In: Computer Science
Q Imagine that you are the Information Security Officer (ISO) of your organization. Develop a plan to conduct a Web application penetration test on your network. Identify and explain all steps necessary to successfully complete the test.
Ans: Before laying out the plan for conducting a web application penetration test, let's first learn a little about penetration testing. Penetration testing is basically a security exercise in which a cyber-security expert makes an effort to find vulnerabilities in a computer system and also exploit those vulnerabilities. The purpose of this testing is to find any weak spots in the system that an attacker could take advantage of. It is also called a pen test. Some of the types of penetration testing (pen tests) are as follows:
After the test is completed, the web application firewall (WAF) configuration is updated to secure against the weak spots that were discovered in the pen test.
Now let's see the steps and the plan that should be developed to conduct a web application penetration test. In the plan for the pen test we basically define the scope and the security measures we take to protect the system from vulnerabilities. In the context of web application pen testing, this is called the web application firewall (WAF).
The following steps are involved in the penetration test:
1) Planning and investigation: This is the first step in pen testing, where the planning and the investigation are done. In this step we develop the plan and the goals of the test; the systems to be addressed and the testing methods to be used are defined. In this step we also gather intelligence to understand how the target basically works and what its potential vulnerabilities are.
2) Scanning: This is the second stage of the pen test, in which we basically understand how the target application will respond to intrusion attempts. This is done by two methods:
a) Static analysis: This basically inspects the application's code to see how it behaves while running. It scans the entire code in a single scan.
b) Dynamic analysis: This inspects the code while the application's code is in the running state. It provides a real-time view of the system's performance and is more practical than static scanning.
3) Gaining access: This stage basically uses web application attacks like SQL injection, backdoors and cross-site scripting. The tester tries to find and exploit the vulnerabilities and also find the causes of the damage.
4) Maintaining access: Basically the goal of this step is to see what the vulnerability can cause or exploit in the system.
5) Analysis: This is the last stage, in which we find out the results of the penetration test, which can be defined in the following points:
All this information is analyzed by the security personnel, which helps to configure the enterprise's web application firewall (WAF) settings and the security solution for the application, and also protects against future attacks.
Thanks, I think this will give you a better intuition about your question. If you have any doubt, feel free to ask in the comment section.
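As an added example (not part of the answer above and not code from the original page), here is a small Python harness that walks the plan's steps against a constructed, in-memory target: a scope check for the planning step, then the dynamic probes a tester would run in the scanning and gaining-access steps for SQL injection and reflected cross-site scripting, each executed against a deliberately vulnerable handler and its fixed form so the analysis step has something to compare. The target application, the hostname and path prefixes in the scope, the payloads and the user rows are all hypothetical and constructed for this example.

```python
import html
import sqlite3
from urllib.parse import urlparse

# Step 1, planning: rules of engagement for this hypothetical test. Only these
# hosts and URL path prefixes may be touched (assumed values, not a real target).
SCOPE = {
    "hosts": {"app.example.test"},
    "path_prefixes": ("/api/", "/greet"),
}


def in_scope(url):
    """Refuse anything outside the agreed scope before sending a single request."""
    parsed = urlparse(url)
    return parsed.hostname in SCOPE["hosts"] and parsed.path.startswith(SCOPE["path_prefixes"])


# Constructed stand-in for the real web application (in-memory only).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")])
    return conn


def lookup_user_vulnerable(conn, username):
    # Query built by string concatenation: the tester's input becomes SQL syntax.
    sql = "SELECT id, username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_user_fixed(conn, username):
    # Parameterised query: the input is bound as a value, never parsed as SQL.
    return conn.execute("SELECT id, username, role FROM users WHERE username = ?",
                        (username,)).fetchall()


def greet_vulnerable(name):
    return "<p>Hello " + name + "</p>"           # reflects input unescaped


def greet_fixed(name):
    return "<p>Hello " + html.escape(name) + "</p>"


# Steps 2 and 3, scanning and gaining access: two cheap but decisive probes.
SQLI_PAYLOAD = "' OR '1'='1"
XSS_PAYLOAD = "<script>alert(1)</script>"


def probe_sqli(lookup, conn):
    """Boolean-based check: a tautology appended to an unknown username must not
    return more rows than the unknown username alone. Also records an error-based
    signal: a lone quote that breaks the query means input reaches the parser."""
    baseline = lookup(conn, "no-such-user")
    tautology = lookup(conn, "no-such-user" + SQLI_PAYLOAD)
    try:
        lookup(conn, "no-such-user'")
        error_based = False
    except sqlite3.Error:
        error_based = True
    return {"boolean_based": len(tautology) > len(baseline), "error_based": error_based}


def probe_reflected_xss(render):
    """If the payload comes back byte-for-byte, the page reflects it unescaped."""
    return XSS_PAYLOAD in render(XSS_PAYLOAD)


# Step 5, analysis: run every probe against every handler and collect findings.
def run_assessment(target_url="https://app.example.test/api/users"):
    if not in_scope(target_url):
        raise ValueError("target is outside the agreed scope: " + target_url)
    conn = make_db()
    return {
        "sqli": {
            "vulnerable_handler": probe_sqli(lookup_user_vulnerable, conn),
            "fixed_handler": probe_sqli(lookup_user_fixed, conn),
        },
        "xss": {
            "vulnerable_handler": probe_reflected_xss(greet_vulnerable),
            "fixed_handler": probe_reflected_xss(greet_fixed),
        },
    }


if __name__ == "__main__":
    for category, results in run_assessment().items():
        print(category, results)
```

The two SQL probes are deliberately different in kind: the tautology payload is valid SQL and so only changes the result set, which is what the boolean-based check compares, while the lone quote produces a syntax error, which is what the error-based check catches. A parameterised handler passes both, and a target outside the scope is rejected before any probe runs.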