Penetration Testing of Web Applications.

Today we are going to discuss about the importance and needs of Penetration Testing for Web Applications.

We have already discussed in our previous Blog about Penetration Testing, Types of Penetration Testing, Role and Responsibilities of Penetration Tester, Advantage, and Disadvantage.

This is the link of the Penetration Testing Blog,



Importance and need of Pen Testing

  • Identifying unknown vulnerabilities.
  • Checking up the efficiency and effectiveness of the overall security policies.
  • Checking the security components such as firewalls, routers, and DNS.
  • Identifying vulnerable route through which attack can be possible.
  • Identifying the loopholes through which privilege data can be stolen easily.

If we are looking  for the current market, the usage of mobile phone and tablet’s is rapidly increasing that lead to be a major potential of attack. Accessing the website through mobile phone and tablet can lead toward losing the important privilege and credentials.

Penetration Testing thus becomes very important in ensuring the vulnerabilities.

We need to build a secure system which can be used by users without any worries of cyber-attacks like hacking or data loss.

Penetration Testing Methodology for Web Applications

The set of security guidelines of how to conduct testing is known as methodology.

There are some well-known and well-established methodologies and standards uses for testing the web applications.

But every web application demands different types of test to be performed, the tester is managing their own methodologies on the bases of different standard available in the testing market

Some of the Security Testing Methodologies and standards are

  • OWASP (Open Web Application Security Project)
  • OSSTMM (Open Source Security Testing Methodology Manual)
  • PTF (Penetration Testing Framework)
  • ISSAF (Information Systems Security Assessment Framework)
  • PCI DSS (Payment Card Industry Data Security Standard)

Test Scenarios

Scenarios which can be tested as part of Web Application Penetration Testing (WAPT)

  • Cross Site Scripting
  • SQL Injection
  • Broken authentication and session management
  • File Upload flaws
  • Caching Servers Attacks
  • Security Misconfigurations
  • Cross Site Request Forgery
  • Password Cracking

Testers will not blindly follow their test methodology by the reference of the above conventional standards.

Here’s an example to prove why I am saying so.

Consider you are doing the pen testing of an eCommerce website, using conventional methodology of OWASP like XSS, SQL injection, Etc. All vulnerabilities of an eCommerce website can be identified???

The Answer is no, because eCommerce website works on different platform and technology if we compare it with other websites. For effective pen testing of eCommerce website the pen tester should design his own methodology for testing different technology involving flaws like Order Management, Coupon and Reward Management, Payment Gateway Integration and Content Management System Integration.

So, before beginning pen testing, the tester has to identify which kind of test and methodology is to be used for a different website.

1 thought on “Penetration Testing of Web Applications.”

  1. Hey
    Another great post with lots of valuable information to take note of. Most of the things you mention I am now doing but there are a couple of things for me to implement. Thanks for sharing.

Leave a Comment

Your email address will not be published. Required fields are marked *

5 × 3 =