Application Penetration Testing: What Is It, and How Does It Work?

In our exploit development article, we covered testing approaches, which also apply to application pen testing. We’ve also provided an overview of white box, black box, and gray box penetration testing. In white box penetration testing, the attackers have full access to the tested systems including documentation and source code. In black box testing, the attackers do not have any technical knowledge about the targeted system other than the target name for example. And gray box testing assumes a combination of the two where the attackers have some technical knowledge of the targeted system but likely no source code.

White box testing would of course provide the most thorough review and resulting information, but is the most time consuming and hence most expensive – while black box testing is the closest method to reality. That said, a number of security teams can be formed to participate in these tests including the Red Team, who is tasked with deploying an attack akin to that of a cybercriminal targeting the organization in question, and the Blue Team, who is on the defensive side of the Red Team’s attack, and aims to detect and stop any outside threats. 

That said, pen testing operations between these two teams can be run as a double-blind test, meaning the Blue Team is uninformed about the Red Team’s incoming attack. This scenario is most realistic and gives an organization more valuable feedback on the results of the real cyber attack and what can be done about it.

Typically there are several stages to penetration testing and this is no different when it comes to application pen testing. The most common app pen testing stages include: 

Stage 1: Planning and Threat Modeling – In this initial step, cyber attack scenarios are prepared and possible threats are outlined.

Stage 2: Information Gathering – Often this can be the first step in penetration testing models, but can also often come after the threat modeling stage. The information can be gathered actively (ie. the one gathering information sends requests directly to the target and then interprets the information being sent back) or passively (ie. in the information is collected without contacting the target). A hybrid of the two approaches can also be used.

Stage 3: Vulnerability Assessment/Testing – In this step, scanning tools are used to pinpoint any known security vulnerabilities and misconfigurations.

Stage 4: Exploit Development – Here, pen testers start to manually exploit any findings from stage #3. 

Stage 5: Produce Remediation Guidelines – At this point, it’s time to make the findings in the previous steps usable for team members of the organization. This includes security executives, software developers and others. The goal is to develop instructions for vulnerability remediation. 

Stage 6: Utilize the Testing Results – In this step, the remediation guidelines can be put to the test and remediation guidelines are reviewed and ensured to be implemented within the organizational security structure.

There are a number of tools online that can be used to learn more about how application penetration testing works. However with the ever-evolving cyber threat landscape we encourage you to reach out to our cybersecurity professionals at halborn@protonmail.com if you want to learn more about how application penetration testing can help you secure your organization’s assets.