In the context of web application security, penetration testing is commonly used to augment a Web Application Firewall (WAF). Pen testing can involve the attempted breaching of any number of application systems (e.g., application programming interfaces (APIs), frontend/backend servers) to uncover vulnerabilities, such as unsanitized inputs that are susceptible to code injection attacks. Insights provided by the penetration test can be used to fine-tune your WAF security policies and patch detected vulnerabilities.

The pen testing process can be broken down into five stages.

Five Stages of Penetration Testing

1. Planning and reconnaissance

Defining the scope and goals of a test, including the systems to be addressed and the testing methods to be used. Gathering intelligence (e.g., network and domain names, mail server) to better understand how a target works and its potential vulnerabilities.

2. Scanning

The next step is to understand how the target application will respond to various intrusion attempts. This is typically done using:

Static analysis – Inspecting an application’s code to estimate the way it behaves while running. These tools can scan the entirety of the code in a single pass.

Dynamic analysis – Inspecting an application’s code in a running state.

3. Gaining Access

This stage uses web application attacks, such as cross-site scripting, SQL injection and backdoors, to uncover a target’s vulnerabilities.
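The static analysis described in the scanning stage, and the unsanitized-input finding that a SQL injection test typically produces, can be illustrated with a small code check. The script below is an added example written for this page, not code from the original article or from any WAF vendor. It uses Python's standard ast module to walk source code and flag database execute() calls whose SQL text is assembled at run time by concatenation, %-formatting, str.format() or f-strings; the two sample sources it scans are constructed for illustration, one showing the vulnerable pattern and one the parameterised fix that keeps data separate from the query text. The method names in EXEC_METHODS are an assumption about DB-API style cursors.

```python
"""Toy static check for SQL queries built by string formatting.

Added example, not from the original article. It parses Python source with
the ast module and reports calls such as cursor.execute(...) whose first
argument is built dynamically, which is the classic precondition for SQL
injection when the dynamic part comes from untrusted input.
"""
import ast

# Assumption: DB-API style cursor methods that send SQL to the database.
# Extend this set for your own data-access layer.
EXEC_METHODS = {"execute", "executemany", "executescript"}


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression assembles a string at run time from parts."""
    if isinstance(node, ast.JoinedStr):  # f"..." with at least one {placeholder}
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True  # "SELECT ..." + value   or   "... %s" % value
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"  # "... {}".format(value)
    return False


def find_string_built_queries(source: str):
    """Return (line number, source snippet) for each flagged execute() call."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr in EXEC_METHODS:
            if _is_dynamic_string(node.args[0]):
                findings.append((node.lineno, ast.get_source_segment(source, node)))
    return findings


# Constructed sample: the kind of code a pen test report points at.
VULNERABLE_SRC = '''
def find_user(cursor, username):
    cursor.execute("SELECT id FROM users WHERE name = '" + username + "'")
    return cursor.fetchone()

def find_order(cursor, order_id):
    cursor.execute(f"SELECT * FROM orders WHERE id = {order_id}")
    return cursor.fetchone()
'''

# Constructed sample: the same logic with parameterised queries, so the
# driver never interprets user-supplied data as SQL.
HARDENED_SRC = '''
def find_user(cursor, username):
    cursor.execute("SELECT id FROM users WHERE name = ?", (username,))
    return cursor.fetchone()

def find_order(cursor, order_id):
    cursor.execute("SELECT * FROM orders WHERE id = ?", (order_id,))
    return cursor.fetchone()
'''


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SRC), ("hardened", HARDENED_SRC)):
        hits = find_string_built_queries(src)
        print(f"{label}: {len(hits)} finding(s)")
        for line, snippet in hits:
            print(f"  line {line}: {snippet}")
```

Run as a script it reports two findings in the vulnerable sample and none in the hardened one. The check is deliberately syntactic, which is exactly the trade-off the text describes for static analysis: it covers the whole code base in one pass but only estimates runtime behaviour, so it will flag a query assembled from constants just as readily as one assembled from a request parameter, and confirming which findings are reachable with attacker-controlled input is what the dynamic analysis and later stages are for.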