Cobalt PtaaS + DAST combines manual pentests and automated scanning for comprehensive applications security.
Cobalt PtaaS + DAST combines manual pentests and automated scanning for comprehensive applications security.

A Penetration Tester's Guide To Web Applications

Cybersecurity teams constantly need to adapt and protect networks against new vulnerabilities and maintain their security posture. Penetration testing is one way organizations preempt the movements of cybercriminals in the real-world and protect themselves from potential threats.

From user endpoints to web applications, pentesting assesses any area of a network to minimize the risk of a data breach or unauthorized access. This article focuses on penetration testing for web applications, providing a comprehensive guide on everything you need to know.

The Need For Penetration Testing

A penetration test, or pentest, identifies vulnerabilities on a network or across an organization, or by focusing on a single element, such as a web application. This is achieved by simulating authorized and unauthorized hacks in an attempt to access sensitive data. 

By doing so, the pentester identifies any weak points in the web application security and related components. These components include the source code, the database, and the backend architecture. After testers identify vulnerabilities, companies can then develop a strategy to resolve them.

Pentesting is especially important for industries such as finance, banking, e-commerce, and healthcare, which cybercriminals often target. This is because these industries typically store lots of sensitive data, which is used for fraudulent activity. Threat actors commonly focus their attention on web applications which often provide the chance of accessing such data. 

Penetration testing is essential for several reasons, including:

  • To discover unknown vulnerabilities within a web application and its components. Guarding against any unauthorized access and preventing data breaches.

  • To test any components exposed publicly such as DNS, firewalls, and routers.

  • To assess how effective the current security policies are for web and mobile applications.

  • To determine the methods and processes a cybercriminal takes in the future.

How Long Does a Penetration Test Take? 

The scope of a pentest will dictate how long the test takes to complete, usually ranging from one to two weeks. This range can increase when including the planning and remediation phases of the test, which will oftentimes be dependent on outside factors from the pentest service provider.

At Cobalt, being agile and on-demand is a key part of our pentest offering. Schedule a demo today and we can get your testing started right away, oftentimes in as little as 24-hours depending on the scope and granting access credentials.

The Types of Penetration Testing for Web Applications

There are two main types of penetration testing for web applications, which are simulating authenticated and unauthenticated attacks. Both methods are equally important. 

Authenticated Testing

During authenticated web application pentest, a pentester is given credentials to the application that will be tested. However, unauthenticated attacks are still performed. Authenticated web application pentests are necessary to get a full picture of the web application attack surface since it provides a larger attack surface. 

Unauthenticated Penetration Testing

Unauthenticated penetration testing is when the client has not provided the credentials to the application, forcing the pentester to have to break in. If the pentester is unable to break in, they won’t be able to test any functionalities that could require authentication. 

The purpose of unauthenticated penetration testing is to identify vulnerabilities outside of the organization, testing the defenses of a web application hosted on the internet. The pentester has no information about the internal system or its levels of security and is only given the IP address of the target application.

The tester would then simulate an external attack by searching publicly available resources to learn more about the target so they can exploit any external weaknesses. 

Web Application Penetration Testing Methodologies and Processes

Penetration testing methodology usually consists of four key phases:

  1. Reconnaissance - Phase one of the pentest is to carry out recon; in other words collecting usable information such as IP addresses and user profiles that can help simulate a successful attack on a web application.

  2. Network Mapping - Once recon has been carried out and any relevant information has been gathered, the tester begins to map the network topology. To effectively map out a web application the tester must understand how networks are linked and the layers of security that are implemented.

  3. Discovery - With the application mapped out, the tester now has the fundamental base required to begin discovery, identifying vulnerabilities that could present cybercriminals with the opportunity to breach a system.

  4. Exploitation - When all possible vulnerabilities are discovered, the tester develops a strategy to exploit them, choosing the best form of attack for each. This can include attacks such as SQL injections (SQLI) or Cross-site scripting (XSS).

    Read about Cobalt's web application penetration testing methodology.

Web Application Penetration Testing - The Process

The key to penetration testing for web applications is gathering as much information as possible and mapping out their topology to determine any possible points of injection. The process consists of three stages. 

1. Recon - Active and Passive

The initial step is the process of gathering information (recon). This provides the tester with all they need to understand the web application and test it for vulnerabilities. 

Passive recon refers to collecting information that is publicly available on an internet search engine, such as subdomains, previous versions of the web application, and any internal and external links. 

Active recon involves directly engaging with the web application to gain a level of output. 

You’ll need to inspect the source code to assess the web application’s environment. 

Examples of this process include:

  • Retrieving error pages to discover the website’s server and current version.

  • Analyzing HEAD and OPTION requests to learn more about the server software and its version.

  • Locating any links to external sites.

  • Attempting a DNS Zone Transfer by using the nslookup command to identify what DNS servers are used for the web application. This could also be achieved by using a DNS server identification website, then using the dig command.

  • A DNS Forward And Reverse Lookup to discover any recently discovered subdomains and their IP addresses.

  • Use the Nmap network scanner (often referred to as Nmap fingerprinting) to find information regarding the web application’s scripting language, operating system, open ports, services, server software, and version.

  • The Shodan network vulnerability scanning tool can help the tester find additional information that is available publicly, such as its geolocation and open port numbers.

2. Attack Phase

The next stage of security testing is to exploit any discovered vulnerabilities and execute attacks using a range of penetration testing tools. The recon stage can help identify which tools will be relevant for each penetration test. The goal should be to ensure you are protected against all vulnerabilities listed in the OWASP Top 10 is a standard awareness document that provides a general consensus on the most common vulnerabilities to web applications.

Commonly used exploitation tools are Burp Suite for intercepting and modifying web traffic and SQLmap (SQL injection attacks).

3. Reporting

Finally, compile the finding of the test into a report and present the recommendations to the client. Structure the report in a concise manner and support any findings with relevant data. Order the vulnerabilities in terms of their threat level. 


Conducting web app penetration testing is vital to locate unknown vulnerabilities that could be potentially exploited by a cybercriminal, and assess the current layers of security. 

Penetration testing consists of four key stages, recon, network mapping, discovery, and exploitation. Once completed, the findings of the test are then compiled into a report that contains recommendations, enabling the organization to resolve any issues.

New call-to-action

Back to Blog
About Gisela Hinojosa
Gisela Hinojosa is a Senior Security Consultant at Cobalt with over 5 years of experience as a penetration tester. Gisela performs a wide range of penetration tests including, network, web application, mobile application, Internet of Things (IoT), red teaming, phishing and threat modeling with STRIDE. Gisela currently holds the Security+, GMOB, GPEN and GPWAT certifications. More By Gisela Hinojosa
Pentester Spotlight: Furkan Senan; Computer Enthusiast to Lead Tester
From an early age, Furkan Senan was immersed in the world of computers, with a Pentium II CPU and dial-up internet as his constant companion. His insatiable curiosity led him to cybersecurity at the age of 12, where he and his friends explored hacking software. This discovery became a turning point in his life, and he embarked on a journey into the realm of pentesting.
Jun 1, 2023