Web application penetration testing strategy

[RRROAR]

Hello! I'm currently applying for a job as a computer security engineer. I have some knowledge in technical details of attacks on web apps and networks which allowed me to pass the first 2.5 hour long interview. Now i'm facing another technical interview tomorrow.

Having passed the 1st one, i asked the interviewer what i'd need to pass the second one, what were my shortcomings. He answered that i have some technical skills, but my knowledge lacks "system" (which is understandable since i'm self educated in infosec). Meaning, i don't know in what sequence the techniques have to be used, what the main stages of penetration testing of a web facing app are, and thus, what the step-by-step plan should be to assess the information security integrity of a web app.

I would highly appreciate it if someone with experience in penetration testing could clarify this mater, the strategic stages of a penetration test of a web facing application. Or, if there are resources detailing this (i failed to find the answer i'm looking for), please feel free to suggest some reading.

Thanks and best regards!

[digininja]

Have you looked at PTES? http://www.pentest-standard.org/index.php/Main_Page

This is a framework we set up to help guide people through what should be involved in a full test.

You talk about going for a security engineer job then mention web apps so I'll assume that is what you will be testing.

If you want the very cut down version:

Use the app, get to know it, don't attack it just click around. Use your eyes and see what is there. Notice if the technology changes or if URL structure alters. Look for distinct sections.

Start manually going through the app based on what you already identified, target sections you feel will be most vulnerable.

If you want to use automated testing then stop manual, start the automated tools and take a break. It isn't a good idea to run automated and manual at the same time as you interfere with each other.

Look at the automated results and go back to manual to confirm those.

Restore system wherever possible removing anything you added

Write report

[j4k3]

Have you looked at PTES? http://www.pentest-standard.org/index.php/Main_Page

This is a framework we set up to help guide people through what should be involved in a full test.

You talk about going for a security engineer job then mention web apps so I'll assume that is what you will be testing.

If you want the very cut down version:

Use the app, get to know it, don't attack it just click around. Use your eyes and see what is there. Notice if the technology changes or if URL structure alters. Look for distinct sections.

Start manually going through the app based on what you already identified, target sections you feel will be most vulnerable.

If you want to use automated testing then stop manual, start the automated tools and take a break. It isn't a good idea to run automated and manual at the same time as you interfere with each other.

Look at the automated results and go back to manual to confirm those.

Restore system wherever possible removing anything you added

Write report

Had that link in my clipboard ready2rock... Then realised I'd been beaten to it.

But, thank you for maintaining that page. It's very handy.

[Xeph]

MDSec has a good checklist in collaboration with the Web Application Hackers Handbook (IMHO, one the best resources for app pen testing out there).

It's located here: http://mdsec.net/wahh/tasks.html

Nice and condensed, and pretty much uniform with most pentest strategies.

[Alok]

Following may help:

Web application Testing Guide (PDF) https://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf

More Inf here: https://www.owasp.org/index.php/OWASP_Testing_Project#tab=Old_OWASP_Testing_Guides