Edgescan applies varying levels of rigour depending on the type of testing that takes place; all levels align with best practices and industry standards.
Version Number: v1.0.0
Published Date: 26 March 2025
Manual Penetration Testing – Methodology & Approach
An Edgescan advanced licence provides a level of testing equivalent to a manual penetration test. It includes the same testing that is applied to foundation licences, plus the additional rigour expected of a full manual penetration test.
Our fullstack approach covers both the network and application layers where applicable.
Approach – Application Layer Testing
Edgescan has developed an application testing methodology based on OWASP best practice, which has proven effective in identifying the areas within web applications that are most vulnerable to attack.
The methodology initiates each assessment from different threat perspectives to determine the extent to which sensitive information or unauthorised access can be gained.
Our testing approach combines automated and manual techniques to perform the security testing of both the application and the supporting application server (underlying hosting infrastructure). While scanning tools provide a solid foundation for vulnerability detection, they have several weaknesses, which we address through manual testing and inspection; this is core to our service. Our testing approach progresses through three distinct phases. Our penetration testing methodology is aligned with CREST (https://www.crest-approved.org/) and we are a CREST accredited penetration testing provider.
Phase 1: Application Recon
The first step in the Edgescan methodology is to ‘spider’ or ‘crawl’ the application to map out the relevant functions.
This step helps identify the application's attack surface.
Phase 2: Fault injection and scanning
Edgescan employs a variety of tools for web application and API scanning, based on leading industry practice. A combination of proprietary, best-of-breed commercial and open-source tools is employed. Existing and new tools are constantly tested by our ‘scanner’ security team to ensure adequate coverage of systems during testing, as well as accuracy in identifying the vulnerabilities present in target systems.
Phase 3: Manual penetration testing
The results obtained in previous phases, combined with Edgescan’s web and API application security testing experience, are used in the manual assessment of application vulnerabilities. Testing is delivered by a qualified penetration testing consultant, and this phase attempts to identify vulnerabilities that could be exploited to:
- bypass authentication or authorization controls
- identify an individual by circumventing privacy controls
- bypass validations or manipulate application business logic
- obtain unauthorised access to the application, the database and the underlying operating system
Testing includes, but is not limited to, the following techniques:
- Business Logic weakness manipulation: Attempts to “fool” the application or break workflow logic in order to examine the potential to bypass business or logical controls.
- Authentication: Verifying the robustness of authentication mechanisms using techniques such as ‘brute forcing’ (trying a large number of possible values until the correct value is discovered; this is performed at customer request only, and our default test is to ascertain whether protective controls are in place) and ‘sniffing’ (capturing and analysing network traffic).
- Parameter manipulation: The ability to alter parameters passed to the server in HTTP POST and GET requests in order to bypass authorisation or other validation controls.
- Vertical and horizontal privilege escalation: The ability to hijack the rights of a fellow user, and the ability to escalate these privileges to gain unauthorised access to administrative areas.
- Injection Attacks: The ability to construct and submit payloads that will be run on the backend systems and gain unauthorised access to data or unsanctioned privileges on an underlying database or operating system.
- Directory traversal: The ability to navigate to server directories that the user should not be authorised to access.
- Web server permissions: The ability to make unsanctioned uploads or changes to application content or access the directory structure in an unauthorised manner.
- Cookie Poisoning and Spoofing: Cookies are typically used to pass session variables, including a user's authentication state. By manipulating unencrypted cookies, it may be possible to gain escalated user privileges.
- Session Management: Analyse session cookies to determine whether they can be predicted and used to gain unauthorised access to applications.
- Cross-site scripting: The ability to inject malicious script characters into the website content that may be used for ‘phishing’ attacks or general defacement.
- Direct Object Access / Forceful Browsing: Attempting to gain unauthorised access to parts of the application by directly accessing URLs.
- Overflow: An overflow diverts the function of a program by placing a malicious piece of code in memory that is then executed on the server. Attempts are made to identify parameters in the application that cannot handle large input streams and may therefore create an overflow condition.
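As an added illustration (not Edgescan's code) of the cookie-oriented checks in the list above (Cookie Poisoning and Spoofing, Session Management), this Python audit parses a Set-Cookie header and reports weaknesses by the names used in the taxonomy later on this page. The session-cookie name list and the 64-bit entropy threshold are assumptions, and the entropy measure is a crude single-token heuristic rather than a full predictability analysis.

```python
import math
from collections import Counter

# Cookie names commonly used for session identifiers (assumed list; extend
# with the application's own session cookie name).
SESSION_COOKIE_NAMES = {"sessionid", "jsessionid", "phpsessid", "sid", "session"}

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attr: value_or_True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value.strip(), attrs

def token_entropy_bits(token):
    """Crude predictability estimate: Shannon entropy of the token's own
    characters times its length. Low values flag short or repetitive tokens;
    a full assessment would also compare many tokens issued in sequence."""
    if not token:
        return 0.0
    n = len(token)
    per_symbol = -sum(c / n * math.log2(c / n) for c in Counter(token).values())
    return per_symbol * n

def is_session_cookie(name):
    """Known session cookie names, or anything containing 'sess'."""
    lowered = name.lower()
    return lowered in SESSION_COOKIE_NAMES or "sess" in lowered

def audit_set_cookie(header, min_token_bits=64):
    """Return taxonomy finding names for one Set-Cookie header ([] if clean)."""
    name, value, attrs = parse_set_cookie(header)
    if not is_session_cookie(name):
        return []
    findings = []
    if "secure" not in attrs:                       # also sent over plain HTTP
        findings.append("Unsecured Session Cookie")
    if "httponly" not in attrs:                     # readable by injected script
        findings.append("Non-Http Only Session Cookie")
    if "expires" in attrs or "max-age" in attrs:    # survives browser close
        findings.append("Persistent Session Cookie")
    if token_entropy_bits(value) < min_token_bits:  # guessable identifier
        findings.append("Credential/Session Prediction")
    return findings
```

Call audit_set_cookie() on each Set-Cookie header captured from a test session; a clean session cookie returns an empty list.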
Approach – Network Layer Testing
Edgescan’s experience and knowledge of the latest exploits, common system weaknesses and hacking techniques are used to attempt to exploit potential exposures and uncover any areas of security weakness in target hosts. The testing is divided into two distinct phases:
Phase 1: IP Scan
Edgescan has developed a sophisticated and effective programme to test the security surrounding Internet-connected systems. This includes controlled penetration tests that are used to attempt to gain access to Internet-connected systems and ultimately pivot to adjacent or internal networks from the Internet, if applicable. The following aspects of the methodology are used:
- Server identification – allowing the identification of platforms, operating systems, and applications.
- Service scan – a method to determine which service ports are present and listening for transactions. Traffic from application programs and operating system instructions is transmitted over these ports.
- Information retrieval – attempting to identify active ports and extract information from the target system, including banners or other key information.
- Vulnerability scan – use of commercial and proprietary tools against computer addresses, vulnerabilities, and protocols.
As stated earlier, automated scanning techniques have their limitations; Edgescan carefully evaluates the results of each tool and, where possible, manually verifies the existence of difficult-to-detect vulnerabilities to ensure accurate reporting.
Phase 2: Manual Vulnerability Validation
Where applicable, we validate all vulnerabilities in the target hosts. Both proprietary Edgescan and well-known, widely available techniques are used to attempt to circumvent selected systems’ security. Edgescan’s specific approach includes the following:
- Configuration/known weakness attacks – both inherently insecure services and necessary but poorly configured services are targeted during testing: attempts are made to exploit vulnerabilities in services such as NetBIOS, FTP, HTTP, etc. Attempts to exploit password composition weaknesses may also be made using intelligent brute force utilities, if applicable.
- Known vulnerabilities – should a known vulnerability be detected in any part of the underlying system stack, non-destructive validation techniques are employed with the goal of escalating privileges within the system.
Testing Taxonomy
Edgescan offers continuous Dynamic Application Security Testing (DAST) integrated with deep-dive, business logic penetration testing through our Edgescan advanced licence. This combination of production-safe automated and manual testing on one platform allows enterprises to tackle the ever-increasing demand for accurate and useful Application Security Testing (AST) intelligence. The vulnerability and test case taxonomy of our DAST and penetration testing services is outlined below.
Edgescan Vulnerability Assessment - Including DAST and Network VM
- All OWASP Top 10 (2013, 2017) vulnerabilities
- HTTP caching control
- OS command injection
- Application framework - known vulnerabilities (spring / struts / zend / django / .net, etc.)
- HTTP header injection
- Persistent session cookie
- Brute force login screens (on request)
- Autocomplete attribute
- HTTP only session cookie
- Remote file inclusion (RFI)
- Buffer overflow
- HTTP response smuggling
- SANS Top 25 Software Errors
- Content spoofing / HTML hacking
- HTTP response splitting / pollution
- Server-side injection
- Functionality abuse
- Cookie access control
- Improper input handling
- SQL injection: error based, time based, Boolean conditional, MySQL, MSSQL, Oracle, etc.
- Cross site scripting (XSS) – reflected / stored
- Improper output encoding / content type encoding
- Unsecured session cookie
- Data / information leakage
- Improper file system access control
- URL redirect security
- Directory indexing
- Insufficient SSL / TLS / transport layer protection
- XML attribute security
- XML external entities
- State logic weakness
- DOM XSS
- Integer overflows
- XML injection and schema security
- File path traversal
- LDAP injection
- XPath injection
In addition to the Edgescan Standard (DAST) testing (above), penetration testing attempts to discover issues which scanners generally do not detect. The discovery of such issues is unique to penetration testing or an Edgescan Advanced licence, as the issues are contextual and require human intelligence to discover and exploit.
The additional manual testing that is performed during an Edgescan advanced test is outlined below.
Edgescan Advanced Penetration Testing
- Anti-automation assessment
- Credential / ID / session prediction
- Session fixation / expiration weakness
- Brute force
- Horizontal authorisation weakness (peer-to-peer)
- Weak password recovery
- Business logic weakness / functional abuse / state logic weakness
- Insecure indexing / direct object access
Full Application Testing Taxonomy
Technical Vulnerabilities - WASC
- Application Misconfiguration [O-A6, API6]
- Buffer Overflow [S25-3, 20]
- Content Spoofing
- Cross Site Scripting [O-A7] [S25-4]
- Directory Indexing [S25-13]
- Path Traversal [S25-13]
- Fingerprinting
- Format String Attack [S25-23]
- Insecure Deserialization [O-A8]
- HTTP Request Smuggling
- HTTP Response Splitting [O-A1]
- Insufficient Logging / Monitoring [O-A10, API10]
- Improper Filesystem Permissions [O-A6] [S25-17]
- Improper Input Handling
- Improper Output Handling
- Authentication Misconfiguration [O-A2, API2]
- Insufficient Transport Layer Protection
- Integer Overflows [S25-24]
- LDAP Injection [O-A1]
- Mail Command Injection [O-A1]
- Null Byte Injection [O-A1]
- Predictable Resource Location [O-A5]
- Remote File Inclusion
- Routing Detour
- OS Commanding & Injection [O-A1] [S25-2]
- Cryptographic Misconfiguration [S25-19]
- SOAP Array Abuse
- SQL Injection [O-A1] [S25-1]
- SSI Injection [O-A1]
- Server Misconfiguration [O-A6]
- URL Redirector Abuse [O-A10] [S25-22]
- XML Attribute Blowup
- XML Entity Expansion
- XML External Entities [O-A4]
- XML Injection [O-A1]
- XPath Injection [O-A1]
- XQuery Injection [O-A1]
- Password Storage Issues [O-A5] [S25-25]
- Direct URL Access [O-A8]
- Information Leakage [O-A3, API3]
- File Upload Abuse [S25-9]
- Lack of Resources / Rate Limiting [O-API4]
- Improper Assets Management [O-A6, API9]
- Mass Assignment [O-API6]
- Injection / Fuzzing (generic) [O-API8]
Business Logic Flaws
- Abuse of Functionality
- Brute Force
- Credential/Session Prediction [O-A2, API2]
- Cross Site Request Forgery [S25-12]
- Insecure Indexing
- Insufficient Anti-automation
- Insufficient Authentication [O-A2, API2] [S25-5]
- Insufficient Authorization [O-A3, A5, API1, API5] [S25-6, 10, 15]
- Insufficient Process Validation
- Insufficient Password Recovery [O-A2, API2]
- Insufficient Session Expiration [O-A2, API2]
- Session Fixation [O-A2]
Best Practice
- Autocomplete Attribute [O-A6]
- Insufficient Cookie Access Control [O-A5]
- Insufficient Crossdomain Configuration [O-A6]
- Insufficient Password Protection [S25-21]
- Insufficient Password Strength
- Invalid HTTP Method Usage
- Non-Http Only Session Cookie [O-A6]
- Persistent Session Cookie
- Personally Identifiable Information [O-A3] [S25-8]
- Secured Cachable HTTP Messages [O-A6]
- Unsecured Session Cookie [O-A6]
Technical Vulnerabilities - OWASP Top 10 2017
- A1 - Injection
- A2 - Broken Authentication
- A3 - Sensitive Data Exposure
- A4 - XML External Entities (XXE)
- A5 - Broken Access Control
- A6 - Security Misconfiguration
- A7 - Cross Site Scripting (XSS)
- A8 - Insecure Deserialization
- A9 - Using components with known vulnerabilities
- A10 - Insufficient Logging & Monitoring
Technical Vulnerabilities - OWASP API Security 10 2019
- API1 2019 Broken Object Level Authorization
- API2 2019 Broken User Authentication
- API3 2019 Excessive Data Exposure
- API4 2019 Lack of Resources & Rate Limiting
- API5 2019 Broken Function Level Authorization
- API6 2019 Mass Assignment
- API7 2019 Security Misconfiguration
- API8 2019 Injection
- API9 2019 Improper Assets Management
- API10 2019 Insufficient Logging & Monitoring
*O - OWASP Top 10 2017 or API 2019
*S25 - SANS Top 25 Programming Errors