Web penetration testing with Perfecto

Warning

Do not try techniques described here on public sites or your customer or client’s websites without approval. It may lead to blocks and potential legal complications.

Software security testing reveals possible vulnerabilities in the system, making sure that data and resources are protected. For a common breakout of software security testing, click here.

Fortunately, with security testing tools available in the market, you can perform vulnerability assessment and penetrating testing for web applications and websites on devices and browsers in Perfecto using both manual and automation testing.

This article provides a quick overview of the penetration testing process and then dives into an end-to-end demo of how you can perform penetration testing with Perfecto in combination with the following tools:

  • Zed Attack Proxy (ZAP): A free, open-source penetration testing tool. It serves as a proxy located between the browser and the web application, intercepting and inspecting messages before they reach their destination.

  • Burp Suite: A platform for vulnerability scanning, penetration testing, and web app security. It servers as a proxy located between the target web application and the web server, intercepting ongoing HTTP requests before they reach their destination.

Both tools make it possible to pause the traffic and manipulate the intercepted items, if needed, before forwarding them to their destination.

For a comparison of Burp Suite and ZAP, click here.

Vulnerabilities according to OWASP

In this article, we refer to the Open Web Application Security Project® (OWASP), a foundation that works to improve the security of software. It also maintains ZAP.

OWASP periodically reviews the top security risks of web applications and lists the top 10 risks that developers and web security experts should be aware of. According to their website, this list represents a broad consensus about the most critical security risks to web applications.

Pen testing process

Penetration testing often combines manual and automated testing methods to test servers, networks, devices, and endpoints. The process commonly involves 3 stages in which you first explore the system, then attack the system using known or suspected vulnerabilities, and, last, report test results. For more information about the stages of pen testing, click here.

Penetration testing aims at searching for, revealing, and fixing vulnerabilities. It can also verify if a system is not vulnerable to a specific defect. When vulnerabilities reported earlier are supposedly fixed, the system gets retested to verify that the issues are truly resolved.

Most web penetration tests are performed manually. Many teams outsource this kind of testing to third-party services. When done, it is usually not part of the cycle, and often, it is not executed as frequently as it should be. This leaves the risk of escaped defects.

A security degradation or outage impacts user experiences and creates significant business issues. Shifting security testing to the left to perform it earlier in the DevOps cycle is therefore a best practice. This way, it is possible to collaborate on requirements, test for code vulnerabilities within existing CI/CD pipelines, and also implement other security practices in software development.

Fortunately, with Perfecto, web penetration testing is a seamless and free add-on to existing test automation cycles, for web apps on devices and in desktop browsers. Every regression test or smoke run proves functionality and checks how apps are vulnerable to hackers.

ZAP and Burp Suite are just two examples of tools that automate the task of scanning websites for content and vulnerabilities.

The process includes the following:

  • Web spider: Searches for new resources (URLs) on a website. The task begins with a list of URLs to visit, called seeds. The spider then visits these URLs, identifies all hyperlinks on the page, and adds them to the list of URLs to visit. This is a constant process that continues until new resources get identified.

    For more comprehensive information and additional definitions, see here.

  • Scanning: When the spider has identified all links on the page, the scanner attempts to find potential vulnerabilities by using known attacks. Different types of scanning are used for different purposes. Active scanning searches for vulnerabilities by using known attacks against the system or application. Passive scanning scans all HTTP messages (requests and responses) sent to the web application under test. The requests or responses are not hampered by passive scanning, making it safe to use.

    Note

    Perform an active scan only if you have permission to test the application.

Pen testing prerequisites

Sample application

This exercise uses a sample application called WebGoat. WebGoat is a deliberately insecure web application maintained by OWASP and designed to teach lessons about web application security. The app is a demonstration of common server-side application flaws. The exercises are intended to be used by people to learn about application security and penetration testing techniques.

Warning

While running this program, your machine will be extremely vulnerable to attack. You should kill the running server immediately after test completion.

To install WebGoat:

  1. Download the latest WebGoat version from here.

  2. Run the download .jar file with the following command:

    Copy
    Java -jar <<xxxx.jar>>
  3. (Optional) By default, it binds to localhost and 8080 port. To change the server address and port number before running the standalone .jar file.

    Copy
    Mac/UNIX
    export WEBGOAT_HOST=xx.xx.xx.xx
    export WEBGOAT_PORT=9000
    Copy
    Windows
    set WEBGOAT_HOST=xx.xx.xx.xx
    set WEBGOAT_PORT=9000
  4. Access the application using any of the following URLs:

    • http://192.xx.xx.xx:9000/WebGoat/login

    • http://localhost:9000/WebGoat/login

Perfecto Connect

Perfecto Connect opens a direct connection between devices and browsers in the Perfecto lab and the local network where security testing tools (ZAP or Burp Suite) get installed. You need to generate a tunnelID with your machine's IP address and port to which the respective security testing tool is listening.

For example:

Copy
perfectoconnect start -c <<cloudname>>.perfectomobile.com -s <<SecurityToken>> --bridgeproxyip=<<XXX.XXX.XX.XXX>> --bridgeproxyport=8084 -fd

For details, seePerfecto Connect.

Pen testing steps

This section walks you through the testing steps. Click a pen testing tool to view the relevant steps.