Web application penetration testing routine

dc.contributor.author: Pajunpää, Pyry
dc.contributor.department: fi=Tulevaisuuden teknologioiden laitos|en=Department of Future Technologies|
dc.contributor.faculty: fi=Luonnontieteiden ja tekniikan tiedekunta|en=Faculty of Science and Engineering|
dc.contributor.studysubject: fi=Tietotekniikka|en=Information and Communication Technology|
dc.date.accessioned: 2019-06-17T21:00:29Z
dc.date.available: 2019-06-17T21:00:29Z
dc.date.issued: 2019-05-29
dc.description.abstract: Modern web applications provide people a vast amount of services and complex functionality. More and more daily services are digitized. Digitalization is constantly accelerating. This means that the pressure for quality software is high. Producing functional software itself is fairly complex and developers usually focus only on functional quality, in other words, functional requirements. The security audition process is somewhat more complex. While functional quality is fairly easy to ensure, validating software security is much harder. Hacking is the act of using something in some other ways than it is designed. How can one ensure that software cannot be used in some unwanted way? Penetration testing is a black-box testing process of trying to exploit software vulnerabilities that relies on planning and professionalism. Penetration testers, or pentesters, act as rogue hackers trying to find vulnerabilities and exploiting them. Found vulnerabilities are then reported to the owner of software and patched before actual hackers manage to do that. In this thesis we will describe a penetration testing routine for investigating and reporting modern web application vulnerabilities. We also discuss the role of the penetration testing as a part of modern software development. We then demonstrate the routine by performing a test scenario against a production web application and discuss the results. As a result we propose a checklist type approach for conducting a penetration testing for modern web applications.
dc.format.extent: 75
dc.identifier.olddbid: 164790
dc.identifier.oldhandle: 10024/147949
dc.identifier.uri: https://www.utupub.fi/handle/11111/20667
dc.identifier.urn: URN:NBN:fi-fe2019061720817
dc.language.iso: eng
dc.rights: fi=Julkaisu on tekijänoikeussäännösten alainen. Teosta voi lukea ja tulostaa henkilökohtaista käyttöä varten. Käyttö kaupallisiin tarkoituksiin on kielletty.|en=This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.|
dc.rights.accessrights: suljettu
dc.source.identifier: https://www.utupub.fi/handle/10024/147949
dc.subject: cyber security, pentesting, penetration testing, information security, web application
dc.title: Web application penetration testing routine
dc.type.ontasot: fi=Diplomityö|en=Master's thesis|

Files

Name: DI___Pyry_Pajunpaa.pdf
Size: 1.88 MB
Format: Adobe Portable Document Format