866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
View All Services
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

How to Prepare for Your Web Application Penetration Test Blog Feature
JOSH TOMKIEL

By: JOSH TOMKIEL

Print/Save as PDF

How to Prepare for Your Web Application Penetration Test

Penetration Testing

So, you’re investing in cybersecurity and are having a web application penetration test performed. No matter your reasons for doing so—whether you’re satisfying compliance requirements, a customer request, internally assessing your flagship service offering or confirming security policies—this is a great step towards strengthening your defenses.

But now that you’ve decided to move forward, it’s time to dig in and prepare. If you’re not sure where to start or what’s involved, don’t worry. Our very experienced team of penetration testers has performed over 200 assessments in just the last year, those specific to web applications among them. In this article, we’ll reiterate what a web application penetration test is, its objectives, and the information you’ll gain after performing one. We’ll also provide a list of items to prepare for your chosen penetration testers ahead of your assessment.

That way, you’ll be able to streamline your process more easily and reach the end—and the results regarding your vulnerabilities—that much quicker.

What Is a Web Application Penetration Test?

Definition

The simulation of an attack on either an external or internal web application in an attempt to gain access to sensitive data and determine whether the application is secure.

Objective

To identify and exploit vulnerabilities within the application and its components (e.g., source code, database, back-end network) that apply to OWASP Flagship Projects, such as the OWASP Top 10, Application Security Verification Standard (ASVS), and Web Security Testing Guide (WSTG).

How Does It Work?

After performing reconnaissance and identifying flaws in authentication, access controls, database interaction, and application logic, among others, your Pen Test Team will attempt to exploit these vulnerabilities.

**If you’re working with Schellman, our team will also seek to concentrate different vulnerabilities together to chain together more complex and higher severity attacks.

What You’ll Learn

After this essential health check of your web application, you’ll understand:

  • How possible it is for a hacker to access your data from the internet
  • How secure your email servers, web hosting sites, and servers are
  • Whether you need remediation or to implement further security measures.

 An Important Note for Organizations Working with Schellman: We do not perform Distributed Denial of Service (DDoS) attacks to test the availability of a service. While we may discover vulnerabilities that result in likely Denial of Service (DoS) conditions, typically these are verified as much as possible but will not be exploited. Only manually verified findings will be included in our final report, and there will be no false positives.

5 Things to Provide for a Web Application Penetration Test

To facilitate all this, your Pen Test Team will need several things before they can get started with their attempted breach of your web application. Here’s a list of items you’ll need to prepare to either provide or do to ensure smooth sailing through the process:

  1. Two Tenants Within the Application
    Consider this like onboarding two new customers—you’d most likely provide them each their own environment (or tenant) within your application.
    • Why Does Your Pen Test Team Need This? Having access to two test tenants allows us to test for horizontal privilege escalation, which basically means checking to see if customer 1 can somehow get to customer 2’s data when that shouldn’t be possible.
  2. Credentials
    Within each tenant, you’ll also need to provide credentials for both an administrator (or higher-privileged role) and a standard user (or lower-privileged role). At Schellman, we start testing with the highest and lowest level you would provide a client, and—if there are other different privilege roles available—we’ll add more users throughout the process.
    • Why Does Your Pen Test Team Need This? We perform every web application assessment from an authenticated posture. Having two users with different roles allows us to test for vertical privilege escalation methods, which is to say, can a non-admin user access data or features only an admin should be able to use or see?
  3. Lower External Application Security Controls.
    You’ll need to allow traffic through any technical security controls that could impact testing, including any web application firewall (WAF) in place.
    • Why Does Your Pen Test Team Need This? Penetration tests are performed within a designated window, which means the Pen Test Team only has a limited amount of time to get through the work. That time would be better spent identifying as many vulnerabilities as possible so that you gain the most value, and allowing us to more quickly interact directly with the application helps with that. Lowing the WAF will help us—and you—best understand and fix the real issues.
  4. Perform an Application Demo
    This should only take a 30-minute call to go over the main features or use of the application with your Pen Test Team. This call will be recorded and referenced when the actual test begins.
    • Why Does Your Pen Test Team Need This? To efficiently attack the application, we first must understand how it is meant to be used. Understanding your specific business risk is a vital part of all our assessments.
  5. Sample Data
    Populate the application with as much user data as possible. If you’re not sure where to start with this, you might consider leveraging data from a demo environment that you usually use to demonstrate your application to a customer.
    • Why Does Your Pen Test Team Need This? An application prepopulated with sample data allows us to hit the ground running with a better understanding of how important features are used. We’ll still go through the process of creating our own test data, but your provided sample data lets us spend more time focusing on identifying vulnerabilities.

Other Tips for Your Web Application Penetration Test

In addition to these steps and information provided, you should also tell your security operation center (SOC) or internal Blue Team that a web application pen test is scheduled and provide them with any public IP address ranges to be used by the Pen Test Team. (Schellman specifies these in our authorization letter.) They’re not trying to be stealthy or stay undetected—your Pen Test Team is only concerned with highlighting as many manually verified issues and providing actionable feedback within the limited timeframe available.

Taking all these steps should help you make the most of said limited time frame, as will taking some of these. If you’re also considering other penetration tests to evaluate your cybersecurity, check out our other content that will break down some key aspects:

If you find you still have any pressing concerns or questions regarding the intricacies of penetration testing—or if you’re interested in engaging the Schellman team to perform one—contact us today.

About JOSH TOMKIEL

Josh Tomkiel is a Managing Director and Penetration Tester based in Philadelphia, PA with over 10 years of experience within the Information Technology field. Josh has a deep background in all facets of penetration testing and works closely with Schellman's other service lines to ensure penetration testing requirements are met. Additionally, Josh leads the Schellman's Red Team service offering, which provides an in-depth security assessment focusing on different tactics, techniques, and procedures (TTPs) for clients with mature security programs.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Ready delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.