Know Your Role(s)!

Too often, I've started a web application penetration test with one set of user credentials and a target application URL, and it's off to the races. Not long after starting the test, it becomes apparent that I'll need at least one more set of credentials in order to properly test all of the application functionality.

It's important for the client and the tester to discuss key elements of the application prior to the start of the testing process. Elements such as what types of users exist on the system, or how users will interact with the application or each other, can help identify critical components that should be covered during the testing process. This isn't limited to the intended users either: accounts should be provisioned that cover the different privilege levels, including administrative users, if they also interact with the same application. Supplying these test accounts allows testing of both lateral (one user reaching another user's data) and vertical (privilege escalation) authorization processes. If the tester isn't aware of these different user levels, then it's possible that potentially serious vulnerabilities can be missed.

I had a client recently that had web application testing performed in the past, but had only provisioned a single account to use during the testing process. During our scoping discussions, I learned that there were no administrative users, only "standard" accounts, and I asked for a second test account to be created that I could use in addition to the original account. During testing, I discovered that there were vulnerabilities present in the way the application authorized changes that a user requested as part of a claim being submitted. Since the application didn't have any functionality where users might interact with each other, the client hadn't considered the possibility of a user accessing submissions belonging to another user. Had I not asked for that second account to be provided, it's possible that the vulnerability might have gone unnoticed.

If you're considering having a web application penetration test performed, it's important to discuss all of the user roles that are built into your application. This allows the tester to understand the functions available to different users and to test the lateral and vertical authorization processes that are handled by the application.
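The lateral and vertical authorization checks discussed above, applied to the claim-submission scenario, as an added example that is not the post's or the client's code; the ClaimStore, Claim and User names and the "standard"/"admin" role names are assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass
class AuthorizationError(Exception): pass
User = namedtuple("User", "name role")  # assumed role names: "standard", "admin"
@dataclass
class Claim:
    claim_id: int
    owner: str
    amount: int
    status: str = "submitted"

class ClaimStore:
    def __init__(self, claims):
        self._claims = {c.claim_id: c for c in claims}
    def get_claim(self, user, claim_id):
        # Lateral check: a standard user may only read their own claim. The
        # vulnerable version returned self._claims[claim_id] with no check.
        claim = self._claims[claim_id]
        if user.role != "admin" and claim.owner != user.name:
            raise AuthorizationError(f"{user.name} may not read claim {claim_id}")
        return claim
    def update_amount(self, user, claim_id, amount):
        claim = self.get_claim(user, claim_id)  # same lateral check applies
        if claim.status != "submitted":
            raise AuthorizationError(f"claim {claim_id} is no longer editable")
        claim.amount = amount
        return claim
    def approve(self, user, claim_id):
        # Vertical check: only an administrator may approve a claim.
        if user.role != "admin":
            raise AuthorizationError(f"{user.name} may not approve claims")
        self._claims[claim_id].status = "approved"
        return self._claims[claim_id]

def authorization_matrix(store, users, claim_ids):
    """Read every claim as every user; True where the read is permitted."""
    def allowed(user, claim_id):
        try:
            store.get_claim(user, claim_id)
            return True
        except AuthorizationError:
            return False
    return {(u.name, c): allowed(u, c) for u in users for c in claim_ids}

def build_demo():
    # Constructed sample data: two standard users, one admin, one claim each.
    store = ClaimStore([Claim(1, "alice", 250), Claim(2, "bob", 900)])
    users = [User("alice", "standard"), User("bob", "standard"), User("carol", "admin")]
    return store, users
```

The authorization_matrix function is the exercise a second test account makes possible: every account is tried against every record, so a standard user reading another user's claim shows up as an unexpected True.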