A web application penetration test is an activity designed to gauge how an Internet-based program would behave during an attack or exploit. These tests make use of a variety of software programs to scan an application and then perform different actions that might occur during an actual attack. A web application penetration test can be performed by a development team or a third-party service provider. If an outside provider is used, the development team or information technology (IT) staff will sometimes not be notified of the test by the management. This may allow a web application penetration test to uncover flaws that might have otherwise gone unnoticed, which can allow those issues to be fixed prior to the release of the software.
Web applications are software packages that can be accessed and ran over the Internet. These applications can perform many functions, and in some cases they are responsible for handling data that is considered private or even valuable. In order to avoid compromising attacks, penetration tests are typically performed to locate any weaknesses or easily exploited areas in the code.
Typical web application penetration tests begin with an information gathering phase. The purpose of this step is to determine as much information about the application as possible. By sending requests to the application, and using tools such as scanners and search engines, it is often possible to obtain information such as software version numbers and error messages that are often used to find exploits later on.
After a sufficient amount of information has been accumulated, the next goal of a web application penetration test is to perform a number of different attacks and exploits. In some cases, the information gathered during the first phase will identify exploits the application might be vulnerable to. If no obvious vulnerabilities were detected, then a full range of attacks and exploits can be attempted.
Many different technical vulnerabilities can be located by a web application penetration test. These tests will typically attempt to use methods such as universal resource locator (URL) manipulation, session hijacking and structured query language (SQL) injection to break into an application. There may also be an attempt to initiate a buffer overflow or other similar actions that can cause an application to behave abnormally. If any of these attacks or exploits causes the application to reveal sensitive data to the penetration tester, the flaws are typically reported along with a suggested course of action.