A Beginner’s Guide To Manual Web Application Security Testing

Web Application Security Testing

Security and web application testing is a complex field, and there are many different approaches to performing manual web application security testing. This article will explore the various ways that you can perform manual web application security testing, as well as the phases of this process. You will also learn about 11 steps that you can take to perform manual web application security testing for your own business or organization!

What Is Manual Web Application Security Testing?

Web application security testing is the process of identifying and targeting vulnerabilities inside a web application. This can be done manually or using automated tools, but the key aim is to identify any weaknesses that could be exploited by an attacker. When the web application security testing is done by hand or manually without any automated assistance it is referred to as manual web application security testing.

Different Ways To Perform Manual Web Application Security Testing

There are three ways to perform manual application security testing:

  • Black Box Testing: where you have no knowledge of the internal design or code and proceed with inputting data in an attempt to find vulnerabilities. This is considered to be one of the most important steps because it will test how much damage could be done if a hacker was able to exploit your web application. It’s best to use multiple different techniques when performing black box testing including fuzzing, automated scanners like Nessus, WebScarab (Burp Suite for Java) as well as static source code analysis tools such as Brakeman. Once issues are identified then they should be documented by creating proof of concepts that include step-by-step instructions on how to reproduce the issue.
  • Gray Box Testing: this is a combination of black-box testing and white box testing, where you have limited knowledge about the web application’s design or code but are provided with some information by your client that assists in discovering vulnerabilities more easily. For example, if an organization has written their own custom security scanning tools for use with manual penetration tests then they may provide them as part of gray box testing results so that testers can run scans against an already identified vulnerability quickly/easily which speeds up test time!
  • White Box Testing: This type of application security testing involves having full access to internal design documentation, source code, etc. What makes it different from black / gray box techniques is that there is no need to discover information from the client during a white box application security testing project. This is because you have already received all of this information upfront so vulnerability discovery becomes trivial and tests can be carried out more quickly since there’s less searching involved!

The 11 Steps To Perform Manual Web Application Security Testing

Manual application security testing can be a daunting task, but with the right approach, it can be extremely valuable in finding vulnerabilities that automated scanners may miss. Most importantly, have a solid methodology and stick to it!

1. Preparation/Planning: The first step of the manual application security testing methodology is to determine what information you need; this will depend on how much knowledge you already have about your target. For example, if it’s a new website then you’ll probably want to start by doing some reconnaissance on the business to learn more about their website, who runs it, and how you can contact them. You’ll also need to create a plan for testing by deciding what techniques will be used (black-box, gray-box, or white-box), and which targets should be tested first.

2. Discovery/Reconnaissance: The first step in any penetration testing is reconnaissance, where the tester gathers as much information about the target system as possible. This includes identifying open ports on systems, running scans for public data (such as banner grabbing), and looking for any clues that may help in later stages.

3. Enumeration: Once reconnaissance has been completed, the next step is enumeration which involves attempting to gain access to resources that were identified during the first stage. This often includes using brute-force methods to try and guess passwords, trying common exploits against known vulnerabilities (such as SQL injection), and dictionary attacks against user names.

4. Scoping: This phase includes creating an initial test matrix, defining the scope of each technique used, and deciding what will be tested first, etc. You should also create a list containing all URLs that you’ll need to crawl through, then prioritize them based on how interesting they are likely to be for your testing.

5. Attack Surface Analysis: This is where you’ll perform a deeper analysis of the URLs discovered during reconnaissance, identifying all possible attack vectors such as common web vulnerabilities (XSS, SQLi, etc.) and OS command injection attacks that could be used to compromise your target. You should also identify any interesting services or directories that may contain sensitive files.

6. Vulnerability Analysis: This is where you’ll focus on identifying specific vulnerabilities in the target web application. You should use a combination of manual and automated techniques to do this, such as using a vulnerability scanner or fuzzing tools.

7. Privilege Escalation Attacks: Once you’ve found some juicy targets (vulnerabilities) it’s time to start exploiting them! This is where privilege escalation attacks come in handy, as they can be used to gain access to systems or data that would otherwise be unavailable.

8. Exploitation: In this phase, the tester actually attempts to take control of the system by using information gathered from previous stages. This may include installing backdoors, creating new accounts with elevated privileges, or simply stealing data from the target system.

9. Containment: This phase involves assessing the impact of any vulnerabilities that were discovered and determining how to prevent them from being exploited. The tester must also determine what steps need to be taken in order to restore systems back into their original state if possible.

10. Cleanup/Recovery: After exploitation has been completed, it is important to clean up any mess that may have been left behind. This includes removing backdoors and tools that were installed, deleting test files, and restoring systems to their original state.

11. Reporting: Once the test has been completed, it is important to document any findings along with recommendations for remediating any vulnerabilities that were discovered as a result of the testing, in a report. You should also include advice on how to protect against future attacks. This can be used by the organization as evidence of its security posture and justification for ongoing spending on security in order to improve it.

This is a general guide to the process of performing manual application security testing and should not be considered as gospel. Every test will be different, but following these steps should give you a good foundation on which to build your own penetration testing methodology.


The manual application security testing methodology can be used for penetration tests, vulnerability assessments, or any other task that requires identifying and exploiting web application flaws. It’s great because you can adapt it to match your own skills & experience, but also because it’s completely customizable. It can be used to test any type of web application whether that’s an eCommerce portal or VPN service.

Leave a Reply

Your email address will not be published. Required fields are marked *