Penetration Testing for Web Applications

Web Application Penetration Testing with CORE IMPACT Pro allows you to pinpoint exploitable Cross-Site Scripting, SQL Injection, Remote File Inclusion, and other vulnerabilities in your web applications, not only providing visibility into where application weaknesses exist, but also determining how they can open the door to subsequent network-based attacks.

Web Application Penetration Testing with CORE IMPACT Pro

CORE IMPACT Pro offers the first and only automated methodology for testing the security of web applications and demonstrating the potential consequences of a web-based attack. With IMPACT Pro, you can regularly and safely test web applications against actual data breach attempts, without requiring advanced technical skills. Leveraging the product’s Rapid Penetration Test (RPT) capabilities, you go beyond scanning to identify and interact with at-risk web applications to expose backend data – just as an attacker could.
IMPACT Pro’s web application security testing capabilities enable you to:

  • identify weaknesses in web applications, web servers and associated databases
  • evade web application firewalls
  • dynamically generate exploits that can compromise security weaknesses
  • demonstrate the potential consequences of a successful attack
  • get information necessary for addressing security issues and preventing data incidents
  • schedule tests to run at specific times or planned intervals

IMPACT Pro is the only product to integrate web application penetration testing with network testing and end-user testing. You can therefore confidently assess your organization’s ability to detect, prevent and respond to real-world, multistaged information security threats.

Conduct Penetration Tests that Address All OWASP Top 10 Web Application Threats

IMPACT Pro is the first-and-only automated, commercial-grade web application penetration testing solution to address the most prevalent information security threats facing organizations today, including all of the OWASP Top Ten web application threats.

SQL Injection - Traditional and Blind (OWASP A1)
Through its vulnerability analysis capabilities, IMPACT safely identifies both traditional and blind SQL injection vulnerabilities and then leverages the results to dynamically create and inject SQL queries in an attempt to retrieve output from the SQL database. Whenever a query successfully accesses the database, an IMPACT SQL Agent is created. Using the SQL Agent, you can then safely replicate the actions of an attacker to demonstrate the potential consequences of an actual breach.

OS Command Injection (OWASP A1)
Building on its existing SQL Injection and Blind SQL Injection capabilities, IMPACT can detect and exploit OS Command Injection weaknesses in web applications. If the application utilizes user-input variables in system-level commands, IMPACT can attempt to change those variables in a way that causes the system to download an IMPACT Agent, giving the security tester control over the system.

Cross-Site Scripting (OWASP A2)
Cross-Site Scripting (XSS) threats take advantage of vulnerabilities in web applications and allow attackers to interact with the browsers of web application users. IMPACT enables you to identify and confirm the exploitability of GET- and POST-based XSS vulnerabilities, including:

  • URL-based, reflective XSS vulnerabilities
  • Persistent (or stored) XSS vulnerabilities
  • XSS vulnerabilities in dynamic Adobe Flash objects

Since the window of opportunity for gathering information about systems compromised by XSS attacks can be brief, IMPACT allows testers to queue information gathering modules to run automatically once a system is compromised during a test.

Broken Authentication and Session Management (OWASP A3)
The software’s Web Application Authentication Testing Module attempts to guess application usernames and passwords.

Insecure Direct Object References (OWASP A4)

  • Hidden Pages Identification
    Web applications sometimes have unlinked administration and configuration pages that are “hidden,” requiring access via explicit URLs. IMPACT checks for hidden pages in addition to crawling websites for pages to be targeted with the solution’s web application exploitation capabilities.

  • Backup / Old Pages Identification
    As web applications are updated over time, old versions and backups of pages are often left behind on the server. These old pages can contain vulnerabilities or disclose valuable information about the web application. IMPACT Pro crawls for variations of live pages to be targeted with web application tests.

  • Retrieve and Follow Robots.txt Files
    Robots.txt files contain URLs that the web application owner wishes to be ignored by automated web crawling robots, such as those used by search engines. IMPACT discovers, reads and crawls the contents of Robots.txt files to search for administration pages and other sensitive URLs.

Cross-Site Request Forgery (OWASP A5)
Cross-Site Request Forgery (CSRF) is a potentially devastating attack that is relatively simple to execute against vulnerable applications. CORE IMPACT can both identify CSRF weaknesses in web applications and replicate CSRF attacks to demonstrate exploitability. To fall victim to a CSRF attack, a web user needs only to leave an authenticated session open on the vulnerable application and then visit a website seeded with malicious code or click a phishing email link. The attack can then execute a request against the vulnerable application, enabling the attacker to delete records, change settings, initiate transactions, or manipulate data in other ways.

Security Misconfiguration (OWASP A6)
A truly secure web application depends on having a secure configuration defined for the application, framework, web server, application server, and platform. Only IMPACT’s multi-vector testing capabilities allow you to test not only the web application but also the underlying server and its environment.

