Before you start your Web application vulnerability assessment, you need to build a test plan. Building a test plan
starts with establishing your test target. Depending on your assignment, a test target could consist of a range of IP
addresses, a set of Web applications, or a single Web application. If your target is an IP address range, this means
that you have to identify all of the Web properties in the given range first, and then test each of them for security
vulnerabilities.
Once you establish your target, you need to select your test environment. A security test could potentially deface or
destabilize a Web application. Therefore, it is highly recommended that you test a Web application in a pre-production
environment. If you need to test a Web application that is already in production, you must use only tests that are
safe.
The test scope, that is, the types of security tests that you will employ during your assessment, depends on your
security test policy, your role, and the scope of your assignment.
You should also take into account any test restrictions. Perhaps you are testing in a production environment and, by
testing certain application functions, you run the risk of crashing the application. It is recommended that you speak
with the application owner and application developers to identify any potential risks and corresponding test
restrictions.
All application stakeholders should agree on the date and time of the vulnerability assessment. This is necessary to
ensure that the test has minimal impact on any of the stakeholders.
Most applications have some sort of a mechanism for identifying and authorizing their users. You will need access
credentials to test an application that requires its users to log in. It is best to create a special account for the
purposes of the test. After the test is completed, you can simply delete the account, which will make "cleaning up" a
lot easier. If the application supports multiple user roles, you may need to obtain an account for each user role.
Conducting a security assessment may involve exploiting vulnerabilities to prove the risks associated with them. Also,
as mentioned previously, security testing may have side effects (for example, crashing the application, inserting
garbage data into the database, and so on). Therefore, it is important to obtain approval from all stakeholders before
you begin testing.
It is recommended to obtain the contact information of key stakeholders whom you may need to reach during your
assessment. For example, if the application crashes and you need the Web or application servers rebooted, you will
need to know who to contact.