
Application Penetration Testing

The recent growth of APIs has introduced a number of new security challenges.


What is an Application Penetration Test?

An application penetration test, or “pentest”, is a security assessment to determine if an application can be compromised, subverted, or poses risk to the business. It is both a highly technical and creative exercise to identify vulnerabilities in business logic and functionality.

A pentest is designed to assess application security through a number of lenses. Some are passive, where the assessor simply inspects application responses for sensitive data. Others

While some of the tasks performed during a pentest are universal checks, the most important test cases are often specific to the particular business and application.

Application Pentest Engagement Process

  • 01 Scope
  • 02 Assess
  • 03 Report
  • 04 Retest

When engaging a pentest company, an application pentest is a relatively hands-off process: once a tester has access to the application, they can perform all work necessary to complete the assessment on their own.

There are cases, however, where some explanations and demonstrations are needed to make meaningful use of the application. After all, to truly attack an application, someone must understand how it’s used first.

Once the assessment is completed, a report is delivered containing the vulnerabilities identified along with best practices for remediation.


Application Pentest Scope

Scoping an application pentest is vital to the success of the assessment. This process is used to understand the following key items:

  • Size and complexity of the application.
  • Business purpose and how the application is used.
  • The user model and what type of access each kind of user has.
  • A high-level understanding of the business purpose and technology.

These factors are used by the testing team to determine how much time is needed for a pentest. More importantly, they also allow us to make special considerations for how we perform the pentest.

Black Box vs Gray Box vs White Box

Application pentest engagements can typically be categorized by one of three types of scope.

Although the vast majority of engagements fall into the gray box category, there are always circumstances where more or less depth is appropriate.

Automated vs. Manual Pentesting

Pentesting always requires tools, but there is a very important relationship between automation and manual effort.

Automation can be incredibly valuable for identifying “low-hanging fruit” across a large application. For example, a fully automated scan is likely the best way to identify many trivial instances of XSS in a large application.

On the other hand, a scan is likely to miss nearly all business logic vulnerabilities, including those that allow privilege escalation.

Pentesting Tools

All pentesters require tools of some kind; in fact, tools are a vital part of pentesting. But the relationship is very similar to that of a surgeon and a scalpel.

While effective tools are a great aid, they are never a replacement for the skills needed to execute a successful test.

Performing an Application Pentest

A pentest is typically guided by a methodology, which outlines the types of vulnerabilities tested for as well as an approach for common application features.

A pentest methodology is like an airline pilot’s checklist: useful for conducting a successful test, but still no replacement for years of skill and experience.

Authentication

Often referred to as “the front door”, authentication systems determine who can access an application. Testing this functionality attempts to find weaknesses such as the following:

  • Username enumeration
  • Password policy strength
  • Account lockouts

Session Management

Most modern applications use sessions to track authenticated users. These may use a variety of designs, including cookies, tokens, or parameters, each of which calls for its own testing methods. Common findings include:

  • Predictable Session Tokens
  • Session Fixation
  • Session Termination
  • Insecure Session Data Storage
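The three server-side properties those checks probe, shown as an added illustration (not code from the original page or any real framework): unpredictable tokens, rotation at login against session fixation, and true server-side termination. The store, its `clock` parameter and the 900-second idle timeout are assumptions made for the example.

```python
import secrets
import time

IDLE_TIMEOUT = 900  # seconds of inactivity after which a session is terminated (assumed value)


class SessionStore:
    """Minimal server-side session store used to illustrate the pentest checks above."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so idle timeouts can be exercised deterministically
        self._sessions = {}      # token -> {"user": str | None, "last_seen": float}

    def _issue(self, user):
        # 32 bytes from the OS CSPRNG. Tokens derived from counters, timestamps or
        # usernames are what the "predictable session tokens" check looks for.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "last_seen": self._clock()}
        return token

    def anonymous(self):
        """Pre-authentication session, e.g. for a shopping cart."""
        return self._issue(None)

    def login(self, old_token, username):
        """Authenticate and rotate the identifier.

        Discarding the pre-login token means a token planted in the browser
        before login (session fixation) never becomes an authenticated session.
        """
        self._sessions.pop(old_token, None)
        return self._issue(username)

    def user_for(self, token):
        """Return the authenticated user for a token, or None if it is not live."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        if self._clock() - sess["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[token]  # idle sessions end on the server, not just in the UI
            return None
        sess["last_seen"] = self._clock()
        return sess["user"]

    def logout(self, token):
        """Terminate a session server-side; True if a live token was invalidated."""
        return self._sessions.pop(token, None) is not None
```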

Information Disclosure

Applications often disclose unnecessary and sensitive information. Forgotten backup files, code comments, and improperly designed API responses are just a few of the many ways applications unintentionally expose sensitive data.

Knowing where to look is just as important as knowing how to extract such information. While application errors are frequent culprits of information disclosure, application pentests use many methods to reveal sensitive information.

Input Validation

It’s not uncommon for an application to have hundreds of thousands of both inputs and outputs. Parameters are the toggles that steer the application into its expected states, but they can also be easily misused.

Since nearly all applications interact with a database, an improperly formatted parameter can have severe consequences. Failing to sanitize even a single user-controlled parameter can allow database queries to be altered maliciously.

Access Controls

Attempting to bypass access controls is one of the main overarching goals for any application pentest. This phase overlaps many others, as a pentester can gain unauthorized access in many ways.

  • Vertical privilege escalation
  • Horizontal privilege escalation
  • Cross-tenant boundaries

Business Logic

  • A shopping cart application where a customer changes a quantity to.
  • An online bank where a customer transfers a negative dollar amount.
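The access-control checks listed above and the negative-transfer case, combined into one added illustration that is not code from the page: a transfer that enforces account ownership (horizontal), a tenant boundary, a positive amount, and an administrative action gated on role (vertical). The account model, the single-tenant transfer policy and the sample balances are assumptions made for the example.

```python
from dataclasses import dataclass, field

class AccessDenied(Exception): pass     # actor is not permitted to perform the action
class InvalidTransfer(Exception): pass  # request violates a business rule

@dataclass
class Account:
    owner: str     # username that owns the account (constructed model)
    tenant: str    # organisation the account belongs to
    balance: int   # whole currency units

@dataclass
class Bank:
    accounts: dict = field(default_factory=dict)

    def transfer(self, actor, actor_tenant, src_id, dst_id, amount):
        src, dst = self.accounts.get(src_id), self.accounts.get(dst_id)
        if src is None or dst is None:
            raise InvalidTransfer("unknown account")
        # Horizontal: compare against the authenticated user, never a client-supplied owner field
        if src.owner != actor:
            raise AccessDenied("not the account owner")
        # Cross-tenant boundary (assumed policy): funds never leave the actor's tenant
        if src.tenant != actor_tenant or dst.tenant != actor_tenant:
            raise AccessDenied("cross-tenant transfer")
        # Business logic: a negative amount would silently reverse the transfer direction
        if type(amount) is not int or amount <= 0:
            raise InvalidTransfer("amount must be a positive integer")
        if amount > src.balance:
            raise InvalidTransfer("insufficient funds")
        src.balance -= amount
        dst.balance += amount
        return src.balance, dst.balance

    def adjust_balance(self, actor_role, acct_id, new_balance):
        # Vertical: an administrative action checks the role server-side, not the hidden UI button
        if actor_role != "admin":
            raise AccessDenied("administrator role required")
        self.accounts[acct_id].balance = new_balance
        return new_balance

def try_transfer(bank, *args):
    """Run a transfer and return its result, or the name of the rejection reason."""
    try:
        return bank.transfer(*args)
    except (AccessDenied, InvalidTransfer) as exc:
        return type(exc).__name__
```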
Pentest Reports

The final product of an application pentest is also one of the most overlooked. Pentest reports should clearly show the vulnerabilities identified along with steps to reproduce and remediate the issue.

Risk Ratings

Pentest risk ratings are a hot topic among enterprise security teams. They can easily become the focal point of tension between teams who must decide what vulnerabilities are remediated and when.

Application Pentest FAQ

  • How much does a pentest cost?

    Pricing for an application pentest is highly dependent on size and scope. Key factors such as the number of workflows, number of user roles, and technologies in use can affect pentest pricing.

  • How long does a pentest take?

    Pentest duration depends on size and complexity; however, most pentests are time-boxed engagements that last between one and three weeks.