Insecure Cryptographic Storage (OWASP A7)
Upon successfully accessing a SQL database via IMPACT’s SQL Injection or Blind SQL Injection capabilities, testers can leverage the software’s Get Sensitive Data module to identify unencrypted data stored in the database. This module uses pattern recognition to identify credit card numbers, social security numbers and email addresses by default, and users can also define search criteria appropriate for their organizations. Obfuscation capabilities are also available to prevent exposing specific data during testing.

Failure to Restrict URL Access (OWASP A8)
IMPACT Pro determines whether attackers can access admin pages, as well as backup and old pages, via both authenticated and unauthenticated sessions.

Insufficient Transport Layer Protection (OWASP A9)

The software’s SSL Strength Module allows testers to flag weak levels of encryption in HTTPS-secured sites.

Unvalidated Redirects and Forwards (OWASP A10)

Web applications often redirect and forward users to other pages and sites. Through its web crawling and analysis capabilities, IMPACT can identify applications that redirect and forward without proper validation. Testers can then use IMPACT to demonstrate how an attacker could leverage the vulnerability to redirect victims to malicious sites.

Other Web Application Tests


Remote File Inclusion for PHP

To test web applications against Remote File Inclusion (RFI) attacks on PHP applications, IMPACT Pro dynamically manipulates PHP templates in an attempt to retrieve commands from a remote web server. If successful, the manipulation is recorded as an IMPACT RFI Agent, which allows you to interact with the targeted web application to safely demonstrate the exploitability of the RFI vulnerability and reveal at-risk data.

Local File Inclusion (LFI) for PHP Applications
IMPACT Pro enables users to test PHP applications against both remote and local file inclusion attacks.

Exploitation of WebDAV Configuration Weaknesses
IMPACT detects and exploits poorly configured WebDAV implementations. To demonstrate WebDAV configuration weaknesses, IMPACT users can create files on and/or delete files from the web application – replicating an attacker attempting to remove critical elements of the application or replace legitimate content with malicious content.

Go Beyond Scanning to Identify Real Threats and Eliminate False Positives

Mitigating web application vulnerabilities typically requires developers to rework code, so it’s critical for web application security testing to pinpoint actual threats and eliminate false positives. IMPACT Pro both identifies potential vulnerabilities and validates them against dynamically generated exploits. By revealing how and where a data breach could unfold and by exposing at-risk information assets, IMPACT Pro enables you to work with developers to confidently plan remediation efforts and avoid unnecessary code changes for both new and existing applications.

Web Application Vulnerability Scanner Integration
CORE IMPACT Pro integrates with web application scanning tools such as IBM Rational AppScan, HP WebInspect, and NTOSpider to help you filter scan results and identify your most significant points of exposure. By feeding the results of your web application scans directly into IMPACT Pro, you can:

  • Prove the exploitability of web application vulnerabilities, with no false positives, to both prioritize and inform remediation efforts to minimize the time and money spent on re-coding efforts.
  • Leverage CORE IMPACT’s industry-leading privilege escalation and pivoting capabilities to gain administrative access on web servers and leverage them as beachheads for additional attacks against backend network systems – just as an attacker would.
  • Use scan results to identify pages (URLs) to penetration test, in addition to utilizing CORE IMPACT’s own page identification capabilities.

Replicate Attacks that Extend to Backend Network Systems

Web applications don’t exist in a vacuum and are typically networked to other systems. Consequently, a compromised web application can open the door to attacks on other network assets, compounding the damage caused by the initial breach. With the addition of web application testing to its comprehensive network and endpoint security testing capabilities, IMPACT Pro enables you to safely assess your security against attacks that cross all three vectors. For instance, IMPACT Pro can replicate an attack that initially compromises a web server or end-user workstation and then tunnels to backend network systems. Only IMPACT Pro allows you to test information security in the face of such complex attacks.

Successfully Test Custom Web Applications

Most web applications are custom-built, or highly specialized, and are often not developed with security in mind. Because of the level of customization, testing applications for security vulnerabilities requires the creation of unique exploits.

CORE IMPACT Pro goes beyond web application vulnerability scanning by dynamically creating customized exploits on-the-fly. You can then use these exploits to safely replicate data breach attempts against both proprietary and out-of-the-box web apps.

Generate Actionable Data for Efficient and Effective Remediation

Through its reporting capabilities, IMPACT Pro provides security professionals, web developers and database administrators with critical information for identifying security weaknesses, determining possible fixes, and prioritizing remediation efforts. IMPACT Pro maintains audit trails of all web application penetration tests performed, servers and databases accessed, and all actions taken during testing. Like all IMPACT Pro reports, web application test reports can be exported to HTML, PDF and Microsoft Word for further customization and distribution.