shows 53.6% of cyberattacks in 2021 started with the exploitation of a web application vulnerability. That figure rose to 70% in the 2022 edition of Verizon’s Data Breach Investigations Report.

Some organizations turn to automated tools for a quick perimeter assessment and vulnerability discovery, but those tools don’t use sophisticated methods and allow many vulnerabilities to slip through the cracks. Comprehensive penetration tests offer better visibility of an organization’s attack surface and inform approaches that introduce more security in application development.

As an experienced pentester, I’ve come to understand just how much value these tests offer. Results shouldn’t just show a client where the open doors are; they should offer instructions on how to close and lock them.

Pentesters think like attackers…but certainly don’t act like them. Tests can unveil what an attacker’s blueprint might look like — how they can leverage the current landscape to their advantage. But what does a comprehensive test actually look like? Let’s break down key components and why they matter.

Identification of common vulnerabilities

It’s important to understand the risks of common practices and the vulnerabilities they create. Cross-site scripting (XSS), for example, is a common attack type that has been around for years and still plagues many web applications today. Developers may consider XSS to be low-risk, and therefore don’t defend against it, but XSS can lead to serious consequences like account takeovers or data theft.
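As an added illustration of the point above (example code written for this article, not code from any application the author tested), the snippet below contrasts a greeting rendered by plain string interpolation with the same template after HTML-encoding the untrusted value, and includes a small check a test suite can use to flag renderings where user data has turned into markup. The function names, the `allowedTags` parameter and the sample display name are all constructed for the example.

```javascript
// Added example (not from the original article): why output encoding matters for XSS.
// Minimal HTML entity escaping for text placed into an element body or attribute value.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Hypothetical "before": builds a greeting by string interpolation with no encoding,
// so a display name containing markup becomes part of the page's DOM.
function renderGreetingUnsafe(displayName) {
  return `<p>Welcome back, ${displayName}!</p>`;
}

// Hardened version: the same template, but the untrusted value is encoded first.
function renderGreetingSafe(displayName) {
  return `<p>Welcome back, ${escapeHtml(displayName)}!</p>`;
}

// Detection aid for a review or test suite: does a rendered fragment contain any
// tag other than the ones the template itself emits? Crude, but it catches the
// classic breakout where user-supplied text is interpreted as HTML.
function containsUnexpectedTags(html, allowedTags) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)].map(m => m[1].toLowerCase());
  return tags.some(t => !allowedTags.includes(t));
}

// Constructed sample input: a "display name" that is really a script element.
const CONSTRUCTED_NAME = 'Mallory<script>alert(1)</script>';

// Stand-alone demonstration.
console.log("unsafe :", renderGreetingUnsafe(CONSTRUCTED_NAME));
console.log("safe   :", renderGreetingSafe(CONSTRUCTED_NAME));
console.log("unsafe leaks markup:", containsUnexpectedTags(renderGreetingUnsafe(CONSTRUCTED_NAME), ["p"]));
console.log("safe leaks markup  :", containsUnexpectedTags(renderGreetingSafe(CONSTRUCTED_NAME), ["p"]));
```

The encoding function covers the element-body and quoted-attribute contexts only; values placed into URLs, inline scripts or CSS need context-specific encoding, which is exactly the kind of detail a pentest report's remediation guidance should spell out.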

Homegrown authentication is another common weak spot in many web applications. While there are some mature and secure protocols available, developers often attempt to build their own, which almost always opens up new attack vectors. Security Assertion Markup Language (SAML) is one such protocol that has been gaining traction as of late, but if it’s implemented incorrectly the system can still be vulnerable to attack.

Attackers have leveraged XSS and bypassed feeble authentication to forge their way into applications for years. Finding these open doors is one of the most valuable aspects of conducting a comprehensive penetration test.

Inventory of assets and advice to secure them

For organizations to gain the most from their penetration test, certain facets must be included in the report. Each finding should have a clear explanation of both risk and remediation so that teams can easily understand what needs to be fixed and how to fix it.

The goal of a penetration test should be to deliver a blueprint for achieving an improved security posture so these organizations can be set up for success. This means including best practices for fixing any issues where the pentester does not know the specific implementation details. A report that stops at a list of diagnosed vulnerabilities falls short of that goal.

A complete inventory of all assets should also be included, with detail on the asset type, IP address, and geolocation information. This will provide visibility into how large an organization’s attack surface is and allow teams to understand which issues should take priority when multiple are found.

Comprehensive discovery

No asset or resource should be considered “out of scope” when conducting a penetration test. This includes not only the web application itself, but also any external resources that it relies on, including API servers and third-party integrations.

Developers may claim that since they didn’t create those resources they shouldn’t be on the hook to secure them, but the organization still needs to be accountable because it is using them. Focusing only on how to enable functionality, and not on whether those features are secure, makes an organization an easy target.

Pentesters have to play the role of devil’s advocate. Attackers feast on the resources that many organizations claim are “out of scope.” Enabling that mentality only makes an organization weaker and gives an attacker resources to leverage so they can gain access.

Organizations often underestimate how vulnerable their applications can be. Most know that it’s a problem — a recent study by Trend Micro shows 73% of organizations worry their attack surface is growing and 43% believe it is “spiraling out of control” — but don’t know how to control it.

That’s where a comprehensive penetration test comes in to provide a much-needed wake-up call.

These insights can help an organization understand the true risk each vulnerability poses and inform better security protocols going forward. A comprehensive penetration test also offers visibility into blind spots within the application’s attack surface, giving teams a chance to plan ahead and keep attackers from succeeding.