A web application is any application that uses a web browser as its client. This can be a simple message board or a very complex spreadsheet. Web applications are popular because of the ease of access to services and the centralized management of a system used by multiple parties. Access requirements can follow industry web browser standards, which simplifies expectations for both the service providers and the hosts accessing the application.
Web applications are among the most widely used types of application within any organization, and they are the standard for most Internet-based services. If you look at smartphones and tablets, you will find that many of the applications on these devices are also web applications, or thin clients in front of web services. This has created a large, target-rich attack surface for attackers, and correspondingly for the security professionals who test those systems.
Penetration testing of web applications can vary in scope, since there is a vast number of system types and business use cases for web application services. The core web application tiers, which are the hosting servers, the accessing devices, and the data repository, should be tested along with the communication between the tiers during a web application penetration testing exercise.
An example of developing a scope for a web application penetration test is testing a Linux server that hosts an application used by mobile devices.
The scope of work at a minimum should include:
- Evaluating the Linux server, including the operating system, the network configuration, the applications hosted on the server, and how systems and users authenticate
- The client devices accessing the server
- The communication between all three tiers (server, client devices, and data repository)

Additional areas of evaluation that could be included in the scope of work are:
- how devices are obtained by employees
- how devices are used outside of accessing the application
- the surrounding network(s)
- maintenance of the systems
- the users of the systems
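As an added example, not code from the original post, the following script shows what the server-side scope items look like as concrete checks. It parses constructed samples of /etc/os-release, `ss -tlnp` output and an sshd_config fragment (embedded in the script and not captured from a real host) and reports the operating system, the services hosted on the server, any data-tier services bound to all interfaces (which clients should only ever reach through the application tier), and weak SSH authentication settings. The sample data and the list of backend ports are assumptions chosen for illustration.

```python
"""Scope-driven checks for the Linux hosting tier (added example).

Parses constructed samples of /etc/os-release, `ss -tlnp` output and
sshd_config and returns findings for the scope items: operating system,
network configuration, hosted applications, and how users authenticate.
"""
import re
from typing import Dict, List

# Constructed sample data standing in for what a tester would collect from
# the server with `cat /etc/os-release`, `ss -tlnp` and `sshd -T`.
OS_RELEASE = '''NAME="Ubuntu"
VERSION_ID="18.04"
PRETTY_NAME="Ubuntu 18.04.6 LTS"
'''

SS_OUTPUT = '''State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80        0.0.0.0:*         users:(("nginx",pid=1201,fd=6))
LISTEN 0      511    0.0.0.0:443       0.0.0.0:*         users:(("nginx",pid=1201,fd=7))
LISTEN 0      80     0.0.0.0:3306      0.0.0.0:*         users:(("mysqld",pid=990,fd=21))
LISTEN 0      128    127.0.0.1:6379    0.0.0.0:*         users:(("redis-server",pid=1010,fd=6))
'''

SSHD_CONFIG = '''# constructed sshd_config fragment
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PubkeyAuthentication yes
'''

# Ports that normally belong to the data tier and should be reachable only
# from the application tier, never from client devices (assumed list).
BACKEND_PORTS = {3306, 5432, 6379, 27017}


def parse_os_release(text: str) -> Dict[str, str]:
    """Return KEY -> value pairs from an os-release file, quotes stripped."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            out[key.strip()] = value.strip().strip('"')
    return out


def parse_listeners(text: str) -> List[Dict[str, object]]:
    """Turn `ss -tlnp` output into {addr, port, process} records."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # skips the header line and non-listening sockets
        addr, _, port = fields[3].rpartition(":")
        proc = re.search(r'\("([^"]+)"', line)
        listeners.append({"addr": addr, "port": int(port),
                          "process": proc.group(1) if proc else ""})
    return listeners


def exposed_backends(listeners: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Data-tier services bound to every interface, i.e. reachable directly
    by clients that should only talk to the application tier."""
    return [l for l in listeners
            if l["port"] in BACKEND_PORTS and l["addr"] in ("0.0.0.0", "*", "[::]")]


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Keyword -> value from sshd_config; comments are ignored and, as in
    sshd itself, the first value given for a keyword wins."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            out.setdefault(parts[0], parts[1])
    return out


def auth_findings(cfg: Dict[str, str]) -> List[str]:
    """Weak SSH authentication settings relevant to 'how users authenticate'."""
    findings = []
    if cfg.get("PermitRootLogin", "").lower() == "yes":
        findings.append("PermitRootLogin yes: direct root logins over SSH are allowed")
    # OpenSSH defaults PasswordAuthentication to yes when it is not set, so a
    # commented-out line still leaves password logins (and guessing) enabled.
    if cfg.get("PasswordAuthentication", "yes").lower() == "yes":
        findings.append("PasswordAuthentication effectively yes: password guessing is possible")
    return findings


def run_checks(os_release: str = OS_RELEASE, ss_output: str = SS_OUTPUT,
               sshd_config: str = SSHD_CONFIG) -> Dict[str, object]:
    """Collect the findings for each server-side scope item."""
    listeners = parse_listeners(ss_output)
    return {
        "os": parse_os_release(os_release).get("PRETTY_NAME", "unknown"),
        "hosted": sorted({l["process"] for l in listeners}),
        "exposed_backends": exposed_backends(listeners),
        "auth": auth_findings(parse_sshd_config(sshd_config)),
    }


if __name__ == "__main__":
    for item, result in run_checks().items():
        print(f"{item}: {result}")
```

On the sample data the report shows MySQL listening on all interfaces while Redis is correctly bound to localhost, and two SSH findings; the commented-out PasswordAuthentication line is the kind of detail that is easy to miss when the authentication item is reviewed by eye only.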