Savvior’s Guide to Web Penetration Testing


Web penetration testing is an ethical hacking service in which a vendor attempts to break into an existing website project or web services architecture to uncover vulnerabilities in its code. Any vulnerabilities that are found must then be remediated prior to publishing the website. Most companies employ penetration testing to help create a web application firewall (WAF) in order to prevent future cyber attacks. According to a 2018 Global Security Report from Trustwave, the average web application contains 11 security vulnerabilities. Because of this, web penetration testing is crucial for ensuring that black hat hackers can’t break into systems and exploit private information for financial gain.  

Penetration testing can be performed against various types of codes and systems using

applications such as APIs and servers. Best practices indicate that you should

have your entire web infrastructure tested at least once per quarter.

There are five stages in every Pen Test. Savvior’s IT consulting experts in Pittsburgh will give you a quick breakdown on each of these five steps. 

1. Planning and data gathering

man planning

First, you need to define your goals for the penetration testing. Which systems will you be testing? What methods will you need to use? What is the overall scope of the test? Once you have finished answering these questions, your hacker will then need to gather information on your attack target. This might include its network and domain names, IP addresses, mail servers, network topology or information on its mail server. A non-disclosure agreement is usually signed between the parties conducting the test before the process can officially begin. 

2. Scanning 

eyeglass scanning

Once you are finished defining your goals and gathering information on your attack target, you will need to learn how the intended target will respond to different intrusion attempts. People typically do this using tools such as a vulnerability scanner or DAST. They will then perform a static analysis or a dynamic analysis. In a static analysis, the target’s entire code is scanned in a single pass by either a YTool or an expert application vulnerability analyst to predict how it may behave while running. A dynamic analysis is considered more practical, as it inspects the application’s code while it is already running. With this method, inspectors are given a real-time view into their application’s performance. This stage usually takes the longest for the hacker, as he will need to find all of the vulnerabilities he can before completing the actual test. The overall goal with this step is to identify as many vulnerabilities in the target system as possible before then exploiting them. 

3. Gaining access

cyber security

Once all of the vulnerabilities are identified, the actual attack on the target can be staged. Hackers will usually use Cross-Site Scripting, SQL Injection, or backdoors to initiate these attacks and expose the vulnerabilities they previously found in the target’s system, firewall, secured zone, or server. They will then attempt to steal data or increase sharing permissions in the target in order to see how much damage they can do. 

However, it is important to note that not all vulnerabilities found will be explored completely in this stage. Only the ones that are exploitable enough to provide access to the target will be used. 

4. Maintaining access

key on enter button

The hacker must then see whether or not he can remain in the system. If he can maintain a persistent presence within it, then he can gain enough sensitive information over a period of time before exploiting it. The hacker must also make sure that he can still access the system even after it is rebooted, rest, or modified. 

This method is employed to imitate advanced persistent threats, which function by remaining in a system for months before stealing a company’s private data. During this stage, hackers can also gain data, compromise the system, and launch attacks. 

5. Covering tracks

The attacker must take care to remain undetected. Any changes he made to the system must be returned to a normal state that will not raise any red flags. 

Final Notes and Conclusion 

After testing is complete, the results are then compiled into a detailed report that includes the vulnerabilities exploited by the hacker, whatever sensitive data he was able to access, and how much time he spent in the system undetected. Once the executive management receives this report, they will need to decide how they want to address these security risks and vulnerabilities.  

Comprehensive testing is critical for keeping your business safe and secure. Savvior understands the risks associated with failing to explore your company’s security vulnerabilities. For more information on how Savvior can help your business remain protected from hackers, contact our team of IT consulting experts in Pittsburgh for a quote today.